cPanel before 74.0.0 allows arbitrary file-read operations during File Restoration (SEC-436).
cPanel before 71.9980.37 allows arbitrary file-unlink operations via the cPAddons moderation system (SEC-395).
cPanel before 57.9999.54 allows Webmail accounts to execute arbitrary code through forwarders (SEC-121).
cPanel before 57.9999.54 allows demo-mode escape via show_template.stor (SEC-119).
In cPanel before 57.9999.54, /scripts/enablefileprotect exposed TTYs (SEC-117).
cPanel before 55.9999.141 allows unauthenticated arbitrary code execution via DNS NS entry poisoning (SEC-90).
cPanel before 59.9999.145 allows arbitrary code execution due to an incorrect #! in Mail::SPF scripts (SEC-152).
cPanel before 60.0.25 allows file-overwrite operations during preparation for MySQL upgrades (SEC-161).
cPanel before 60.0.25 allows file-create and file-chmod operations during ModSecurity Audit logfile processing (SEC-165).
cPanel before 60.0.25 allows arbitrary file-overwrite operations during a Roundcube update (SEC-164).
cPanel before 11.54.0.4 allows arbitrary code execution via scripts/synccpaddonswithsqlhost (SEC-83).
cPanel before 55.9999.141 allows arbitrary code execution in the context of the root account because of MakeText interpolation (SEC-89).
cPanel before 60.0.25 allows arbitrary file-chown operations via reassign_post_terminate_cruft (SEC-173).
cPanel before 76.0.8 allows remote attackers to execute arbitrary code via mailing-list attachments (SEC-452).
cPanel before 60.0.25 allows arbitrary code execution via Maketext in PostgreSQL adminbin (SEC-188).
cPanel before 58.0.4 allows demo-mode escape via Site Templates and Boxtrapper API calls (SEC-138).
cPanel before 57.9999.54 allows demo accounts to execute arbitrary code via ajax_maketext_syntax_util.pl (SEC-109).
cPanel before 11.54.0.4 allows unauthenticated arbitrary code execution via cpsrvd (SEC-91).
In cPanel before 57.9999.54, /scripts/addpop and /scripts/delpop exposed TTYs (SEC-113).
cPanel before 60.0.25 allows code execution via the cpsrvd 403 error response handler (SEC-191).
The SQLite journal feature in cPanel before 57.9999.54 allows arbitrary file-overwrite operations during Horde Restore (SEC-58).
cPanel before 74.0.8 allows local users to disable the ClamAV daemon (SEC-409).
In cPanel before 71.9980.37, API tokens retain ACLs after those ACLs are removed from the corresponding accounts (SEC-393).
cPanel before 70.0.23 allows demo accounts to execute code via awstats (SEC-362).
cPanel before 74.0.0 allows file-rename operations during account renames (SEC-442).
cPanel before 76.0.8 allows a persistent Virtual FTP accounts after removal of its associated domain (SEC-454).
cPanel before 70.0.23 allows any user to disable Solr (SEC-371).
cPanel before 74.0.8 allows demo accounts to execute arbitrary code via the Fileman::viewfile API (SEC-444).
cPanel before 76.0.8 allows arbitrary code execution in the context of the root account via dnssec adminbin (SEC-465).
cPanel before 74.0.8 allows arbitrary file-write operations in the context of the root account during WHM Force Password Change (SEC-447).
cPanel before 62.0.17 allows arbitrary code execution during account modification (SEC-220).
cPanel before 64.0.21 allows demo accounts to execute code via the ClamScanner_getsocket API (SEC-251).
In cPanel before 67.9999.103, the backup interface could return a backup archive with all MySQL databases (SEC-283).
cPanel before 64.0.21 allows code execution via Rails configuration files (SEC-259).
Open Forms is an application for creating and publishing smart forms. Open Forms supports file uploads as one of the form field types. These fields can be configured to allow only certain file extensions to be uploaded by end users (e.g. only PDF / Excel / ...). The input validation of uploaded files is insufficient in versions prior to 1.0.9 and 1.1.1. Users could alter or strip file extensions to bypass this validation. This results in files being uploaded to the server that are of a different file type than indicated by the file name extension. These files may be downloaded (manually or automatically) by staff and/or other applications for further processing. Malicious files can therefore find their way into internal/trusted networks. Versions 1.0.9 and 1.1.1 contain patches for this issue. As a workaround, an API gateway or intrusion detection solution in front of open-forms may be able to scan for and block malicious content before it reaches the Open Forms application.
