Potential security vulnerabilities have been identified in the HP One Agent for certain HP PC products, which might allow for escalation of privilege and/or denial of service. HP is releasing software updates to mitigate these potential vulnerabilities.
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did n...
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configu...
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products fou...
Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-b...
Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce. The default nonce was generated using an MD5 hash of the epoch time, which is predictable.
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.
Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions.
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
Unauthenticated SQL Injection in GPTranslate โ Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions.
Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions.