Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-56m6-4mhw-h3g5: langflow has vulnerability in PythonCodeTool component

langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

ghsa
#vulnerability#web#rce#auth
GHSA-p3vf-v8qc-cwcr: DOMPurify vulnerable to tampering by prototype polution

dompurify was vulnerable to prototype pollution Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc

GHSA-2qw8-ppr5-m96c: Apache Lucene.Net.Replicator Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.

GHSA-fq9m-v26v-2m4f: lilconfig Code Injection vulnerability

Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function.

GHSA-mcw3-h5xg-r95m: JeecgBoot SQL Injection vulnerability

JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component `/onlDragDatasetHead/getTotalData`.

GHSA-99wr-c2px-grmh: Hashicorp Consul Cross-site Scripting vulnerability

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.

GHSA-5c4w-8hhh-3c3h: Hashicorp Consul Improper Neutralization of HTTP Headers for Scripting Syntax vulnerability

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using Headers in L7 traffic intentions could bypass HTTP header based access rules.

GHSA-chgm-7r52-whjj: Hashicorp Consul Path Traversal vulnerability

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.

GHSA-pjhx-j53p-c5f5: ThinkPHP deserialization vulnerability

A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

GHSA-24mc-gc52-47jv: ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected

### Impact Users of this library that set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer, or shorter than desired. Users not implemented SAS Uri's are unaffected. ### Patches This issue was resolved in version 8.0.0 of the library, all users should update to this version ASAP. ### Workarounds None