HIGH

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-44621
https://lists.apache.org/thread/7ctchj24dofgsj9g1rg1245cms9myb34
https://github.com/…

A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack …

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
References

https://nvd.nist.gov/vuln…

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.
This vulnerability pollutes the prototype o…

Impact
If you make use of the report receiver server (experimental), a client may be able to forge requests such that arbitrary files on the host can be overwritten (subject to permissions of the yapscan server), leading to loss of data. This is partic…

Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.
Patches
XStream 1.4.20 handles the stack overflow and raises…

Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-4808
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
https://huntr.dev/bounties/11…

usememos/memos 0.9.0 and prior is vulnerable to full account takeover via changing user name, email address, and display name.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-4809
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a17…

In usememos/memos 0.9.0 and prior, a user with login permission can delete all notes of the whole application via API DELETE https://demo.usememos.com/api/memo/$idnote. The vulnerability will lose all user notes data throughout the system, causing dama…

usememos/memos 0.9.0 and prior is vulnerable to Improper Access Control.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-4803
https://github.com/usememos/memos/commit/3556ae4e651d9443dc3bb8a170dd3cc726517a53
https://huntr.dev/bounties/0fba72b9-db…