Ecosyste.ms: OpenCollective

An open API service for software projects hosted on Open Collective.

High
phpseclib: GSA_kwCzR0hTQS1qcHI3LXE1MjMtaHgyNc4AA3X2
phpseclib vulnerable to denial of service
Ecosystems: packagist
Packages: phpseclib/phpseclib
Source: github
Published: about 1 year ago
Moderate
uptime-kuma: GSA_kwCzR0hTQS1oZnhoLXJqdjctMjM2Oc4AA3Xr
Uptime Kuma Authenticated remote code execution via TailscalePing
Ecosystems: npm
Packages: uptime-kuma
Source: github
Published: about 1 year ago
Moderate
uptime-kuma: GSA_kwCzR0hTQS12NHYyLThoODgtNjVxas4AA3W6
Attribute Injection leading to XSS (Cross-Site Scripting)
Ecosystems: npm
Packages: uptime-kuma
Source: github
Published: about 1 year ago
Moderate
bc-java: GSA_kwCzR0hTQS13anhqLTVtN2ctbWc3cc4AA3WZ
Bouncy Castle Denial of Service (DoS)
Ecosystems: maven
Packages: org.bouncycastle:bcprov-jdk15on, org.bouncycastle:bcprov-jdk16, org.bouncycastle:bcprov-jdk15to18, org.bouncycastle:bcprov-jdk15, org.bouncycastle:bcprov-jdk14, org.bouncycastle:bcprov-ext-jdk16, org.bouncycastle:bcprov-ext-jdk15on, org.bouncycastle:bcpkix-jdk18on, org.bouncycastle:bcprov-jdk18on
Source: github
Published: about 1 year ago
Moderate
next-auth: GSA_kwCzR0hTQS12NjR3LTQ5eHctcXE4Oc4AA3R1
Possible user mocking that bypasses basic authentication
Ecosystems: npm
Packages: next-auth
Source: github
Published: about 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS1mcHE1LTR2d20tNzh4NM4AA3P3
LibreNMS has Broken Access control on Graphs Feature
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: about 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS04cGhyLTYzN2ctcHhyZ84AA3P2
LibreNMS Cross-site Scripting at Device groups Deletion feature
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: about 1 year ago
Moderate
vendure: GSA_kwCzR0hTQS13bTYzLTc2MjctY2gzM84AA3P1
@vendure/core's insecure currencyCode handling allows wrong payment amounts
Ecosystems: npm
Packages: @vendure/core
Source: github
Published: about 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS1ycTQyLTU4cWYtdjNxeM4AA3Pz
LibreNMS vulnerable to rate limiting bypass on login page
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: about 1 year ago
High
yii: GSA_kwCzR0hTQS1tdzJ3LTJoajItZmc4cc4AA3Kz
yiisoft/yii deserializing untrusted user input can lead to remote code execution
Ecosystems: packagist
Packages: yiisoft/yii
Source: github
Published: about 1 year ago
Moderate
microweber: GSA_kwCzR0hTQS1xNTdnLTM4cGMtand2OM4AA3IQ
Microweber Improper Access Control vulnerability
Ecosystems: packagist
Packages: microweber/microweber
Source: github
Published: about 1 year ago
Moderate
axios: GSA_kwCzR0hTQS13ZjVwLWc2dnctcmh4eM4AA2_y
Axios Cross-Site Request Forgery Vulnerability
Ecosystems: npm
Packages: axios
Source: github
Published: about 1 year ago
Moderate
microweber: GSA_kwCzR0hTQS1qbXdtLXcycm0tcHJ2Oc4AA2_o
Microweber Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: microweber/microweber
Source: github
Published: about 1 year ago
High
strapi: GSA_kwCzR0hTQS1nYzdwLWo1eG0teHhoMs4AA26o
Unauthorized Access to Private Fields in User Registration API
Ecosystems: npm
Packages: @strapi/strapi, @strapi/plugin-users-permissions
Source: github
Published: about 1 year ago
High
subrion: GSA_kwCzR0hTQS0yeDI4LWM3ajctMjNnds4AA26P
Subrion remote command execution vulnerability
Ecosystems: packagist
Packages: intelliants/subrion
Source: github
Published: about 1 year ago
Moderate
