The package github.com/containrrr/shoutrrr/pkg/util before 0.6.0 are vulnerable to Denial of Service (DoS) via the util.PartitionMessage function. Exploiting this vulnerability is possible by sending exactly 2000, 4000, or 6000 characters messages.
Ref…
[angular] Angular (deprecated package) Cross-site Scripting
All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of elements.</p>
<p>NPM package <a href=”https://www.npmjs.com/packag…
[terser] Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS
The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25858
https://github.com/te…
[distributed] Workers for local Dask clusters mistakenly listened on public interfaces
Versions of distributed earlier than 2021.10.0 had a potential security vulnerability relating to single-machine Dask clusters.
Clusters started with dask.distributed.LocalCluster or dask.distributed.Client() (which defaults to using LocalCluster) woul…
[github.com/cilium/cilium] Cilium host policy bypass in endpoint-routes mode with dual-stack
Impact
This vulnerability allows bypassing host policies for IPv6 traffic coming from a Cilium-managed pod and destined to the host-network namespace (e.g., to a host-network pod). Host policy enforcement on IPv4 or for traffic coming from outside the …
[shescape] Shescape vulnerable to insufficient escaping of whitespace
Impact
This only impacts users that use the escape or escapeAll functions with the interpolation option set to true. Example:
import cp from “node:child_process”;
import * as shescape from “shescape”;
// 1. Prerequisites
const options = {
shell: “ba…
[shescape] Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD
Impact
This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character (‘\n’) in the payload. Example:
import cp from “node:…
[wintercms/winter] Bypass of CMS Safe Mode Security Feature
Impact
Authenticated users with permissions to create or modify theme template objects through the backend “CMS” editor can exploit this vulnerability to bypass the cms.enableSafeMode security feature if enabled (disables modification of PHP code throu…
[io.undertow:undertow-core] Undertow vulnerable to Denial of Service (DoS) attacks
Undertow client side invocation timeout raised when calling over HTTP2, this vulnerability can allow attacker to carry out denial of service (DoS) attacks in versions less than 2.2.15 Final.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-3859
ht…
[io.undertow:undertow-core] Undertow vulnerable to memory exhaustion due to buffer leak
Buffer leak on incoming WebSocket PONG message(s) in Undertow before 2.0.40 and 2.2.10 can lead to memory exhaustion and allow a denial of service.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-3690
https://github.com/undertow-io/undertow/commi…