βΌ CVE-2023-44168 βΌ
π Read
via "National Vulnerability Database".
The 'phone' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-43662 βΌ
π Read
via "National Vulnerability Database".
ShokoServer is a media server which specializes in organizing anime. In affected versions the `/api/Image/WithPath` endpoint is accessible without authentication and is supposed to return default server images. The endpoint accepts the parameter `serverImagePath`, which is not sanitized in any way before being passed to `System.IO.File.OpenRead`, which results in an arbitrary file read. This issue may lead to an arbitrary file read which is exacerbated in the windows installer which installs the ShokoServer as administrator. Any unauthenticated attacker may be able to access sensitive information and read files stored on the server. The `/api/Image/WithPath` endpoint has been removed in commit `6c57ba0f0` which will be included in subsequent releases. Users should limit access to the `/api/Image/WithPath` endpoint or manually patch their installations until a patched release is made. This issue was discovered by the GitHub Security lab and is also indexed as GHSL-2023-191.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44165 βΌ
π Read
via "National Vulnerability Database".
The 'Password' parameter of the process_login.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44166 βΌ
π Read
via "National Vulnerability Database".
The 'age' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44167 βΌ
π Read
via "National Vulnerability Database".
The 'name' parameter of the process_registration.php resourcedoes not validate the characters received and theyare sent unfiltered to the database.π Read
via "National Vulnerability Database".
βΌ CVE-2023-4532 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2233 βΌ
π Read
via "National Vulnerability Database".
An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-3906 βΌ
π Read
via "National Vulnerability Database".
An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44464 βΌ
π Read
via "National Vulnerability Database".
pretix before 2023.7.2 allows Pillow to parse EPS files.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3922 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.π Read
via "National Vulnerability Database".
βΌ CVE-2023-0989 βΌ
π Read
via "National Vulnerability Database".
An information disclosure issue in GitLab CE/EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3914 βΌ
π Read
via "National Vulnerability Database".
A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3979 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge requestΓ’β¬β’s source branch.π Read
via "National Vulnerability Database".
βΌ CVE-2023-5198 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26147 βΌ
π Read
via "National Vulnerability Database".
All versions of the package ithewei/libhv are vulnerable to HTTP Response Splitting when untrusted user input is used to build headers values. An attacker can add the \r\n (carriage return line feeds) characters to end the HTTP response headers and inject malicious content, like for example additional headers or new response body, leading to a potential XSS vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2023-44466 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in net/ceph/messenger_v2.c in the Linux kernel before 6.4.5. There is an integer signedness error, leading to a buffer overflow and remote code execution via HELLO or one of the AUTH frames. This occurs because of an untrusted length taken from a TCP packet in ceph_decode_32.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3413 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3917 βΌ
π Read
via "National Vulnerability Database".
Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows attacker to cause pipelines to fail.π Read
via "National Vulnerability Database".
βΌ CVE-2023-3920 βΌ
π Read
via "National Vulnerability Database".
An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26148 βΌ
π Read
via "National Vulnerability Database".
All versions of the package ithewei/libhv are vulnerable to CRLF Injection when untrusted user input is used to set request headers. An attacker can add the \r\n (carriage return line feeds) characters and inject additional headers in the request sent.π Read
via "National Vulnerability Database".
βΌ CVE-2023-30591 βΌ
π Read
via "National Vulnerability Database".
Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively.π Read
via "National Vulnerability Database".