wedosoftware / fileconvert Goto Github PK

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/207703

Adobe Connect versions 9.6.1 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to a stored cross-site scripting attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91927

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98102

Adobe Connect versions 9.7 and earlier have an exploitable OS Command Injection. Successful exploitation could lead to arbitrary file deletion.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/106692

Adobe Connect versions 9.7.5 and earlier have an Insecure Library Loading vulnerability. Successful exploitation could lead to privilege escalation.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/110694

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/207747

The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via shortcutMatch in fromUrl().

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/212316

Cross-site scripting (XSS) vulnerability in base_local_rules.php in Basic Analysis and Security Engine (BASE) before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/48668

Cross-site scripting (XSS) vulnerability in admin/home/homepage/search in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/9500

Adobe Connect version 11.0.7 (and earlier) is affected by an Input Validation vulnerability in the export feature. An attacker could exploit this vulnerability by injecting a payload into the registration form and achieve arbitrary code execution in the context of the admin account.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/211867

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/207742

Adobe Connect versions 9.7 and earlier have an exploitable unrestricted SWF file upload vulnerability. Successful exploitation could lead to information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/106691

Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious JavaScript content that may be executed within the context of the victim's browser when they browse to the page containing the vulnerable field.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/211864

Directory traversal vulnerability in KGB Archiver before 1.1.5.22 allows remote attackers to overwrite arbitrary files wile decompressing an archive, possibly due to directory traversal sequences in a filename.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/64497

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/140477

URI.js is a javascript URL mutation library (npm package urijs). In URI.js before version 1.19.4, the hostname can be spoofed by using a backslash (\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect. Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior. For example the URL https://expected-example.com\@observed-example.com will incorrectly return observed-example.com if using an affected version. Patched versions correctly return expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class. Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.]

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/205123

Unspecified vulnerability in base_local_rules.php in Basic Analysis and Security Engine (BASE) before 1.4.4 allows remote attackers to include arbitrary local files via unknown vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/48670

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/128473

Tools/gdomap.c in gdomap in GNUstep Base 1.24.6 and earlier, when run in daemon mode, does not properly handle the file descriptor for the logger, which allows remote attackers to cause a denial of service (abort) via an invalid request.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/18079

rc before 1.7.1-5 insecurely creates temporary files.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/138117

Untrusted search path vulnerability in the installer in Adobe Connect Add-In before 11.9.976.291 on Windows allows local users to gain privileges via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/5575

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A UI Redress (or Clickjacking) vulnerability exists. This issue has been resolved by adding a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98104

Adobe Connect version 11.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/186169

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A Server-Side Request Forgery (SSRF) vulnerability exists that could be abused to bypass network access controls.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98105

Cross-site request forgery (CSRF) vulnerability in Adobe Connect before 9.5.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/2622

This affects all versions of package com.squareup:connect.
The method prepareDownloadFilecreates creates a temporary file with the permissions bits of -rw-r--r-- on unix-like systems. On unix-like systems, the system temporary directory is shared between users. As such, the contents of the file downloaded by downloadFileFromResponse will be visible to all other users on the local system.

A workaround fix for this issue is to set the system property java.io.tmpdir to a safe directory as remediation.

Note: This version of the SDK is end of life and no longer maintained, please upgrade to the latest version.


Read more at Debricked: https://app.debricked.com/en/service/vulnerability/209608

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/204989

Adobe Connect versions 9.8.1 and earlier have a session token exposure vulnerability. Successful exploitation could lead to exposure of the privileges granted to a session.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/117946

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/206561

Adobe Connect versions 9.6.1 and earlier have a reflected cross-site scripting vulnerability. Successful exploitation could lead to a reflected cross-site scripting attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91926

Adobe Connect before 9.5.2 allows remote attackers to spoof the user interface via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/2624

SQL injection vulnerability in Basic Analysis and Security Engine (BASE) before 1.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/48669

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98101

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/128474

Adobe Connect versions 9.7.5 and earlier have an exploitable Authentication Bypass vulnerability. Successful exploitation could lead to sensitive information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/106716

Adobe Connect before 9.5.2 allows remote attackers to have an unspecified impact via a crafted parameter in a URL.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/2623

Untrusted search path vulnerability in the installers of multiple SEIKO EPSON products allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187822

A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/212619

A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/174036

Adobe Connect version 11.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this vulnerability to inject malicious JavaScript content that may be executed within the context of the victim's browser when they browse to the page containing the vulnerable field.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/211865

Adobe Connect versions 9.6.1 and earlier have a clickjacking vulnerability. Successful exploitation could lead to a clickjacking attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91925

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative path.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/210743

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions. If serialized data of regular expression objects are used in an environment other than Node.js, it is affected by this vulnerability.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/138877

Sencha Labs Connect has XSS with connect.methodOverride()

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/140135

An issue was discovered in the through crate through 2021-02-18 for Rust. There is a double free (in through and through_and) upon a panic of the map function.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/212772

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/156954

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/173421

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98103

socket.io-parser before 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/206562

Cross-site scripting (XSS) vulnerability in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/9501