π¨ CVE-2022-0406
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
π@cveNotify
Improper Authorization in GitHub repository janeczku/calibre-web prior to 0.6.16.
π@cveNotify
GitHub
Upates for new release Β· janeczku/calibre-web@e0e0422
:books: Web app for browsing, reading and downloading eBooks stored in a Calibre database - Upates for new release Β· janeczku/calibre-web@e0e0422
π¨ CVE-2022-0939
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
GitHub
Better epub cover parsing with multiple cover-image items Β· janeczku/calibre-web@4545f4a
Code cosmetics
renamed variables
refactored xml page generation
refactored prepare author
renamed variables
refactored xml page generation
refactored prepare author
π¨ CVE-2022-0990
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.18.
π@cveNotify
GitHub
Better epub cover parsing with multiple cover-image items Β· janeczku/calibre-web@4545f4a
Code cosmetics
renamed variables
refactored xml page generation
refactored prepare author
renamed variables
refactored xml page generation
refactored prepare author
π¨ CVE-2022-2525
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
Improper Restriction of Excessive Authentication Attempts in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
GitHub
** Be careful, after updating, there is no way back ** Β· janeczku/calibre-web@49e4f54
** Please install flask-limiter after updating **
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
π¨ CVE-2023-2106
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20.
π@cveNotify
GitHub
** Be careful, after updating, there is no way back ** Β· janeczku/calibre-web@49e4f54
** Please install flask-limiter after updating **
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
Update Teststatus
Bugfix after merge
Bugfix generate Metadata backup
π¨ CVE-2024-44206
An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.
π@cveNotify
An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.
π@cveNotify
Apple Support
About the security content of iOS 17.6 and iPadOS 17.6 - Apple Support
This document describes the security content of iOS 17.6 and iPadOS 17.6.
π¨ CVE-2024-23715
In PMRWritePMPageList of pmr.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
In PMRWritePMPageList of pmr.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
π¨ CVE-2022-31667
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesnβt have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesnβt have access to, it was possible to revoke the robot account permissions.
π@cveNotify
Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesnβt have access to.
By sending a request that attempts to update a robot account, and specifying a robot account id and robot account name that belongs to a different project that the user doesnβt have access to, it was possible to revoke the robot account permissions.
π@cveNotify
GitHub
Harbor fails to validate the user permissions when updating a robot account
### Impact
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesnβt have access to. API call:
PUT /robots/{robo...
Harbor fails to validate the user permissions when updating a robot account that
belongs to a project that the authenticated user doesnβt have access to. API call:
PUT /robots/{robo...
π¨ CVE-2022-31668
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
π@cveNotify
Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the attacker could modify p2p preheat policies configured in other projects.
π@cveNotify
GitHub
Harbor fails to validate the user permissions when updating p2p preheat policies
### Impact
Harbor fails to validate the user permissions when updating p2p preheat policies - API call
PUT /projects/{project_name}/preheat/policies/{preheat_policy_name}
By sending a req...
Harbor fails to validate the user permissions when updating p2p preheat policies - API call
PUT /projects/{project_name}/preheat/policies/{preheat_policy_name}
By sending a req...
π¨ CVE-2022-31669
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesnβt have access to, the attacker could
modify tag immutability policies configured in other projects.
π@cveNotify
Harbor fails to validate the user permissions when updating tag immutability policies.
By sending a request to update a tag immutability policy with an id that belongs to a
project that the currently authenticated user doesnβt have access to, the attacker could
modify tag immutability policies configured in other projects.
π@cveNotify
GitHub
Harbor fails to validate the user permissions when updating tag immutability policies
### Impact
Harbor fails to validate the user permissions when updating tag immutability policies - API call:
PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}
By sen...
Harbor fails to validate the user permissions when updating tag immutability policies - API call:
PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}
By sen...
π¨ CVE-2022-31670
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesnβt have access to, the attacker could modify
tag retention policies configured in other projects.
π@cveNotify
Harbor fails to validate the user permissions when updating tag retention policies.
By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesnβt have access to, the attacker could modify
tag retention policies configured in other projects.
π@cveNotify
GitHub
Harbor fails to validate the user permissions when updating tag retention policies
### Impact
Harbor fails to validate the user permissions when updating tag retention policies. API call:
PUT /retentions/{id}
By sending a request to update a tag retention policy with an...
Harbor fails to validate the user permissions when updating tag retention policies. API call:
PUT /retentions/{id}
By sending a request to update a tag retention policy with an...
π¨ CVE-2021-3991
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
π@cveNotify
An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.
π@cveNotify
GitHub
Debug permission on supplier order. Β· Dolibarr/dolibarr@63cd063
Fix #huntr58ddbd8a-0faf-4b3f-aec9-5850bb19ab67
π¨ CVE-2022-1226
A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.
π@cveNotify
A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. This vulnerability affects the import Data set feature via a spreadsheet file upload. The affected endpoints include import-vlan-preview.php, import-subnets-preview.php, import-vrf-preview.php, import-ipaddr-preview.php, import-devtype-preview.php, import-devices-preview.php, and import-l2dom-preview.php. The vulnerability can be exploited by uploading a specially crafted spreadsheet file containing malicious JavaScript payloads, which are then executed in the context of the victim's browser. This can lead to defacement of websites, execution of malicious JavaScript code, stealing of user cookies, and unauthorized access to user accounts.
π@cveNotify
GitHub
Bugfix: XSS (reflected) in import previews Β· phpipam/phpipam@50e36b9
Reported by Faisal Fs <faisalfs10x@gmail.com>
π¨ CVE-2016-7514
The ReadPSDChannelPixels function in coders/psd.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PSD file.
π@cveNotify
The ReadPSDChannelPixels function in coders/psd.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PSD file.
π@cveNotify
π¨ CVE-2024-1367
A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host.
π@cveNotify
A command injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Logging parameters, which could lead to the execution of arbitrary code on the Security Center host.
π@cveNotify
π¨ CVE-2024-1471
An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters, which could lead to HTML redirection attacks.
π@cveNotify
An HTML injection vulnerability exists where an authenticated, remote attacker with administrator privileges on the Security Center application could modify Repository parameters, which could lead to HTML redirection attacks.
π@cveNotify
π¨ CVE-2024-9409
CWE-400: An Uncontrolled Resource Consumption vulnerability exists that could cause the device to become
unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network.
π@cveNotify
CWE-400: An Uncontrolled Resource Consumption vulnerability exists that could cause the device to become
unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network.
π@cveNotify
π¨ CVE-2024-52268
Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
π@cveNotify
Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is accessing the web site using the product.
π@cveNotify
jvn.jp
JVN#05136799: WordPress Plugin "VK All in One Expansion Unit" vulnerable to cross-site scripting
Japan Vulnerability Notes
π¨ CVE-2024-10877
The AFI β The Easiest Integration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.92.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
π@cveNotify
The AFI β The Easiest Integration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.92.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
π@cveNotify
π¨ CVE-2020-11001
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision
comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail
admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform
actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to
the Wagtail admin.
Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
π@cveNotify
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision
comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail
admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform
actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to
the Wagtail admin.
Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
π@cveNotify
GitHub
Possible XSS attack via page revision comparison view
### Impact
A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtai...
A cross-site scripting (XSS) vulnerability exists on the page revision comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtai...