| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization. |
| A privilege escalation detected in flintcms versions <= 1.1.9 allows account takeover due to blind MongoDB injection in password reset. |
| A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. |
| A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. |
| active-support ruby gem 5.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system. |
| Improper authorization in aedes version <0.35.0 will publish a LWT in a channel when a client is not authorized. |
| Insufficient URI encoding in restforce before 3.0.0 allows attacker to inject arbitrary parameters into Salesforce API requests. |
| Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. |
| Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication. |
| Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol. |
| There is a stored Cross-Site Scripting vulnerability in Open Graph meta properties read by the `metascrape` npm module <= 3.9.2. |
| Concatenating unsanitized user input in the `whereis` npm module < 0.4.1 allowed an attacker to execute arbitrary commands. The `whereis` module is deprecated and it is recommended to use the `which` npm module instead. |
| An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser. |
| A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files. |
| ruby-grape ruby gem suffers from a cross-site scripting (XSS) vulnerability via "format" parameter. |
| `memjs` versions <= 1.1.0 allocates and stores buffers on typed input, resulting in DoS and uninitialized memory usage. |
| Path traversal in buttle module versions <= 0.2.0 allows to read any file in the server. |
| In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. |
| In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. |
| Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to. |
