In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.
Re…
[octokit] Octokit gem published with world-writable files
Impact
Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writable files.
Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of -rw-r--r-- (i.e. 0644). This means every…
[octopoller] Octopoller gem published with world-writable files
Impact
Version 0.2.0 of the octopoller gem was published containing world-writable files. Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of -rw-r--r-- (i.e. 0644).
This means everyone who is …
[thinkcmf/thinkcmf] Incorrect Authorization in thinkcmf
thinkcmf v5.1.7 has an incorrect-authorization vulnerability. An attacker can modify the password of the administrator account with id 1 through the back-end user management group permissions. The precondition is that the back-end user management group auth…
[nocodb] Cross-site Scripting in NocoDB
Cross-site Scripting (XSS) – Stored in GitHub repository nocodb/nocodb prior to 0.91.9.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2079
https://github.com/nocodb/nocodb/commit/362f8f0869989bc13bdcd66c6fc9c86ac79b9992
https://huntr.dev/bounti…
[NuGet.Commands] Potential leak of NuGet.org API key
Description
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET Core 3.1, NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0). This …
[strapi] Cross-site Scripting in Strapi
Strapi v3.x.x versions and earlier contain a stored cross-site scripting vulnerability in the file upload function. By exploiting this vulnerability, an arbitrary script may be executed in the web browser of a user who is logging in to the product with t…
[francoisjacquet/rosariosis] SQL Injection in RosarioSIS
SQL Injection in GitHub repository francoisjacquet/rosariosis prior to 9.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2067
https://github.com/francoisjacquet/rosariosis/commit/15d5e8700d538935b5c411b2a1e25bcf7e16c47c
https://huntr.dev/bount…
[facturascripts/facturascripts] Cross-site Scripting in FacturaScripts
Cross-site Scripting (XSS) – Stored in GitHub repository neorazorx/facturascripts prior to 2022.06.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2065
https://github.com/neorazorx/facturascripts/commit/1d1edb40b40016d7fd2893b410b98569d7facca1
h…
[nocodb] Improper Privilege Management in NocoDB
Improper Privilege Management in GitHub repository nocodb/nocodb prior to 0.91.8.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2063
https://github.com/nocodb/nocodb/commit/269a19c2ad89a0e8a7596498e3806ff2ec1040c2
https://huntr.dev/bounties/156…