Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. Someone must open a link for the Teampass Password Manager index page containing malicious payload.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-26980
https://gist.github.com/RN…
Falcon-plus v0.3 was discovered to contain a SQL injection vulnerability via the parameter grpName in /config/service/host.go.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-26245
https://github.com/open-falcon/falcon-plus/issues/951
https://git…
Util/PHP/eval-stdin.php in PHPUnit starting with 4.8.19 and before 4.8.28, as well as 5.x before 5.6.3, allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a <?php substring, as demonstrated by an attack on a sit…
A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure custom CA to verify certs, kubeclient ends up a…
Impact
What kind of vulnerability is it?
Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter Server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, st…
An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from this vulnerability is to data confidentiality and inte…
An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in confi…
Poetry prior to v1.1.9 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute Poetry commands in a directory containing malicious content. This vulnerability occurs when the appli…
simple-plist v1.3.0 was discovered to contain a prototype pollution vulnerability via .parse().
References
https://nvd.nist.gov/vuln/detail/CVE-2022-26260
https://github.com/wollardj/simple-plist/issues/60
https://github.com/wollardj/simple-plist/issu…
In Paramiko before 2.10.1, a race condition (between creation and chmod) in the write_private_key_file function could allow unauthorized information disclosure.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-24302
https://github.com/paramiko/par…