phpbb: GSA_kwCzR0hTQS1nbXg4LThyZmYtcXY2cc4AA231
phpBB's Smiley Pack acp_icons.php main pack vulnerable to cross site scripting
Ecosystems: packagist
Packages: phpbb/phpbb
Source: github
Published: about 1 year ago
High
dolibarr: GSA_kwCzR0hTQS1yOWNtLXB3OWotM2ZweM4AA21l
Dolibarr Improper Input Validation vulnerability
Ecosystems: packagist
Packages: dolibarr/dolibarr
Source: github
Published: about 1 year ago
Moderate
dolibarr: GSA_kwCzR0hTQS00OHYyLTU5NngtNGpyOc4AA21m
Dolibarr Improper Input Validation vulnerability
Ecosystems: packagist
Packages: dolibarr/dolibarr
Source: github
Published: about 1 year ago
Moderate
pypdf: GSA_kwCzR0hTQS13amNjLWNxNzktcDYzZs4AA21E
Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF
Ecosystems: pypi
Packages: pypdf
Source: github
Published: about 1 year ago
High
generator-jhipster: GSA_kwCzR0hTQS00Z3BtLXIyM2gtZ3Byd84AA2zp
generator-jhipster allows a timing attack against validateToken due to a string comparison that stops at the first character
Ecosystems: npm
Packages: generator-jhipster
Source: github
Published: about 1 year ago
Moderate
microweber: GSA_kwCzR0hTQS03cTVmLTI5Z3gtNTdmZs4AA2zg
Cross-site Scripting (XSS) in microweber/microweber
Ecosystems: packagist
Packages: microweber/microweber
Source: github
Published: about 1 year ago
Moderate
jumpserver: GSA_kwCzR0hTQS00cjV4LXgyODMtd205Ns4AA2oW
Jumpserver Koko vulnerable to remote code execution on the host system via MongoDB shell
Ecosystems: go
Packages: github.com/jumpserver/koko
Source: github
Published: about 1 year ago
High
parse-server: GSA_kwCzR0hTQS03OTJxLXE2N2gtdzU3Oc4AA2oK
Parse Server may crash when uploading file without extension
Ecosystems: npm
Packages: parse-server
Source: github
Published: about 1 year ago
High
pdm: GSA_kwCzR0hTQS1qNDR2LW1tZjIteHZtOc4AA2mh
PDM Trojan Lockfile
Ecosystems: pypi
Packages: pdm
Source: github
Published: about 1 year ago
High
tauri: GSA_kwCzR0hTQS0ycmNwLWp2cjQtcjI1Oc4AA2mV
Tauri's Updater Private Keys Possibly Leaked via Vite Environment Variables
Ecosystems: cargo, npm
Packages: tauri-cli, @tauri-apps/cli
Source: github
Published: about 1 year ago
Low
wagtail: GSA_kwCzR0hTQS1mYzc1LTU4cjgtcm0zaM4AA2kA
Wagtail vulnerable to disclosure of user names via admin bulk action views
Ecosystems: pypi
Packages: wagtail
Source: github
Published: about 1 year ago
Moderate
urllib3: GSA_kwCzR0hTQS1nNG14LXE5dmctMjdwNM4AA2gt
urllib3's request body not stripped after redirect from 303 status changes request method to GET
Ecosystems: pypi
Packages: urllib3
Source: github
Published: about 1 year ago
High
fiber: GSA_kwCzR0hTQS1tdjczLWY2OXgtNDQ0cM4AA2gQ
Go Fiber CSRF Token Validation Vulnerability
Ecosystems: go
Packages: github.com/gofiber/fiber/v2
Source: github
Published: about 1 year ago
Critical
fiber: GSA_kwCzR0hTQS05NHc5LTk3cDMtcDM2OM4AA2gP
CSRF Token Reuse Vulnerability
Ecosystems: go
Packages: github.com/gofiber/fiber/v2
Source: github
Published: about 1 year ago
Low
undici: GSA_kwCzR0hTQS13cXE0LTV3cHYtbXgyZ84AA2eY
Undici's cookie header not cleared on cross-origin redirect in fetch
Ecosystems: npm
Packages: undici
Source: github
Published: about 1 year ago
Critical
babel: GSA_kwCzR0hTQS02N2h4LTZ4NTMtanc5Ms4AA2eW
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Ecosystems: npm
Packages: babel-traverse, @babel/traverse
Source: github
Published: about 1 year ago
High
librenms: GSA_kwCzR0hTQS1tcjZoLTd4Mm0tcmdtcc4AA2dG
SQL injection in librenms/librenms
