Total
263 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-42948 | 1 Helpsystems | 1 Cobalt Strike | 2025-02-07 | N/A | 9.8 CRITICAL |
| Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI. | |||||
| CVE-2024-9427 | 2025-02-07 | N/A | 5.4 MEDIUM | ||
| A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code | |||||
| CVE-2023-31669 | 1 Webassembly | 1 Webassembly Binary Toolkit | 2025-01-31 | N/A | 5.5 MEDIUM |
| WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote ("). | |||||
| CVE-2024-22356 | 1 Ibm | 3 App Connect Enterprise, Integration Bus, Z\/os | 2025-01-28 | N/A | 4.9 MEDIUM |
| IBM App Connect Enterprise 11.0.0.1 through 11.0.0.23, 12.0.1.0 through 12.0.9.0 and IBM Integration Bus for z/OS 10.1 through 10.1.0.2store potentially sensitive information in log or trace files that could be read by a privileged user. IBM X-Force ID: 280893. | |||||
| CVE-2025-24025 | 2025-01-24 | N/A | 6.1 MEDIUM | ||
| Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.380, the tags page allows users to search for tags. If the search does not return any results, the query gets reflected on the error modal, which leads to cross-site scripting. Version 4.0.0-beta.380 fixes the issue. | |||||
| CVE-2024-52006 | 2025-01-21 | N/A | N/A | ||
| Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. | |||||
| CVE-2024-50349 | 2025-01-21 | N/A | N/A | ||
| Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. | |||||
| CVE-2024-34355 | 1 Typo3 | 1 Typo3 | 2025-01-21 | N/A | 3.5 LOW |
| TYPO3 is an enterprise content management system. Starting in version 13.0.0 and prior to version 13.1.1, the history backend module is vulnerable to HTML injection. Although Content-Security-Policy headers effectively prevent JavaScript execution, adversaries can still inject malicious HTML markup. Exploiting this vulnerability requires a valid backend user account. TYPO3 version 13.1.1 fixes the problem described. | |||||
| CVE-2024-56277 | 2025-01-21 | N/A | 5.3 MEDIUM | ||
| Improper Encoding or Escaping of Output vulnerability in Poll Maker Team Poll Maker. This issue affects Poll Maker: from n/a through n/a. | |||||
| CVE-2025-23207 | 2025-01-17 | N/A | 6.3 MEDIUM | ||
| KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to remove this vulnerability. Users unable to upgrade should avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands, forbid inputs containing the substring `"\\htmlData"` and sanitize HTML output from KaTeX. | |||||
| CVE-2024-0690 | 2 Fedoraproject, Redhat | 6 Fedora, Ansible, Ansible Automation Platform and 3 more | 2025-01-17 | N/A | 5.0 MEDIUM |
| An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. | |||||
| CVE-2024-52005 | 2025-01-15 | N/A | N/A | ||
| Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources. | |||||
| CVE-2022-22399 | 1 Ibm | 1 Aspera Faspex | 2025-01-14 | N/A | 5.4 MEDIUM |
| IBM Aspera Faspex 5.0.0 and 5.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 222562. | |||||
| CVE-2018-8920 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 MEDIUM | 7.2 HIGH |
| Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format. | |||||
| CVE-2023-29543 | 1 Mozilla | 2 Firefox, Focus | 2025-01-10 | N/A | 8.8 HIGH |
| An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. | |||||
| CVE-2023-29541 | 1 Mozilla | 4 Firefox, Firefox Esr, Focus and 1 more | 2025-01-10 | N/A | 8.8 HIGH |
| Firefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be interpreted to run attacker-controlled commands. <br>*This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.*. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. | |||||
| CVE-2024-55663 | 1 Xwiki | 1 Xwiki | 2025-01-10 | N/A | 9.8 CRITICAL |
| XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround, other than upgrading XWiki. | |||||
| CVE-2024-10006 | 1 Hashicorp | 1 Consul | 2025-01-10 | N/A | 8.3 HIGH |
| A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | |||||
| CVE-2023-28362 | 2025-01-09 | N/A | 4.0 MEDIUM | ||
| The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. | |||||
| CVE-2023-28952 | 1 Ibm | 1 Cognos Controller | 2025-01-07 | N/A | 5.3 MEDIUM |
| IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463. | |||||