GitHub

Impact
Nonce Claim Value was not being validated against the nonce value sent in the Authentication Request.
Patches
Users should upgrade to version 5.0 immediately
Workarounds
None.
References

https://github.com/packbackbooks/lti-1-3-php-library/secu…

Impact
The function used to generate random nonces was not sufficiently cryptographically complex. As a result values may be predictable and tokens may be forgable.
Patches
Users should upgrade to version 5.0 immediately
Workarounds
None.
References

h…

Togglz is an implementation of the Feature Toggles pattern for Java. There is no CSRF protection in the togglz console and could allow an attacker to guess the CSRF token value. Version 2.9.4 adds the necessary CSRF protection.
References

https://nvd….

Overview
A partial-path traversal issue exists within the downloadDirectory method in the AWS S3 TransferManager component of the AWS SDK for Java v1. Applications using the SDK control the destinationDirectory argument, but S3 object keys are determin…

The com.fasterxml.jackson.core:jackson-databind library before versions 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class ignite-jta.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-…

Impact
Due to insufficient class name validation in GrapeJS library it’s possible to add executable JS code in class name through Selector Manager
Relates to

https://github.com/artf/grapesjs/issues/4411

Patch
Update GrapeJS dependency to >=v0.19.5…

Impact
fastify-bearer-auth does not securely use crypto.timingSafeEqual. A malicious attacker could estimate the length of one valid bearer token. According to the corresponding RFC 6750, the bearer token has only base64 valid characters, reducing the …

Impact
This vulnerability affects all accounts (vanilla and ethereum flavors) in the v0.2.0 release of OpenZeppelin Contracts for Cairo, which are not whitelisted on StarkNet mainnet, so only goerli deployments of v0.2.0 accounts are affected.
This fau…

In versions prior to 3.3.2, Hudson exhibits a flaw in its XML API processing that can allow access to potentially sensitive information on the filesystem of the Hudson master server.
References

https://nvd.nist.gov/vuln/detail/CVE-2015-8031
https://wi…

Impact
Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.
Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.
Patches
1.1.30
Workarounds
Rotating …