wedosoftware / lightningapp Goto Github PK

Drupal core 7.x versions before 7.57 when using Drupal's private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability. This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/102060

Cross-site scripting (XSS) vulnerability in pubnames.ntf (aka the Directory template) in the web server in IBM Domino before 9.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYH8WBPRN.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/10872

htcgibin.exe in Lotus Domino server 5.0.9a and earlier allows remote attackers to determine the physical pathname for the server via requests that contain certain MS-DOS device names such as com5, such as (1) a request with a .pl or .java extension, or (2) a request containing a large number of periods, which causes htcgibin.exe to leak the pathname in an error message.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/83592

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187407

Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka image2) plugin for CKEditor (in versions 4.5.10 through 4.9.1; fixed in 4.9.2), as used in Drupal 8 before 8.4.7 and 8.5.x before 8.5.2 and other products, allows remote attackers to inject arbitrary web script through a crafted IMG element.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/105625

The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views module in Drupal 8.x before 8.1.3 might allow remote authenticated users to bypass intended access restrictions and obtain sensitive Statistics information via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/7089

The User module in Drupal 7.x before 7.44 allows remote authenticated users to gain privileges via vectors involving contributed or custom code that triggers a rebuild of the user profile form.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/7088

Unspecified vulnerability in Cisco IOS 12.0 through 12.4 allows context-dependent attackers to cause a denial of service (device restart and BGP routing table rebuild) via certain regular expressions in a "show ip bgp regexp" command. NOTE: unauthenticated remote attacks are possible in environments with anonymous telnet and Looking Glass access.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/60734

In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability in the entity access system that could allow unwanted access to view, create, update, or delete entities. This only affects entities that do not use or do not have UUIDs, and entities that have different access restrictions on different revisions of the same entity.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/117593

Drupal core 8 before versions 8.3.4 allows remote attackers to execute arbitrary code due to the PECL YAML parser not handling PHP objects safely during certain operations.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/111413

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/207188

htcgibin.exe in Lotus Domino server 5.0.9a and earlier, when configured with the NoBanner setting, allows remote attackers to determine the version number of the server via a request that generates an HTTP 500 error code, which leaks the version in a hard-coded error message.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/83593

This affects the package madge before 4.0.1. It is possible to specify a custom Graphviz path via the graphVizPath option parameter which when the .image(), .svg() or .dot() functions are called, is executed by the childprocess.exec function.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/211596

HCL Domino is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input. A remote unauthenticated attacker could exploit this vulnerability using a specially-crafted email message to hang the server. Versions previous to releases 9.0.1 FP10 IF6, 10.0.1 FP5 and 11.0.1 are affected.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187743

Drupal 8.x before 8.1.10 does not properly check for "Administer comments" permission, which allows remote authenticated users to set the visibility of comments for arbitrary nodes by leveraging rights to edit those nodes.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/8009

In Materialize through 1.0.0, XSS is possible via the Tooltip feature.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/120749

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/211439

The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/4503

In jQuery before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

This problem is patched in jQuery 3.5.0.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/157211

In Drupal 8 prior to 8.3.4; The file REST resource does not properly validate some fields when manipulating files. A site is only affected by this if the site has the RESTful Web Services (rest) module enabled, the file REST resource is enabled and allows PATCH requests, and an attacker can get or register a user account on the site with permissions to upload files and to modify the file resource.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/117599

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208187

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-11358. Reason: This candidate is a duplicate of CVE-2019-11358. Notes: All CVE users should reference CVE-2019-11358 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/121363

In jQuery before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/157227

sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar program for establishing a secure tunnel for intranet testing. sauce-connect downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/107248

In Materialize through 1.0.0, XSS is possible via the Autocomplete feature.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/120750

PHP remote file inclusion vulnerability in index.php in Nayco JASmine (aka Jasmine-Web) allows remote attackers to execute arbitrary PHP code via an FTP URL in the section parameter.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/68100

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/183903