Security
Headlines
HeadlinesLatestCVEs

Tag

#js

CVE-2022-40037: Unrestricted Upload of File with Dangerous Type In /upFile · Issue #2 · rawchen/blog-ssm

An issue discovered in Rawchen blog-ssm v1.0 allows remote attacker to escalate privileges and execute arbitrary commands via the component /upFile.

CVE
Open in Source
#vulnerability#web#mac#windows#apple#linux#js#git#java#auth#chrome#webkit#firefox#ssl
CVE-2022-38775: Security issues

An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

CVE-2022-21810: Snyk Vulnerability Database | Snyk

All versions of the package smartctl are vulnerable to Command Injection via the info method due to improper input sanitization.

CVE-2022-3478: Sidekiq background job DoS by uploading malicious Nuget packages (#377788) · Issues · GitLab.org / GitLab · GitLab

An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious nuget package.

CVE-2022-3482: Release names visible in public projects despite release set as project members only (#377802) · Issues · GitLab.org / GitLab · GitLab

An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases we set to be restricted to project members only

CVE-2022-3572: 2022/CVE-2022-3572.json · master · GitLab.org / cves · GitLab

A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims.

CVE-2022-3820: 2022/CVE-2022-3820.json · master · GitLab.org / cves · GitLab

An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location.

CVE-2022-26329: Software Fixes - NetIQ Identity Manager 4.8 Service Pack 5 Release Notes

File existence disclosure vulnerability in NetIQ Identity Manager plugin prior to version 4.8.5 allows attacker to determine whether a file exists on the filesystem. This issue affects: Micro Focus NetIQ Identity Manager NetIQ Identity Manager versions prior to 4.8.5 on ALL.

CVE-2021-36539: unrestricted access with canvadoc_session_url · Issue #1905 · instructure/canvas-lms

Instructure Canvas LMS didn't properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).

CVE-2022-25962: Snyk Vulnerability Database | Snyk

All versions of the package vagrant.js are vulnerable to Command Injection via the boxAdd function due to improper input sanitization.