usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Versions prior to 0.9.0 improperly maintain access control, allowing an attacker to take over an account by changing header values in the HTTP request.
R…
[github.com/usememos/memos] usememos/memos vulnerable due to improper authentication
usememos/memos is an open-source, self-hosted memo hub with knowledge management and socialization. Memos versions prior to 0.9.0 are vulnerable to improper authorization, which can allow a user to modify the nickname, username and email of other users…
[github.com/usememos/memos] usememos/memos makes Incorrect Use of Privileged APIs
Incorrect Use of Privileged APIs in GitHub repository usememos/memos prior to 0.9.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4687
https://github.com/usememos/memos/commit/dca35bde877aab6e64ef51b52e590b5d48f692f9
https://huntr.dev/bounties…
[github.com/usememos/memos] usememos/memos Improper Authentication vulnerability
Improper Authentication in GitHub repository usememos/memos prior to 0.9.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4686
https://github.com/usememos/memos/commit/dca35bde877aab6e64ef51b52e590b5d48f692f9
https://huntr.dev/bounties/caa0b22c…
[future] Python Charmers Future denial of service vulnerability
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via a crafted Set-Cookie header from a malicious web server. This issue has been patched in version 0.18.3.
References
https://nvd.nist.g…
[wheel] pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)
Python Packaging Authority (PyPA) Wheel is a reference implementation of the Python wheel packaging standard. Wheel 0.37.1 and earlier are vulnerable to a Regular Expression denial of service via attacker-controlled input to the wheel CLI. The vulnerab…
[setuptools] pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)
Python Packaging Authority (PyPA)’s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package…
[codeigniter4/framework] CodeIgniter4 Potential Session Handlers Vulnerability
Impact
When an application uses (1) multiple session cookies (e.g., one for user pages and one for admin pages) and (2) a session handler is set to DatabaseHandler, MemcachedHandler, or RedisHandler, then if an attacker gets one session cookie (e.g., …
[codeigniter4/framework] CodeIgniter4 allows spoofing of IP address when using proxy
Impact
This vulnerability may allow attackers to spoof their IP address when your server is behind a reverse proxy.
Patches
Upgrade to v4.2.11 or later, and configure Config\App::$proxyIPs.
Workarounds
Do not use $request->getIPAddress().
References…
[github.com/destinygg/chat] destiny.gg chat vulnerable to cross-site request forgery
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in destiny.gg chat. It has been rated as problematic. This issue affects the function websocket.Upgrader of the file main.go. The manipulation leads to cross-site request forgery. The attack may…