Roundcube Webmail versions before 1.5.13 and 1.6.x before 1.6.13 fail to block SVG feImage elements when the "Block remote images" security feature is enabled, allowing attackers to bypass the protection and load remote content. This remote image bypass could enable tracking, information disclosure, or facilitate phishing attacks against users who rely on this feature to prevent remote content loading. No patch is currently available for this medium-severity vulnerability.
Corrupted Git pack and index files are not properly validated in go-git versions before 5.16.5, allowing an attacker to supply malicious packfiles that bypass integrity checks and cause go-git to consume corrupted data. This can result in unexpected application errors and denial of service conditions for any system using the vulnerable go-git library to fetch or process Git repositories. The vulnerability requires user interaction to fetch from a malicious or compromised Git source.
A vulnerability was detected in rachelos WeRSS we-mp-rss up to 1.4.8. This issue affects some unknown processing of the file core/auth.py of the component JWT Handler. Performing a manipulation of the argument SECRET_KEY results in use of default cryptographic key. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is assessed as difficult...
Path traversal in rachelos WeRSS plugin versions up to 1.4.8 allows authenticated remote attackers to access arbitrary files through manipulation of the filename parameter in the download_export_file function. Public exploit code exists for this vulnerability. The issue requires valid credentials but has a low complexity attack surface, affecting file confidentiality without requiring user interaction.
A vulnerability was identified in CCExtractor versions up to 183. is affected by buffer overflow (CVSS 3.3).
A security vulnerability has been detected in AprilRobotics apriltag versions up to 3.4.5. is affected by buffer overflow (CVSS 3.3).
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product lacks HSTS (HTTP Strict Transport Security) configuration.
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Physical paths could be displayed on web pages.
Improper permission enforcement in Checkmk versions 2.4.0 versions up to 2.4.0 is affected by missing authorization.
Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'Facebook' parameter in '/loggrodemo/jbrain/ConsultaTerceros' endpoint.
Stored Cross-Site Scripting (XSS) vulnerability in Loggro Pymes, via the 'descripción' parameter in the '/loggrodemo/jbrain/MaestraCuentasBancarias' endpoint.
DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack.
captive browser, a dedicated Chrome instance to log into captive portals without messing with DNS settings.