Total CVEs

138,940

Critical Severity

3,615

High Severity

12,982

Last 7 Days

1,456
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 7,461 - 7,480 of 35,345 CVEs
CVE-2026-44644 MEDIUM - 6.1

LiquidJS is a Shopify/GitHub Pages compatible template engine written in pure JavaScript. Versions 10.25.7 and below are vulnerable to XSS through a flaw in the strip_html filter logic. The strip_html filter is intended to remove HTML tags from a string before rendering, and is widely used as an XSS...

Vendor: npm
Product: liquidjs
Published: May 27, 2026
Source: GitHub
CVE-2026-44632 CRITICAL - 9.1

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 27, 2026
Source: GitHub
CVE-2026-44596 MEDIUM - 6.5

Yamcs has No Rate Limiting on Authentication Endpoint

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 27, 2026
Source: GitHub
CVE-2026-44595 MEDIUM - 4.3

Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 27, 2026
Source: GitHub
CVE-2026-44587 MEDIUM - 4.7

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. In lib/carrierwave/up...

Vendor: rubygems
Product: carrierwave
Published: May 27, 2026
Source: GitHub

Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations

Vendor: go
Product: github.com/kata-containers/kata-containers
Published: May 26, 2026
Source: GitHub

Kirby CMS has pre-authentication path traversal and PHP file inclusion during user lookup

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

Kirby CMS vulnerable to cross-site scripting (XSS) from list field content in the site frontend

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

Kirby CMS has an Arbitrary Method Call via REST API Search and Collection Query Endpoints

Vendor: composer
Product: getkirby/cms
Published: May 26, 2026
Source: GitHub

FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass

Vendor: npm
Product: fuxa-server
Published: May 26, 2026
Source: GitHub

FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue

Vendor: npm
Product: fuxa-server
Published: May 26, 2026
Source: GitHub

FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection

Vendor: npm
Product: @frangoteam/fuxa
Published: May 26, 2026
Source: GitHub
CVE-2026-42568 MEDIUM - 4.3

Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. Versions 5.13....

Vendor: maven
Product: org.yamcs:yamcs-core
Published: May 26, 2026
Source: GitHub
CVE-2026-42462 HIGH - 7.0

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linke...

Vendor: npm
Product: @fedify/fedify
Published: May 26, 2026
Source: GitHub
CVE-2026-9604 MEDIUM - 4.3

A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improper access controls. The attack can be executed remotely. The exploit is now public and may be used. U...

Published: May 26, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: May 26, 2026
Source: NVD
CVE-2026-8647 MEDIUM - 4.8

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::...

Published: May 26, 2026
Source: NVD
CVE-2026-46740 MEDIUM - 5.3

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Version 0.06 changes the module from being a statsd...

Vendor: RRWO
Product: Mojolicious::Plugin::Statsd
Published: May 26, 2026
Source: NVD
CVE-2026-42089 HIGH - 8.6

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass at...

Vendor: npm
Product: yeoman-environment
Published: May 26, 2026
Source: GitHub