node-fetch is a light-weight module that brings window.fetch to node.js.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a…
[github.com/runatlantis/atlantis/server/controllers/events] Atlantis Events prior to 0.19.7 vulnerable to Timing Attack
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to a Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow…
[prestashop/prestashop] PrestaShop eval injection possible if shop vulnerable to SQL injection
Impact
Eval injection possible if the shop is vulnerable to an SQL injection.
Patches
The problem is fixed in version 1.7.8.7
Workarounds
Delete the MySQL Smarty cache feature by removing these lines in the file config/smarty.config.inc.php lines 43-46…
[co.fs2:fs2-io] fs2-io skips mTLS client verification
Impact
When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds.
The vulnerability is limited to:
fs2-io running on Node.js. T…
[feehi/cms] Feehi CMS Cross-site Scripting
A stored cross-site scripting (XSS) vulnerability in /index.php?r=site%2Fsignup of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username field.
References
https://nvd.nist.gov/vuln/…
[org.apache.calcite.avatica:avatica-core] Apache Calcite Avatica JDBC driver arbitrary code execution
Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via httpclient_impl connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which ca…
[mongoose] Prototype pollution Schema.path in automattic/mongoose
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.
Affected versions of this package are vulnerable to Prototype Pollution. The Schema.path() function is vulnerable to prototype pollution when setting the sch…
[reqmon] WMAgent arbitrary code execution via a crafted dbs-client package
WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr2 1.4.1rc5 and 1.4.0rc2, reqmon 1.4.1rc5, and global-workqueue 1.4.1rc5 allow attackers to execute arbitrary code via a crafted dbs-client package.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34558
https…
[feehi/cms] Feehi CMS arbitrary code execution via crafted PHP file
An arbitrary file upload vulnerability in the Advertising Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary code via a crafted PHP file.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-34971
https://github.com/liufee/cms…
[shopware/shopware] Shopware vulnerable to persistent cross site scripting (XSS) in customer module
Impact
Persistent XSS in customer module
Patches
We recommend updating to the current version 5.7.14. You can get the update to 5.7.14 regularly via the Auto-Updater or directly via the download overview.
For older versions you can use the Security Plu…