wedosoftware / status-check Goto Github PK

index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/100552

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187411

SQL injection vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to execute SQL commands and read table information via the id parameter.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/51355

Cross-site scripting (XSS) vulnerability in Slashdot Like Automated Storytelling Homepage (Slash) (aka Slashcode) R_2_5_0_94 and earlier allows remote attackers to inject arbitrary web script or HTML via the userfield parameter.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/51658

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208178

set-value is vulnerable to Prototype Pollution in versions lower than 3.0.1. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using any of the constructor, prototype and proto payloads.

Read more at Debricked: http://app.debricked.com/en/service/vulnerability/128474

MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/176801

MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/176800

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/118908

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208194

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/125359

Adobe Connect versions 9.6.1 and earlier have a clickjacking vulnerability. Successful exploitation could lead to a clickjacking attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91925

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/117993

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/210288

The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/122064

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187408

In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.13;Drupal 8.5 versions prior to 8.5.14. Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/120102

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/104188

SQL injection vulnerability in Basic Analysis and Security Engine (BASE) before 1.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/48669

This affects the package npm-user-validate before 1.0.1.
The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.


Read more at Debricked: https://app.debricked.com/en/service/vulnerability/185071

Prototype pollution vulnerability in 'cache-base' versions 0.7.0 through 4.0.0 allows attacker to cause a denial of service and may lead to remote code execution.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/204989

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/176856

Adobe Connect versions 9.6.1 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to a stored cross-site scripting attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91927

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/128473

All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/210290

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/110588

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208188

Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/178500

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208230

Cross-site scripting (XSS) vulnerability in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/9501

Adobe Connect versions 9.6.1 and earlier have a reflected cross-site scripting vulnerability. Successful exploitation could lead to a reflected cross-site scripting attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91926

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/183903

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208196

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187412

Cross-site scripting (XSS) vulnerability in admin/home/homepage/search in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/9500

Kaseya Traverse before 9.5.20 allows OS command injection attacks against user accounts, associated with a Netflow Top Applications reporting API call. This is exploitable by an authenticated attacker who submits a modified JSON field within POST data.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/146009

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/208192

MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/176802

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A UI Redress (or Clickjacking) vulnerability exists. This issue has been resolved by adding a feature that enables Connect administrators to protect users from UI redressing (or clickjacking) attacks.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98104

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/139915

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/122453

mixin-deep is vulnerable to Prototype Pollution in versions before 1.3.2 and version 2.0.0. The function mixin-deep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/128473

All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) [DNP] via trim().

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/185064

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98103

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/187532

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A reflected cross-site scripting vulnerability exists that can result in information disclosure.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98101

An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A Server-Side Request Forgery (SSRF) vulnerability exists that could be abused to bypass network access controls.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/98105

All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/217918

Adobe Connect versions 9.6.1 and earlier have a stored cross-site scripting vulnerability. Successful exploitation could lead to a stored cross-site scripting attack.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/91927

In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9; A remote code execution vulnerability exists in PHP's built-in phar stream wrapper when performing file operations on an untrusted phar:// URI. Some Drupal code (core, contrib, and custom) may be performing file operations on insufficiently validated user input, thereby being exposed to this vulnerability. This vulnerability is mitigated by the fact that such code paths typically require access to an administrative permission or an atypical configuration.

Read more at Debricked: https://app.debricked.com/en/service/vulnerability/118000