Impact
Users of versions 9.8.5, 9.8.6, 9.9.0 and previously published prereleases of 10.0.0 who have used either one of the two RequireDisCatSharpDeveloperAttributes or the BaseDiscordClient.LibraryDeveloperTeam have potentially had their bot token sen…
[Yarp.ReverseProxy] YARP Denial of Service Vulnerability
Impact
A denial of service vulnerability exists in how YARP processes input.
Patches
If you’re using YARP 1.0.0, you should update to NuGet package version 1.0.1.
If you’re using YARP 1.1.0-RC.1, you should update to NuGet package version 1.1.0-rc.1.22…
[ckb] Dep Group Remote Memory Exhaustion (Denial of Service) in ckb
Impact
A remote attacker could exploit this vulnerability to exhaust ckb process memory of an affected node.
Patches
Upgrade to 0.43.1 or later.
References
After resolving the outpoints of one dep group, we put the corresponding content into a vec ( ht…
[afire] Relative Path Traversal in afire serve_static
Impact
This vulnerability affects the built-in afire serve_static extension, allowing paths containing //…. to bypass the previous path sanitation and request files in higher directories that should not be accessible.
Patches
The issue has been fixed …
[rails] Cross site scripting in rails
A cross-site scripting flaw was found in the auto_link function in Rails before version 3.0.6.
References
https://nvd.nist.gov/vuln/detail/CVE-2011-1497
https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionp…
[Simple-Wayland-HotKey-Daemon] Exposure of Resource to Wrong Sphere in Simple-Wayland-HotKey-Daemon
SWHKD 1.1.5 allows arbitrary file-existence tests via the -c option.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27814
https://github.com/waycrate/swhkd/releases
https://www.openwall.com/lists/oss-security/2022/04/14/1
https://github.com/wayc…
[Simple-Wayland-HotKey-Daemon] Exposure of Resource to Wrong Sphere in Simple-Wayland-HotKey-Daemon
SWHKD 1.1.5 consumes the keyboard events of unintended users. This could potentially cause an information leak, but is usually a denial of functionality.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-27817
https://github.com/waycrate/swhkd/rele…
[npm-dependency-versions] Command injection in npm-dependency-versions
The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a value.
References
https://nvd.n…
[System.Security.Cryptography.X509Certificates] Improper Certificate Validation
.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remotely cause a denial of service against a .NET Core web application by improperly parsing certificate data. A denial of service vulnerability exists when .NET Core improperly ha…
[Bond.Core.CSharp] Infinite loop in .Net Bond
A denial of service vulnerability exists when the .NET implementation of Bond improperly parses input, aka ‘Bond Denial of Service Vulnerability’. The handling of large container lengths could cause an infinite loop when deserializing some payloads.
R…