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: about 1 year ago
Moderate
urllib3: GSA_kwCzR0hTQS1nd3ZtLTQ1Z3gtM2NmOM4AA2c6
Authorization Header forwarded on redirect
Ecosystems: pypi
Packages: urllib3
Source: github
Published: about 1 year ago
High
uptime-kuma: GSA_kwCzR0hTQS1nOXYyLXdxY2otajk5Z84AA2X4
Uptime Kuma has Persistent User Sessions
Ecosystems: npm
Packages: uptime-kuma
Source: github
Published: about 1 year ago
High
decidim: GSA_kwCzR0hTQS02MzloLTg2aHctcWNqcc4AA2Qo
Decidim has broken access control in templates
Ecosystems: rubygems
Packages: decidim, decidim-templates
Source: github
Published: about 1 year ago
High
urllib3: GSA_kwCzR0hTQS12ODQ1LWp4eDUtdmM5Zs4AA2MD
`Cookie` HTTP header isn't stripped on cross-origin redirects
Ecosystems: pypi
Packages: urllib3
Source: github
Published: about 1 year ago
Moderate
wallabag: GSA_kwCzR0hTQS01NmZtLWhmcDMteDN3M84AA2MC
Wallabag user can disable 2FA unintentionally
Ecosystems: packagist
Packages: wallabag/wallabag
Source: github
Published: about 1 year ago
Moderate
microweber: GSA_kwCzR0hTQS1yNjU3LTN3cWgtZzJ4Oc4AA2Jx
Microweber uses hard coded credentials
Ecosystems: packagist
Packages: microweber/microweber
Source: github
Published: about 1 year ago
Moderate
postcss: GSA_kwCzR0hTQS03Zmg1LTY0cDItM3Yyas4AA2Js
PostCSS line return parsing error
Ecosystems: npm
Packages: postcss
Source: github
Published: about 1 year ago
High
electron: GSA_kwCzR0hTQS1xcXZxLTZ4Z2otanc4Z84AA2IC
Electron affected by libvpx's heap buffer overflow in vp8 encoding
Ecosystems: npm
Packages: electron
Source: github
Published: about 1 year ago
Moderate
microweber: GSA_kwCzR0hTQS1yZ2Y5LWo3Z3YtcnEyMs4AA2HZ
Microweber Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: microweber/microweber
Source: github
Published: about 1 year ago
Critical
sing-box: GSA_kwCzR0hTQS1yNWhtLW1wM2otMjg1Z84AA2C4
sing-box vulnerable to improper authentication in the SOCKS inbound
Ecosystems: go
Packages: github.com/sagernet/sing, github.com/sagernet/sing-box
Source: github
Published: about 1 year ago
Moderate
AEADs: GSA_kwCzR0hTQS00MjN3LXAydzktcjd2cc4AA2An
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
Ecosystems: cargo
Packages: aes-gcm
Source: github
Published: about 1 year ago
High
quinn: GSA_kwCzR0hTQS1xOHdjLWo1bTktMjd3M84AA1_5
Denial of Service issue in quinn-proto
Ecosystems: cargo
Packages: quinn-proto
Source: github
Published: about 1 year ago
High
librenms: GSA_kwCzR0hTQS0ycThjLWdxZjQtbWczds4AA17s
Cross site scripting in librenms
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
High
memos: GSA_kwCzR0hTQS0yZzdyLTl4cTUtYzZods4AA167
Cross-Site Request Forgery (CSRF) in usememos/memos
Ecosystems: go
Packages: github.com/usememos/memos
Source: github
Published: over 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS01N20yLW1wYzctZ3dneM4AA14x
LibreNMS Code Injection vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS1xeHJxLTM3NnEtcDM5aM4AA14y
LibreNMS Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS1xanB3LXJnNTYtamg4ds4AA143
LibreNMS Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS1qcDNjLWc0NnYtamcyY84AA14w
LibreNMS Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS01amptLXFwNDgtcXA4Ns4AA144
LibreNMS Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
Moderate
librenms: GSA_kwCzR0hTQS1tNmpqLWZnbWgtM3A4cs4AA145
LibreNMS Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
High
strapi: GSA_kwCzR0hTQS0yNHEyLTU5aG0tcmg5cs4AA12t
