Topic

API

A collection of 144 issues

CVE-2021-36830 Stored XSS vulnerability in Comment Guestbook plugin = 0.8.0 at WordPress.

You need to update Comment Guestbook or remove it from your website at once. The latest version is 0.8.5 which was released on November 2, 2018. If you don’t update your plugin or disable commenting feature, then you might be vulnerable to XSS attack. You must be

CVE-2022-39263 The Upstash Redis adapter for Next.js gives authentication to Next.js.

Upstash Redis adapter for NextAuth.js is vulnerable to a session fixation bug, which can be exploited by an attacker to hijack the session. This issue is patched in v3.0.2. A workaround is available. To fix this issue, developers can enable SSL by setting the server's `SSL_VERIFY

CVE-2022-22526 Gavazzi UWP3.0 and CPY Car Park Server 2.8.3 have missing authentication, which allows for full access via API.

To avoid this, you have to force authentication by adding a domain name and password to your API requests. For example: /v2/cars/{id}/drive/{destination}/{start_position}/{end_position}/{duration}. This forces a secure connection via the domain name and password. Unfortunately, this also stops you from using the

CVE-2021-41803 HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 don't validate node or segment names before using it in JWT claim assertions with the auto config RPC.

The above findings indicate that HashiCorp Consul versions 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 are vulnerable to a potential XSS attack. In order to exploit this vulnerability an attacker would need to convince an unsuspecting user to visit a malicious website.

CVE-2022-41218 Driver uses refcount races to affect dvb_demux_open and dvb_dmxdev_release.

Due to limitation in the API, when doing a dvb_demux_close(device) followed by a dvb_device_get(device) from the same device, the latter will fail with: dvb_demux_close(device) =========== ... refcount with dvb_device_get() = 1 dvb_device_get(device) ============== device is freed It happens because dvb_

CVE-2022-37882 Vulnerabilities in the ClearPass Policy Manager web-based interface allow remote attackers to run arbitrary commands on the underlying host.

end users are advised to upgrade their Aruba ClearPass Policy Manager software to the latest version to address these issues. Vulnerability details CVE-2019-1932 The ClearPass Policy Manager web-based interface does not restrict the installation of custom scripts, allowing attackers to execute arbitrary code on the underlying host. The ClearPass Policy

CVE-2022-40806 The d8s-uuids for python included a backdoor from a third party. The democritus-hypothesis package is the backdoor.

It has been confirmed that this vulnerability can be exploited by an attacker to inject arbitrary python commands into any website that uses the d8s-uuids. The attacker would only need to host a d8s-uuids-enabled website on a server that has d8s-uuids installed on its Python installation. The input to the

CVE-2022-3232 Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffweb prior to 2.4.5.

The CSRF vulnerability exists in the GitHub v2.4.5 API. The attacker can submit a request to the victim to change the content on GitHub if they have access to the victim’s account on the repository. Exploitation Access the GitHub repository. Go to Settings, then Authentication. Click on

CVE-2022-36001 TensorFlow is an open source platform for machine learning. When `DrawBoundingBoxes` receives an input without dtype='float' it gives a `CHECK` fail that can trigger a denial of service attack.

We are aware of this issue, and are working on a fix. It is possible that with large numbers of boxes, the inference engine may fail due to memory constraints. When inference fails, the inference endpoint returns a `CHECK` fail. We have observed that inference of the following code snippet

CVE-2022-36014 TensorFlow is an open source platform for machine learning. When it receives null type attributes, it crashes.

You can update to TensorFlow 2.10.0 or TensorFlow 2.9.1 if you are running TensorFlow 2.8.1 or TensorFlow 2.7.2. However, note that TensorFlow 2.10.0 is not backwards compatible. This means your TensorFlow code will not run on TensorFlow 2.9.1