Impact
Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two RequireDisCatSharpDeveloperAttributes or the BaseDiscordClient.LibraryDeveloperTeam have potentially had their bot token sen…
[org.geoserver:gs-main] Improper Input Validation in GeoServer
Impact
The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located…
[xml2rfc] SVG with embedded scripts can lead to cross-site scripting attacks in xml2rfc
xml2rfc allows script elements in SVG sources.
In HTML output, these script elements can lead to XSS attacks.
Sample XML snippet:
<artwork type="svg" src="data:image/svg+xml,%3Csvg viewBox='0 0 10 10' xmlns='http://www.w3.org/2000/svg'%3E%3Csc…
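The following Python sanitizer is an added illustration, not xml2rfc's own code. It decodes an SVG data: URI of the kind shown in the snippet, removes <script> elements, and, going beyond the advisory's script-element case, also strips on* event-handler attributes and javascript: URLs in href/xlink:href, since those reach the same outcome once the SVG is inlined in HTML. The sample URI, the SVG inside it and all function names are constructed here.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}

# Serialize the SVG namespace as the default namespace rather than as "ns0:".
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)


def _local(name):
    """Strip an ElementTree "{namespace}" prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _is_javascript_url(value):
    # Browsers ignore embedded whitespace/control characters when reading the scheme.
    return re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:")


def decode_data_uri(uri):
    """Return the payload text of a data: URI (percent- or base64-encoded)."""
    if not uri.startswith("data:"):
        raise ValueError("not a data: URI")
    header, _, payload = uri[5:].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload).decode("utf-8")
    return unquote(payload)


def sanitize_svg(svg_text):
    """Return (cleaned SVG text, list describing each script vector removed)."""
    root = ET.fromstring(svg_text)
    removed = []
    if _local(root.tag) == "script":
        return "", ["root <script> element"]
    # Snapshot the tree walk first: detaching children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) == "script":
                parent.remove(child)
                removed.append(f"<script> under <{_local(parent.tag)}>")
    for elem in root.iter():
        tag = _local(elem.tag)
        for name, value in list(elem.attrib.items()):
            if _local(name).lower().startswith("on"):
                del elem.attrib[name]
                removed.append(f"{tag}@{_local(name)} event handler")
            elif name in HREF_ATTRS and _is_javascript_url(value):
                del elem.attrib[name]
                removed.append(f"{tag}@{_local(name)} javascript: URL")
    return ET.tostring(root, encoding="unicode"), removed


def sanitize_svg_data_uri(uri):
    """Decode a data: URI, sanitize the SVG inside, return (clean text, removals)."""
    return sanitize_svg(decode_data_uri(uri))


# Constructed sample (not the advisory's snippet): an onload handler, a <script>
# element and a javascript: link, plus harmless <text> and <circle> content.
SAMPLE_URI = (
    "data:image/svg+xml,"
    "%3Csvg viewBox='0 0 10 10' xmlns='http://www.w3.org/2000/svg' onload='alert(1)'%3E"
    "%3Cscript%3Ealert(2)%3C/script%3E"
    "%3Ca href='javascript:alert(3)'%3E%3Ctext x='1' y='5'%3Ehi%3C/text%3E%3C/a%3E"
    "%3Ccircle cx='5' cy='5' r='4'/%3E"
    "%3C/svg%3E"
)

if __name__ == "__main__":
    clean, what = sanitize_svg_data_uri(SAMPLE_URI)
    print(clean)
    print(what)
```

The stdlib parser does not fetch external entities, so the data: payload is parsed without network access; the function leaves anything it does not recognise untouched, which is why the <a> element survives with only its javascript: href removed.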
[vyper] Integer bounds error in Vyper
Impact
In the following code, the return of <iface>.returns_int128() is not validated to fall within the bounds of int128. As of v0.3.0, <iface>.returns_int128() is validated in simple expressions, but not in complex expressions.
interface ifa…
[Yarp.ReverseProxy] YARP Denial of Service Vulnerability
Impact
A denial of service vulnerability exists in how YARP processes input.
Patches
If you’re using YARP 1.0.0, you should update to NuGet package version 1.0.1.
If you’re using YARP 1.1.0-RC.1, you should update to NuGet package version 1.1.0-rc.1.22…
[ckb] Dep Group Remote Memory Exhaustion (Denial of Service) in ckb
Impact
A remote attacker could exploit this vulnerability to exhaust ckb process memory of an affected node.
Patches
Upgrade to 0.43.1 or later.
References
After resolving the outpoints of one dep group, we put the corresponding content into a vec ( ht…
[afire] Relative Path Traversal in afire serve_static
Impact
This vulnerability affects the built-in afire serve_static extension, allowing paths containing //…. to bypass the previous path sanitation and request files in higher directories that should not be accessible.
Patches
The issue has been fixed …
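As an added example (Python, not afire's Rust code), the block below contrasts a hypothetical naive sanitizer, which strips "../" once and joins the result onto the document root, with a containment check that percent-decodes, normalizes the joined path and verifies segment-by-segment that it still lies under the root. The root "/srv/www", the probe paths and the function names are constructed for the example; the naive sanitizer is not a reproduction of afire's previous check.

```python
import posixpath
from urllib.parse import unquote


def naive_join(root, request_path):
    """Hypothetical naive sanitizer (not afire's code): strip '../' once, then join."""
    return posixpath.join(root, request_path.replace("../", ""))


def safe_path(root, request_path):
    """Map an HTTP request path onto a file below root.

    Returns the normalized absolute path, or None if the request would resolve
    outside root. Operates on path strings only (no filesystem access).
    """
    if not posixpath.isabs(root):
        raise ValueError("root must be an absolute path")
    root = posixpath.normpath(root)
    rel = unquote(request_path)           # decode %2e%2e etc. before normalizing
    if "\x00" in rel:
        return None                       # a NUL would truncate the name at open()
    rel = rel.lstrip("/")                 # join() would otherwise treat "/..." as absolute
    full = posixpath.normpath(posixpath.join(root, rel))
    # Segment-aware containment: a plain startswith() would accept "/srv/www2/x".
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


# Constructed probes: traversal shapes a static-file handler must reject.
TRAVERSAL_PROBES = [
    "../../etc/passwd",          # plain traversal (the naive strip catches this one)
    "..//..//etc/passwd",        # doubled slashes survive a single "../" strip
    "//../secret",               # leading double slash
    "%2e%2e/%2e%2e/etc/passwd",  # percent-encoded dots
    "/etc/passwd",               # absolute path handed straight to join()
]


def audit(root="/srv/www"):
    """Return {probe: (naive result, hardened result)} for the constructed probes."""
    return {p: (naive_join(root, p), safe_path(root, p)) for p in TRAVERSAL_PROBES}


if __name__ == "__main__":
    for probe, (naive, safe) in audit().items():
        print(f"{probe:28} naive -> {naive:32} hardened -> {safe}")
```

Two details matter in practice: posixpath.join discards the root entirely when the second argument is absolute, so a request beginning with "/" (or "//") must have its leading slashes removed before joining; and if the served tree can contain symlinks, resolve the returned path with os.path.realpath and repeat the containment check before opening the file.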
[composer/composer] Missing input validation can lead to command execution in composer
The Composer method VcsDriver::getFileContent() with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are us…
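The general defence against this class of bug, as an added Python example rather than Composer's PHP fix: validate every user-controlled value that will become a positional argv element so that it cannot be read as an option, build the command as an argv list rather than a shell string, and use "--" wherever the tool supports it. It assumes, for illustration only, that the driver shells out to git show <identifier>:<file> and hg cat -r <identifier> <file>; the function names and the option-like sample values are constructed here.

```python
import re
import subprocess

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_positional(value):
    """True if value can be a positional argv element without being parsed as an option."""
    return bool(value) and not value.startswith("-") and _CONTROL.search(value) is None


def check_positional(value, what):
    """Raise unless value is safe to place in argv as a positional argument."""
    if not is_safe_positional(value):
        raise ValueError(
            f"refusing {what} {value!r}: empty, option-like, or contains control characters"
        )
    return value


def git_show_argv(identifier, path):
    """argv for `git show <identifier>:<path>` (assumed command shape) with both parts validated."""
    check_positional(identifier, "identifier")
    check_positional(path, "file")
    # git splits the single "<rev>:<path>" argument at the first ':', so a ':' in the
    # identifier would let the caller move the split point.
    if ":" in identifier:
        raise ValueError("identifier must not contain ':'")
    return ["git", "show", f"{identifier}:{path}"]


def hg_cat_argv(identifier, path):
    """argv for `hg cat -r <identifier> -- <path>`; '--' ends option parsing for the file name."""
    check_positional(identifier, "identifier")
    check_positional(path, "file")
    return ["hg", "cat", "-r", identifier, "--", path]


def get_file_content(argv, cwd):
    """Run the command in list form: no shell, so only argv-level injection is possible."""
    return subprocess.run(argv, cwd=cwd, capture_output=True, check=True).stdout


# Constructed attacker-style identifiers: each would be consumed as an option by git.
OPTION_LIKE = ["--output=/tmp/pwned", "-Oformat", "--help"]

if __name__ == "__main__":
    print(git_show_argv("v1.0.0", "composer.json"))
    for value in OPTION_LIKE:
        print(value, "->", "rejected" if not is_safe_positional(value) else "accepted")
```

Shell quoting (escapeshellarg, shlex.quote) does not help with argument injection: the quoted value arrives intact as one argv element, which is exactly what the program's option parser then reads. The leading-dash check, or a "--" separator where the subcommand accepts one, is what closes the gap.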
[github.com/git-lfs/git-lfs/v3] Git LFS can execute a binary from the current directory on Windows
Impact
On Windows, if Git LFS operates on a malicious repository with a ..exe file as well as a file named git.exe, and git.exe is not found in PATH, the ..exe program will be executed, permitting the attacker to execute arbitrary code. This does not …
[io.gitlab.arturbosch.detekt:detekt-core] XML External Entity Reference in detekt
Improper Restriction of XML External Entity Reference in GitHub repository detekt/detekt prior to 1.20.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-0272
https://github.com/detekt/detekt/commit/c965a8d2a6bbdb9bcfc6acfa7bbffd3da81f5395
https:…