In the `@actions/core` npm module before version 1.2.6,`addPath` and `exportVariable` functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment variables being modified without the intention of the workflow or action author. The runner will release an update that disables the `set-env` and `add-path` workflow commands in the near future. For now, users should upgrade to `@actions/core v1.2.6` or later, and replace any instance of the `set-env` or `add-path` commands in their workflows with the new Environment File Syntax. Workflows and actions using the old commands or older versions of the toolkit will start to warn, then error out during workflow execution.
In Helm before versions 2.16.11 and 3.3.2 there is a bug in which the `alias` field on a `Chart.yaml` is not properly sanitized. This could lead to the injection of unwanted information into a chart. This issue has been patched in Helm 3.3.2 and 2.16.11. A possible workaround is to manually review the `dependencies` field of any untrusted chart, verifying that the `alias` field is either not used, or (if used) does not contain newlines or path characters.
In Helm before versions 2.16.11 and 3.3.2 plugin names are not sanitized properly. As a result, a malicious plugin author could use characters in a plugin name that would result in unexpected behavior, such as duplicating the name of another plugin or spoofing the output to `helm --help`. This issue has been patched in Helm 3.3.2. A possible workaround is to not install untrusted Helm plugins. Examine the `name` field in the `plugin.yaml` file for a plugin, looking for characters outside of the [a-zA-Z0-9._-] range.
URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (`\`) character followed by an at (`@`) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL `https://expected-example.com\@observed-example.com` will incorrectly return `observed-example.com` if using an affected version. Patched versions correctly return `expected-example.com`. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]
Strapi before 3.0.2 could allow a remote authenticated attacker to bypass security restrictions because templates are stored in a global variable without any sanitation. By sending a specially crafted request, an attacker could exploit this vulnerability to update the email template for both password reset and account confirmation emails.
In Shopizer before version 2.11.0, using API or Controller based versions negative quantity is not adequately validated hence creating incorrect shopping cart and order total. This vulnerability makes it possible to create a negative total in the shopping cart. This has been patched in version 2.11.0.
<p>A security feature bypass vulnerability exists in SQL Server Reporting Services (SSRS) when the server improperly validates attachments uploaded to reports. An attacker who successfully exploited this vulnerability could upload file types that were disallowed by an administrator.</p> <p>To exploit the vulnerability, an authenticated attacker would need to send a specially crafted request to an affected SSRS server.</p> <p>The update addresses the vulnerability by modifying how SSRS validates attachment uploads.</p>
The Management Web Interface in Palo Alto Networks PAN-OS before 7.0.14 and 7.1.x before 7.1.9 allows remote attackers to write to export files via unspecified parameters.
MantisBT 1.2.12 before 1.2.15 allows authenticated users to by the workflow restriction and close issues.
A vulnerability in configuration modification permissions validation for Cisco Unified Communications Manager could allow an authenticated, remote attacker to perform a horizontal privilege escalation where one user can modify another user's configuration. The vulnerability is due to lack of proper Role Based Access Control (RBAC) when certain user configuration changes are requested. An attacker could exploit this vulnerability by sending an authenticated, crafted HTTP request to the targeted application. An exploit could allow the attacker to impact the integrity of the application where one user can modify the configuration of another user's information. Cisco Bug IDs: CSCve27331. Known Affected Releases: 10.5(2.10000.5), 11.0(1.10000.10), 11.5(1.10000.6).
An access control issue in MantisBT before 1.2.13 allows users with "Reporter" permissions to change any issue to "New".
The user-management page in Cisco WebEx Social relies on client-side validation of values in the Screen Name, First Name, Middle Name, Last Name, Email Address, and Job Title fields, which allows remote authenticated users to bypass intended access restrictions via crafted requests, aka Bug ID CSCue67190.
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
Python discord bot is the community bot for the Python Discord community. In affected versions when a non-blacklisted URL and an otherwise triggering filter token is included in the same message the token filter does not trigger. This means that by including any non-blacklisted URL moderation filters can be bypassed. This issue has been resolved in commit 67390298852513d13e0213870e50fb3cff1424e0
A vulnerability in the web interface of Cisco Prime Collaboration Provisioning Software (prior to Release 11.1) could allow an authenticated, remote attacker to delete any file from an affected system. The vulnerability exists because the affected software does not perform proper input validation of HTTP requests and fails to apply role-based access controls (RBACs) to requested HTTP URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request that uses directory traversal techniques to submit a path to a desired file location on an affected system. A successful exploit could allow the attacker to delete any file from the system. Cisco Bug IDs: CSCvc99618.