Strapi Improper Rate Limiting vulnerability
Ecosystems: npm
Packages: @strapi/plugin-users-permissions, @strapi/admin
Source: github
Published: over 1 year ago
Moderate
strapi: GSA_kwCzR0hTQS1tMjg0LTg1bWYtY2dyY84AA12s
Strapi's field level permissions not being respected in relationship title
Ecosystems: npm
Packages: @strapi/plugin-content-manager
Source: github
Published: over 1 year ago
Moderate
strapi: GSA_kwCzR0hTQS12OGdnLTRtcTItODhxNM4AA12r
Strapi may leak sensitive user information, user reset password, tokens via content-manager views
Ecosystems: npm
Packages: @strapi/utils, @strapi/admin, @strapi/plugin-content-manager
Source: github
Published: over 1 year ago
High
magento-lts: GSA_kwCzR0hTQS05MzU4LWNwdngtYzJxcM4AA1zS
Magento LTS's guest order "protect code" can be brute-forced too easily
Ecosystems: packagist
Packages: openmage/magento-lts
Source: github
Published: over 1 year ago
Moderate
fiber: GSA_kwCzR0hTQS0zcTVwLTM1NTgtMzY0Zs4AA1xI
Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`
Ecosystems: go
Packages: github.com/gofiber/fiber/v2, github.com/gofiber/fiber
Source: github
Published: over 1 year ago
Moderate
electron: GSA_kwCzR0hTQS03eDk3LWozNzMtODV4Nc4AA1vg
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd
Ecosystems: npm
Packages: electron
Source: github
Published: over 1 year ago
Moderate
electron: GSA_kwCzR0hTQS1wN3YyLXA5bTgtcXFnN84AA1vf
Electron context isolation bypass via nested unserializable return value
Ecosystems: npm
Packages: electron
Source: github
Published: over 1 year ago
High
electron: GSA_kwCzR0hTQS1neGg3LXd2OXEtZndmcs4AA1vc
Electron's Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled
Ecosystems: npm
Packages: electron
Source: github
Published: over 1 year ago
High
parse-server: GSA_kwCzR0hTQS1mY3Y2LWZnNXItam05cc4AA1rK
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Ecosystems: npm
Packages: parse-server
Source: github
Published: over 1 year ago
High
memos: GSA_kwCzR0hTQS01ajZwLTU5Y2otajZjcM4AA1nE
usememos/memos vulnerable to privilege escalation
Ecosystems: go
Packages: github.com/usememos/memos
Source: github
Published: over 1 year ago
High
memos: GSA_kwCzR0hTQS05NmdxLTZjaDUtbW01NM4AA1nF
usememos/memos vulnerable to improper input validation
Ecosystems: go
Packages: github.com/usememos/memos
Source: github
Published: over 1 year ago
Critical
memos: GSA_kwCzR0hTQS1qMmdqLWczcDktN21ycs4AA1nC
Account Takeover Due to Improper Handling of JWT Tokens in usememos/memos
Ecosystems: go
Packages: github.com/usememos/memos
Source: github
Published: over 1 year ago
Moderate
borg: GSA_kwCzR0hTQS04ZmpyLWhnaHItNG05Oc4AA1lJ
Archive spoofing vulnerability in borgbackup
Ecosystems: pypi
Packages: borgbackup
Source: github
Published: over 1 year ago
Moderate
wallabag: GSA_kwCzR0hTQS1wOGdwLTg5OWMtanZxOc4AA1aY
Wallabag user can reset data unintentionally
Ecosystems: packagist
Packages: wallabag/wallabag
Source: github
Published: over 1 year ago
Moderate
wallabag: GSA_kwCzR0hTQS1nanZjLTU1ZnctdjZ2cc4AA1aX
Wallabag user can delete own API client unintentionally
Ecosystems: packagist
Packages: wallabag/wallabag
Source: github
Published: over 1 year ago
Moderate
wallabag: GSA_kwCzR0hTQS1ndnZ4LWZjNnAtMmg5eM4AA1Z-
Duplicate Advisory: Wallabag user can delete own API client unintentionally
Ecosystems: packagist
Packages: wallabag/wallabag
Source: github
Published: over 1 year ago
Moderate
wallabag: GSA_kwCzR0hTQS1yd3BnLTRjNGMtdjNyNM4AA1Z8
