Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
References
https://nvd.nist.gov/vuln/detail/CVE-2021-44906
https://github.com/substack/minimist/issues/164
https://github.com/substack/minimis…
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed fo…
Denial of service (DoS) vulnerability in Nicotine+ starting with version 3.0.3 and prior to version 3.2.1 allows a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character.
…
FreeTAKServer-UI v1.9.8 was discovered to contain a SQL injection vulnerability via the API endpoint /AuthenticateUser.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25506
https://github.com/FreeTAKTeam/UI/issues/27
https://github.com/advisorie…
FreeTAKServer-UI v1.9.8 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Callsign parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25507
https://github.com/FreeTAKTeam/UI/issues/28
https://github.com/a…
Apache Spark supports end-to-end encryption of RPC connections via “spark.authenticate” and “spark.network.crypto.enabled”. In versions 3.1.2 and earlier, it uses a bespoke mutual authentication protocol that allows for full encryption key recovery. Af…
The Active Storage module of Rails starting with version 5.2.0 are possibly vulnerable to code injection. This issue was patched in versions 5.2.6.3, 6.0.4.7, 6.1.4.7, and 7.0.2.3. To work around this issue, applications should implement a strict allow…
This is a cross-post of the official security advisory. The official advisory contains a signed version with our PGP key, as well.
The Rust Security Response WG was notified that the regex crate did not properly limit the complexity of the regular ex…
In the IsolatedRazorEngine component of Antaris RazorEngine through 4.5.1-alpha001, an attacker can execute arbitrary .NET code in a sandboxed environment (if users can externally control template contents). NOTE: This vulnerability only affects produc…
jQuery Cookie 1.4.1 is affected by prototype pollution, which can lead to DOM cross-site scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23395
https://snyk.io/test/npm/jquery.cookie/1.4.1?tab=issues
https://security.netapp.com/ad…
