Total
258800 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-22796 | 1 Activesupport Project | 1 Activesupport | 2024-02-02 | N/A | 7.5 HIGH |
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. | |||||
CVE-2023-22795 | 3 Debian, Ruby-lang, Rubyonrails | 3 Debian Linux, Ruby, Rails | 2024-02-02 | N/A | 7.5 HIGH |
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
CVE-2023-22794 | 1 Activerecord Project | 1 Activerecord | 2024-02-02 | N/A | 8.8 HIGH |
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment. | |||||
CVE-2023-22792 | 1 Rubyonrails | 1 Rails | 2024-02-02 | N/A | 7.5 HIGH |
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
CVE-2021-22942 | 1 Rubyonrails | 1 Rails | 2024-02-02 | 5.8 MEDIUM | 6.1 MEDIUM |
A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. | |||||
CVE-2009-1955 | 7 Apache, Apple, Canonical and 4 more | 7 Apr-util, Mac Os X, Ubuntu Linux and 4 more | 2024-02-02 | 5.0 MEDIUM | 7.5 HIGH |
The expat XML parser in the apr_xml_* interface in xml/apr_xml.c in Apache APR-util before 1.3.7, as used in the mod_dav and mod_dav_svn modules in the Apache HTTP Server, allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, as demonstrated by a PROPFIND request, a similar issue to CVE-2003-1564. | |||||
CVE-2003-1564 | 1 Xmlsoft | 1 Libxml2 | 2024-02-02 | 9.3 HIGH | 6.5 MEDIUM |
libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack." | |||||
CVE-2007-1285 | 2 Php, Zend | 2 Php, Engine | 2024-02-02 | 5.0 MEDIUM | 7.5 HIGH |
The Zend Engine in PHP 4.x before 4.4.7, and 5.x before 5.2.2, allows remote attackers to cause a denial of service (stack exhaustion and PHP crash) via deeply nested arrays, which trigger deep recursion in the variable destruction routines. | |||||
CVE-2004-0747 | 1 Apache | 1 Http Server | 2024-02-02 | 4.6 MEDIUM | 7.8 HIGH |
Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables. | |||||
CVE-2004-1363 | 1 Oracle | 9 Application Server, Collaboration Suite, E-business Suite and 6 more | 2024-02-02 | 7.2 HIGH | 9.8 CRITICAL |
Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed. | |||||
CVE-2005-3120 | 1 University Of Kansas | 1 Lynx | 2024-02-02 | 7.5 HIGH | 9.8 CRITICAL |
Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters. | |||||
CVE-2023-33786 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Circuit Types (/circuits/circuit-types/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2023-33790 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Locations (/dcim/locations/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2023-33787 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Tenant Groups (/tenancy/tenant-groups/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2023-33785 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Rack Roles (/dcim/rack-roles/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2023-33795 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Contact Roles (/tenancy/contact-roles/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2019-25011 | 1 Netbox Project | 1 Netbox | 2024-02-02 | 3.5 LOW | 5.4 MEDIUM |
NetBox through 2.6.2 allows an Authenticated User to conduct an XSS attack against an admin via a GFM-rendered field, as demonstrated by /dcim/sites/add/ comments. | |||||
CVE-2023-33788 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Providers (/circuits/providers/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2023-33797 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Sites (/dcim/sites/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. | |||||
CVE-2023-33793 | 1 Netbox Project | 1 Netbox | 2024-02-02 | N/A | 5.4 MEDIUM |
A stored cross-site scripting (XSS) vulnerability in the Create Power Panels (/dcim/power-panels/) function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field. |