Duplicate Advisory: Wallabag user can reset data unintentionally
Ecosystems: packagist
Packages: wallabag/wallabag
Source: github
Published: over 1 year ago
High
framework: GSA_kwCzR0hTQS02N2M2LXE0ajQtaGNjZ84AA1WM
Flarum vulnerable to LFI and Blind SSRF via Avatar upload
Ecosystems: packagist
Packages: flarum/framework, flarum/core
Source: github
Published: over 1 year ago
High
woodpecker: GSA_kwCzR0hTQS00Z2NmLTVtMzktOThtY84AA1WL
Woodpecker does not validate webhook before changing any data
Ecosystems: go
Packages: github.com/woodpecker-ci/woodpecker
Source: github
Published: over 1 year ago
Moderate
excalidraw: GSA_kwCzR0hTQS12N3Y4LWdqdjctZmZtcs4AA1WK
@excalidraw/excalidraw Cross-site Scripting vulnerability
Ecosystems: npm
Packages: @excalidraw/excalidraw
Source: github
Published: over 1 year ago
Moderate
excalidraw: GSA_kwCzR0hTQS1mcjlnLTJtMmgtYzI3as4AA1VN
Duplicate Advisory: @excalidraw/excalidraw Cross-site Scripting vulnerability
Ecosystems: npm
Packages: @excalidraw/excalidraw
Source: github
Published: over 1 year ago
Moderate
Ghost: GSA_kwCzR0hTQS05Yzl2LXcyMjUtdjVyZ84AA1Uk
Ghost vulnerable to arbitrary file read via symlinks in content import
Ecosystems: npm
Packages: ghost
Source: github
Published: over 1 year ago
High
librenms: GSA_kwCzR0hTQS1tNnBmLWNtM2YtNzg3Ns4AA1Tn
LibreNMS Cross-site Scripting vulnerability
Ecosystems: packagist
Packages: librenms/librenms
Source: github
Published: over 1 year ago
Moderate
commonmarker: GSA_kwCzR0hTQS03dmg3LWZ3ODgtd2o4N84AA1Il
Several quadratic complexity bugs may lead to denial of service in Commonmarker
Ecosystems: rubygems
Packages: commonmarker
Source: github
Published: over 1 year ago
Moderate
gitea: GSA_kwCzR0hTQS04ajN2LTY4dzMtMzg0OM4AA1Fj
Gitea erroneous repo clones
Ecosystems: go
Packages: code.gitea.io/gitea
Source: github
Published: over 1 year ago
Critical
soketi: GSA_kwCzR0hTQS1nNnc2LWg5MzMtNHJjNc4AA1Cn
Soketi was exposed to Sandbox Escape vulnerability via vm2
Ecosystems: npm
Packages: @soketi/soketi
Source: github
Published: over 1 year ago
High
pnpm: GSA_kwCzR0hTQS01cjk4LWYzM2otZzhoN84AA0-_
pnpm incorrectly parses tar archives relative to specification
Ecosystems: npm
Packages: @pnpm/win-x64, @pnpm/macos-x64, @pnpm/macos-arm64, @pnpm/linuxstatic-arm64, @pnpm/linux-x64, @pnpm/linux-arm64, @pnpm/exe, pnpm, @pnpm/cafs
Source: github
Published: over 1 year ago
Critical
raspap-webgui: GSA_kwCzR0hTQS03YzI4LXdnN3ItcGc2Zs4AA0-u
RaspAP Command Injection vulnerability
Ecosystems: packagist
Packages: billz/raspap-webgui
Source: github
Published: over 1 year ago
High
raspap-webgui: GSA_kwCzR0hTQS03cjg4LXdqaGotanI4bc4AA0-w
RaspAP Command Injection vulnerability
Ecosystems: packagist
Packages: billz/raspap-webgui
Source: github
Published: over 1 year ago
Critical
PowerJob: GSA_kwCzR0hTQS0yaDI2LXFmeG0tcjNwcc4AA08E
Code injection in PowerJob
Ecosystems: maven
Packages: tech.powerjob:powerjob-common
Source: github
Published: over 1 year ago
High
saltcorn: GSA_kwCzR0hTQS13eGYzLTRmdmotdnFxeM4AA067
Unsafe plugins can be installed via pack import by tenant admins
Ecosystems: npm
Packages: @saltcorn/cli
Source: github
Published: over 1 year ago
High
strapi: GSA_kwCzR0hTQS05eGc0LTNxZm0tOXc4Zs4AA04c
Leaking sensitive user information still possible by filtering on private with prefix fields
Ecosystems: npm
Packages: @strapi/utils, @strapi/database
Source: github
Published: over 1 year ago
Moderate
