Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in p…
[org.apache.dolphinscheduler:dolphinscheduler] Apache DolphinScheduler vulnerable to Improper Input Validation
Apache DolphinScheduler improperly validates script alert plugin parameters and is vulnerable to remote command execution. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions. Users should upgra…
[innologi/typo3-appointments] typo3-appointments vulnerable to Cross-site Scripting
A vulnerability, which was classified as problematic, was found in innologi appointments Extension up to 2.0.5. This affects an unknown part of the component Appointment Handler. The manipulation of the argument formfield leads to cross site scripting….
[httparty] httparty has multipart/form-data request tampering vulnerability
Impact
I found “multipart/form-data request tampering vulnerability” caused by Content-Disposition “filename” lack of escaping in httparty.
httparty/lib/httparty/request > body.rb > def generate_multipart
https://github.com/jnunemaker/httparty/bl…
[simplesamlphp/simplesamlphp-module-openid] SimpleSAMLphp simplesamlphp-module-openid
A vulnerability classified as problematic has been found in SimpleSAMLphp simplesamlphp-module-openid. Affected is an unknown function of the file templates/consumer.php of the component OpenID Handler. The manipulation of the argument AuthState leads …
[rgb2hex] rgb2hex vulnerable to inefficient regular expression complexity
A vulnerability was found in rgb2hex up to 0.1.5. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. Upgrading to vers…
[keynote] keynote Cross-site Scripting vulnerability
A vulnerability was found in rf Keynote up to 0.x. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/keynote/rumble.rb. The manipulation of the argument value leads to cross site scripting. The attac…
[froxlor/froxlor] Froxlor Improper Authorization vulnerability
Improper Authorization in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4868
https://github.com/froxlor/froxlor/commit/0527f22dc942483430f8449e25a096bb8d683a5d
https://huntr.dev/bounties/3…
[vova07/yii2-fileapi-widget] Yii2 FileAPI Widget vulnerable to Cross-site Scripting
A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site…
[froxlor/froxlor] Froxlor vulnerable to Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4867
https://github.com/froxlor/froxlor/commit/f7f356e896173558248c43f4f68612f78e73a65d
https://huntr.dev…