GitHub

An arbitrary file upload vulnerability in Mindoc v2.1-beta.5 allows attackers to execute arbitrary commands via a crafted Zip file.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-29637
https://github.com/mindoc-org/mindoc/issues/788
https://gith…

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8
References

https://nvd.nist.gov/vuln/detail/CVE-2022-29405
https://archiva.apache.org/docs/2.2.8/release-notes.html
https://github.com/advisories/G…

A cross-site scripting (XSS) vulnerability in /navigation/create?ParentID=%23 of ZKEACMS v3.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ParentID parameter.
References

https://nvd.nist.gov/vuln/…

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
References

https://nvd.nist.gov/vuln/detail/CVE-2022…

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-30322
https://d…

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-30323
https://discuss.hashicorp.com…

HashiCorp go-getter before 2.0.2 allows Command Injection.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-26945
https://discuss.hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
https…

When reading a TGA file with RLE packets that cross scan lines, Pillow reads the information past the end of the first line without deducting that from the length of the remaining file data. This vulnerability was introduced in Pillow 9.1.0, and can ca…

In ginadmin through 05-10-2022, the incoming path value is not filtered, resulting in arbitrary file reading.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-30428
https://github.com/gphper/ginadmin/issues/9
https://github.com/gphper/ginadmin/com…

In ginadmin through 05-10-2022 the incoming path value is not filtered, resulting in directory traversal.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-30427
https://github.com/gphper/ginadmin/issues/8
https://github.com/gphper/ginadmin/commit/…