Impact
When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately.
This is a s…
[Newtonsoft.Json] Improper Handling of Exceptional Conditions in Newtonsoft.Json
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of expressions with a high nesting level, which leads to a StackOverflow exception or high CPU and RAM usage. Exploiting this vulnerability results in Denial O…
[nukeviet/nukeviet] Cross-site Scripting in NukeViet CMS
There is a stored cross-site scripting (XSS) vulnerability in NukeViet CMS before 4.5.02.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-30874
https://github.com/nukeviet/nukeviet/commit/1f328bb8cd256f88bd45fc3ec5a50ae951da2501
https://nukeviet….
[krayin/laravel-crm] Cross-site Scripting in krayin/laravel-crm
Webkul Krayin CRM before 1.2.2 is vulnerable to cross-site scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2021-41924
https://github.com/krayin/laravel-crm/pull/195/commits/882dc2e7e7e9149b96cf1ccacf34900960b92fb7
https://github.com/a…
[github.com/argoproj/argo-cd/v2] DoS through large manifest files in Argo CD
Impact
All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service. The repo-server is a critical component of Argo CD, so crashing the re…
[rulex] Reachable Assertion in rulex
Impact
When parsing untrusted rulex expressions, rulex may crash, possibly enabling a Denial of Service attack. This happens when the expression contains a multi-byte UTF-8 code point in a string literal or after a backslash, because rulex tries to sli…
[guzzlehttp/guzzle] Change in port should be considered a change in origin
Impact
Authorization and Cookie headers on requests are sensitive information. On making a request which responds with a redirect to a URI with a different port, if we choose to follow it, we should remove the Authorization and Cookie headers from the …
[next-auth] Improper Handling of `callbackUrl` parameter in next-auth
Impact
An attacker can send a request to an app using NextAuth.js with an invalid callbackUrl query parameter, which internally we convert to a URL object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causi…
[github.com/argoproj/argo-cd] Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
Impact
All unpatched versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD’s repo-server.
A malicious Argo CD user with write …
[github.com/argoproj/argo-cd/v2] Argo CD’s external URLs for Deployments can include JavaScript
Impact
All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim’s …