There’s a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5.
This is not part of any runtime code, does not affect Windows users at all, and is unlikely to affect anyone t…
[SSH.NET] Weak private key generation in SSH.NET
During an X25519 key exchange, the client’s private key is generated with System.Random:
// System.Random is a non-cryptographic PRNG; its output is predictable and unsuitable for key material.
var rnd = new Random();
_privateKey = new byte[MontgomeryCurve25519.PrivateKeySizeInBytes];
rnd.NextBytes(_privateKey);
Source: KeyExchangeECCurve25519.cs
Source commi…
[org.apache.tika:tika] Regular expression denial of service in apache tika
We failed to apply the fix for CVE-2022-30126 to the 1.x branch in the 1.28.2 release. In Apache Tika, a regular expression in the StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtrack…
[io.whitesource:curekit] Path traversal in CureKit
CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal, as the function isFileOutsideDir fails to sanitize user input, which may lead to path traversal.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-23082
https://github.com/w…
[code.gitea.io/gitea] Stored Cross-site Scripting in gitea
Cross-site Scripting (XSS) – Stored in GitHub repository go-gitea/gitea prior to 1.16.9 via unfiltered pdfs
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1928
https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c
htt…
[protobufjs] Prototype Pollution in protobufjs
The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype.
This vulnerability can occur in multiple ways:
by providing untrusted user input to util.setProper…
[rack] Denial of Service Vulnerability in Rack Multipart Parsing
There is a possible denial of service vulnerability in the multipart parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-30122.
Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0….
[rack] Possible shell escape sequence injection vulnerability in Rack
There is a possible shell escape sequence injection vulnerability in the Lint
and CommonLogger components of Rack. This vulnerability has been assigned the
CVE identifier CVE-2022-30123.
Versions Affected: All.
Not affected: None
Fixed Versions…
[@angular/core] Cross site scripting in Angular
A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might requ…
[com.jflyfox:jflyfox_jfinal] SQL injection in jflyfox jfinal
Jfinal cms 5.1.0 is vulnerable to SQL Injection.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-30500
https://github.com/jflyfox/jfinal_cms/issues/35
https://github.com/advisories/GHSA-595x-hh6c-hfv8