A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.
References
htt…
Impact
All versions of lettersanitizer below 1.0.2 are affected by a denial of service issue when processing a CSS at-rule @keyframes.
This package is depended on by react-letter, therefore everyone using react-letter is also at risk.
Patches
The probl…
Impact
A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfg, of registered Kubernetes clusters, including the service account tokens in plain text from Weave…
Impact
Passing some special values to the filter and filterout parameters can cause an abnormally high CPU. Impact on the performance of the servers and RSSHub services.
Patches
It is fixed in 5c4177441417b44a6e45c3c63e9eac2504abeb5b , please update to…
Cross-site Scripting (XSS) – Reflected in GitHub repository microweber/microweber prior to 1.2.18.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2174
https://github.com/microweber/microweber/commit/c51285f791e48e536111cd57a9544ccbf7f33961
https…
Directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality, which allows a low privileged user to perform internal network port scans.
References
https://nvd.nist.gov/vuln/detai…
Impact
NVFLARE contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Deni…
Impact
NVFLARE contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote …
Impact
Pimcore offers developers listing classes to make querying data easier. This listing classes also allow to order or group the results based on one or more columns which should be quoted by default.
The actual issue is that quoting is not done p…
Impact
Authenticated Stored XSS in Administration
Patches
We recommend updating to version 5.7.12. You can get the update to 5.7.12 regularly via the Auto-Updater or directly via the download overview.
https://www.shopware.com/de/changelog-sw5/#5-7-12
…
