Flower, a web UI for the Celery Python RPC framework, is vulnerable in all versions as of 05-02-2022 to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutt…
[librenms/librenms] Command injection in librenms
LibreNMS v22.3.0 was discovered to contain multiple command injection vulnerabilities via the service_ip, hostname, and service_param parameters.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-29712
https://github.com/librenms/librenms/pull/1393…
[librenms/librenms] Cross site scripting in librenms
LibreNMS v22.3.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /Table/GraylogController.php.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-29711
https://github.com/librenms/librenms/pull/13931
https://gi…
[net.mingsoft:ms-mcms] Cross Site Request Forgery in Mingsoft MCMS
An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-29647
https://gist.github.com/aaaahuia/f708c6c8a320e0f3afbb92…
[devcert] Regular expression denial of service in devcert
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package when an attacker is able to supply arbitrary input to the certificateFor method.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1929
https://…
[semver-regex] Regular expression denial of service in semver-regex
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package when an attacker is able to supply arbitrary input to the test() method.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-43307
https://re…
[markdown-link-extractor] Regular expression denial of service in markdown-link-extractor
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the markdown-link-extractor npm package when an attacker is able to supply arbitrary input to the module's exported function.
References
https://nvd.nist.gov/vuln/detail/C…
[jquery-validation] Regular expression denial of service in jquery-validation
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package when an attacker is able to supply arbitrary input to the url2 method.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-43306
https:/…
[s3-uploader] OS Command Injection in s3-uploader
OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-34084
https://advisory.c…
[proctree] OS Command Injection in proctree
OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js allows attackers to execute arbitrary commands via the fix function.
References
https://nvd.nist.gov/vuln/detail/C…