strapi: GSA_kwCzR0hTQS1jaG1yLXJnMmYtOWptZs4AA04b
Making all attributes on a content-type public without noticing it
Ecosystems: npm
Packages: @strapi/database, @strapi/utils, @strapi/strapi
Source: github
Published: over 1 year ago
High
feathers: GSA_kwCzR0hTQS1oaHI5LXJoMjUtaHZmOc4AA00L
Feathers socket handler allows abusing implicit toString
Ecosystems: npm
Packages: @feathersjs/transport-commons, @feathersjs/socketio
Source: github
Published: over 1 year ago
High
grav: GSA_kwCzR0hTQS05NDM2LTNnbXAtNGY1M84AA0zw
grav Server-side Template Injection (SSTI) mitigation bypass
Ecosystems: packagist
Packages: getgrav/grav
Source: github
Published: over 1 year ago
Moderate
decidim: GSA_kwCzR0hTQS00NjloLW1xZzgtNTM1cs4AA0m3
Decidim Cross-site Scripting vulnerability in the external link redirections
Ecosystems: rubygems
Packages: decidim-core, decidim
Source: github
Published: over 1 year ago
High
decidim: GSA_kwCzR0hTQS01NjUyLTkycjktM2Z4Oc4AA0m4
Decidim Cross-site Scripting vulnerability in the processes filter
Ecosystems: rubygems
Packages: decidim-core, decidim
Source: github
Published: over 1 year ago
High
decidim: GSA_kwCzR0hTQS1qbTc5LTlwbTQtdnJ3Oc4AA0m2
Decidim vulnerable to sensitive data disclosure
Ecosystems: rubygems
Packages: decidim-meetings, decidim
Source: github
Published: over 1 year ago
Critical
platform: GSA_kwCzR0hTQS1waDZnLXA3MnYtcGMzcM4AA0m1
Orchid Deserialization of Untrusted Data vulnerability leads to Remote Code Execution
Ecosystems: packagist
Packages: orchid/platform
Source: github
Published: over 1 year ago
Low
vendure: GSA_kwCzR0hTQS1oOXdxLXhjcXgtbXF4bc4AA0m0
Vendure Cross Site Request Forgery vulnerability impacting all API requests
Ecosystems: npm
Packages: @vendure/core
Source: github
Published: over 1 year ago
Low
winter: GSA_kwCzR0hTQS13ancyLTRqN2otNmdjM84AA0fu
Winter CMS stored XSS through privileged upload of SVG file
Ecosystems: packagist
Packages: wintercms/winter
Source: github
Published: over 1 year ago
Low
stylelint: GSA_kwCzR0hTQS1mN3hqLXJnN2gtbWM4N84AA0ft
Stylelint has vulnerability in semver dependency
Ecosystems: npm
Packages: stylelint
Source: github
Published: over 1 year ago
Critical
scipy: GSA_kwCzR0hTQS1qcmZtLTJoODIteGcyOM4AA0e1
Withdrawn: Use after free in SciPy
Ecosystems: pypi
Packages: scipy
Source: github
Published: over 1 year ago
Critical
incubator-streampark: GSA_kwCzR0hTQS1tNWg4LTJwanctdmczas4AA0XS
Apache StreamPark Improper Input Validation vulnerability
Ecosystems: maven
Packages: org.apache.streampark:streampark
Source: github
Published: over 1 year ago
Critical
incubator-streampark: GSA_kwCzR0hTQS02ODc0LTI4OWctZjdoN84AA0XW
Apache StreamPark Path Traversal vulnerability
Ecosystems: maven
Packages: org.apache.streampark:streampark-common_2.11, org.apache.streampark:streampark-common_2.12
Source: github
Published: over 1 year ago
Moderate
vendure: GSA_kwCzR0hTQS1nbTY4LTU3MnAtcTI4cs4AA0Q9
@vendure/admin-ui-plugin authenticated Cross-site Scripting vulnerability
Ecosystems: npm
Packages: @vendure/admin-ui-plugin
Source: github
Published: over 1 year ago
High
Kiwi: GSA_kwCzR0hTQS1qcGd3LTJyOW0tOHFmd84AA0OU
Kiwi TCMS's misconfigured HTTP headers allow stored XSS execution with Firefox
Ecosystems: pypi
Packages: kiwitcms
Source: github
Published: over 1 year ago
Moderate
scipy: GSA_kwCzR0hTQS05ang1LTZwZ2YtY3JycM4AA0N8
Withdrawn: scipy memory leak vulnerability
Ecosystems: pypi
Packages: scipy
Source: github
Published: over 1 year ago