| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The "gitDiff" function in Wayfair git-parse <=1.0.4 has a command injection vulnerability. Clients of the git-parse library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. The issue has been resolved in version 1.0.5. |
| The gitlog function in src/index.ts in gitlog before 4.0.4 has a command injection vulnerability. |
| Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts with "/\\example.com". |
| Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name (IDN) which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option. |
| The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool. |
| The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool. |
| The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connection request after exhausting memory pool. |
| Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function. |
| Directory Traversal vulnerability in Foddy node-red-contrib-huemagic version 3.0.0, allows remote attackers to gain sensitive information via crafted request in res.sendFile API in hue-magic.js. |
| EPrints 3.4.2 allows remote attackers to execute OS commands via crafted LaTeX input to a cgi/cal?year= URI. |
| EPrints 3.4.2 exposes a reflected XSS opportunity in the via a cgi/cal URI. |
| Various Vembu products allow an attacker to execute a (non-blind) http-only Cross Site Request Forgery (Other products or versions of products in this family may be affected too.) |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server. |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges. |
| In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands. |
| Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution. |
| Azure RTOS Information Disclosure Vulnerability |
| Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability |
| Windows HTTP.sys Elevation of Privilege Vulnerability |
| Storage Spaces Controller Elevation of Privilege Vulnerability |
