Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-q4qm-xhf9-4p8f: Authorization bypass in Flower

Flower, a web UI for the Celery Python RPC framework, all versions as of 05-02-2022 is vulnerable to an OAuth authentication bypass. An attacker could then access the Flower API to discover and invoke arbitrary Celery RPC calls or deny service by shutting down Celery task nodes.

ghsa
#web#git#oauth#auth
GHSA-23f2-vgr6-fwv7: Command injection in librenms

LibreNMS v22.3.0 was discovered to contain multiple command injection vulnerabilities via the service_ip, hostname, and service_param parameters.

GHSA-8rp2-j3vj-hgj4: Cross site scripting in Jfinal

A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.

GHSA-fp36-299x-pwmw: Regular expression denial of service in devcert

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method

GHSA-mmh6-m7v9-5956: Regular expression denial of service in markdown-link-extractor

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the markdown-link-extractor npm package, when an attacker is able to supply arbitrary input to the module's exported function

GHSA-4x5v-gmq8-25ch: Regular expression denial of service in semver-regex

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

GHSA-gwp3-f7mr-qpfv: OS Command Injection in s3-uploader

OS command injection vulnerability in Turistforeningen node-s3-uploader through 2.0.3 for Node.js allows attackers to execute arbitrary commands via the metadata() function.

GHSA-j9m2-h2pv-wvph: Regular expression denial of service in jquery-validation

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method

GHSA-7xhv-mpjw-422f: Command injection in google-it

Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially exposing the server to RCE.

GHSA-cv76-rv4h-4mqc: OS Command Injection in proctree

OS Command Injection vulnerability in allenhwkim proctree through 0.1.1 and commit 0ac10ae575459457838f14e21d5996f2fa5c7593 for Node.js, allows attackers to execute arbitrary commands via the fix function.