Impact
When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds.
The vulnerability is limited to:
fs2-io running on Node.js. T…
Impact
Executing deeply nested queries may cause stack overflow.
Patches
Upgrade to v4.0.6
References
https://github.com/async-graphql/async-graphql/security/advisories/GHSA-xq3c-8gqm-v648
https://github.com/async-graphql/async-graphql/commit/521769b8…
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
References
https://nvd.nist.gov/vuln/…
Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via httpclient_impl connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which ca…
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.\n\nAffected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the sch…
WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allows attackers to execute arbitrary code via a crafted dbs-client package.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34558
https…
An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34971
https://github.com/liufee/cms…
The webhook endpoint in Jenkins Git Plugin 4.11.3 and earlier provide unauthenticated attackers information about the existence of jobs configured to use an attacker-specified Git repository.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-36884
…
A missing permission check in Jenkins Git Plugin 4.11.3 and earlier allows unauthenticated attackers to trigger builds of jobs configured to use an attacker-specified Git repository and to cause them to check out an attacker-specified commit.
Reference…
Jenkins Git client plugin 3.11.0 and earlier does not perform SSH host key verification when connecting to Git repositories via SSH, enabling man-in-the-middle attacks. Git client plugin 3.11.1 provides strategies for performing host key verification f…
