Timeline
2021-04-08 03:58:58 Well-known component CVE monitoring
2021-04-07 08:00:56 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API.

2021-04-07 08:00:55 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values.

2021-04-07 07:59:06 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discover the subject of a non-visible issue by performing a CSV export and reading time entries.

2021-04-07 07:59:05 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile inline links.

2021-04-07 07:59:03 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url field.

2021-04-07 07:58:59 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data during Textile formatting.

2021-04-06 11:58:56 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: 用友

2021-04-03 18:09:14 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also supports specifying a URI from which to retrieve a JWT token via the "request_uri" parameter. CXF was not validating the "request_uri" parameter (apart from ensuring it uses "https") and was making a REST request to the parameter in the request to retrieve a token. This means that CXF was vulnerable to DDoS attacks on the authorization server, as specified in section 10.4.1 of the spec. This issue affects Apache CXF versions prior to 3.4.3; Apache CXF versions prior to 3.3.10.

2021-04-03 18:09:06 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.

2021-04-03 18:09:01 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.

2021-04-03 18:08:53 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.

2021-04-03 18:08:49 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.

2021-04-03 18:08:43 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above, allowing an authenticated user to delete incident metric images of public projects.

2021-04-03 18:08:40 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6, where an infinite loop exists when an authenticated user with specific rights accesses an MR whose source and target branches point to each other.

2021-04-03 18:08:33 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site scripting vulnerability in merge requests via a specifically crafted branch name.

2021-04-02 22:04:23 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
Client-side code execution in gitlab-vscode-extension v3.15.0 and earlier allows an attacker to execute code on the user's system.

2021-04-02 22:04:19 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via a gitlab-shell command.

2021-04-02 22:04:02 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Django
django-registration is a user registration package for Django. The django-registration package provides tools for implementing user-account registration flows in the Django web framework. In django-registration prior to 3.1.2, the base user-account registration view did not properly apply filters to sensitive data, with the result that sensitive data could be included in error reports rather than removed automatically by Django. Triggering this requires: a site is using django-registration < 3.1.2, the site has detailed error reports (such as Django's emailed error reports to site staff/developers) enabled, and a server-side error (HTTP 5xx) occurs during an attempt by a user to register an account. Under these conditions, recipients of the detailed error report will see all submitted data from the account-registration attempt, which may include the user's proposed credentials (such as a password).

2021-04-02 02:02:54 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Docker
BTCPay Server before 1.0.7.1 mishandles the policy setting in which users can register (in Server Settings > Policies). This affects Docker use cases in which a mail server is configured.

2021-04-02 02:02:52 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Synology DiskStation
Improper neutralization of special elements used in an OS command in SYNO.Core.Network.PPPoE in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via the realname parameter.

2021-04-02 02:02:40 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jira
The SetFeatureEnabled.jspa resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to enable and disable Jira Software configuration via a cross-site request forgery (CSRF) vulnerability.

2021-04-02 02:02:14 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: F5
When using BIG-IP APM 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, or all 12.1.x and 11.6.x versions, or Edge Client versions 7.2.1.x before 7.2.1.1, 7.1.9.x before 7.1.9.8, or 7.1.8.x before 7.1.8.5, the session ID is visible in the arguments of the f5vpn.exe command when the VPN is launched from the browser on a Windows system. Addressing this issue requires both the client and server fixes. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

2021-04-02 02:02:06 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Elasticsearch
On all 7.x and 6.x versions (fixed in 8.0.0), the BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch for transport is unencrypted. Note: Software versions which have reached End of Software Development (EoSD) are not evaluated.

2021-04-02 02:01:27 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jira
The membersOf JQL search function in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a group exists and the members of groups if they are assigned to a publicly visible issue field.

2021-04-02 02:01:25 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jira
The /rest/api/1.0/render resource in Jira Server and Data Center before version 8.5.13, from version 8.6.0 before version 8.13.5, and from version 8.14.0 before version 8.15.1 allows remote anonymous attackers to determine if a username is valid or not via a missing permissions check.

2021-04-01 06:05:24 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later.

2021-04-01 06:05:01 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A cross-site request forgery (CSRF) vulnerability in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

2021-04-01 06:04:59 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

2021-04-01 06:04:57 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A missing permission check in Jenkins Team Foundation Server Plugin 5.157.1 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

2021-04-01 06:04:55 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins REST List Parameter Plugin 1.3.0 and earlier does not escape a parameter name reference in embedded JavaScript, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

2021-04-01 06:04:54 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Jabber (XMPP) notifier and control Plugin 1.41 and earlier stores passwords unencrypted in its global configuration file on the Jenkins controller, where they can be viewed by users with access to the Jenkins controller file system.

2021-04-01 06:04:51 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A cross-site request forgery (CSRF) vulnerability in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

2021-04-01 06:04:49 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A missing permission check in Jenkins OWASP Dependency-Track Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL, capturing credentials stored in Jenkins.

2021-04-01 06:04:47 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Cloud Statistics Plugin 0.26 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission and knowledge of random activity IDs to view related provisioning exception error messages.

2021-04-01 06:04:45 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

2021-04-01 06:04:43 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
A cross-site request forgery (CSRF) vulnerability in Jenkins Build With Parameters Plugin 1.5 and earlier allows attackers to build a project with attacker-specified parameters.

2021-04-01 06:04:41 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Jenkins
Jenkins Build With Parameters Plugin 1.5 and earlier does not escape parameter names and descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

2021-03-31 10:02:31 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2.

2021-03-29 18:01:13 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Redmine
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto-complete tip.

2021-03-28 02:02:43 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
In all versions of GitLab starting from 13.7, marshalled session keys were being stored in Redis.

2021-03-28 02:02:42 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.

2021-03-28 02:02:39 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytics pages.

2021-03-28 02:02:38 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page.

2021-03-28 02:02:37 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
OAuth2-Proxy is an open source reverse proxy that provides authentication with Google, GitHub or other providers. The `--gitlab-group` flag for group-based authorization in the GitLab provider stopped working in the v7.0.0 release. Regardless of the flag settings, authorization wasn't restricted. Additionally, any authenticated user had whichever groups were set in `--gitlab-group` added to the new `X-Forwarded-Groups` header to the upstream application. While adding GitLab project-based authorization support in #630, a bug was introduced where the user session's groups field was populated with the `--gitlab-group` config entries instead of pulling the individual user's group membership from the GitLab Userinfo endpoint. When the session groups were compared against the allowed groups for authorization, they matched improperly (since both lists were populated with the same data), so authorization was allowed. This impacts GitLab Provider users who rely on group membership for author

2021-03-28 02:02:35 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Kong
In github.com/kongchuanhujiao/server before version 1.3.21 there is an Authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21.

2021-03-27 06:02:03 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: OpenAm
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

2021-03-27 06:01:16 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: Apache
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

2021-03-26 10:02:59 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for a private project.

2021-03-26 10:02:57 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2, allowing unauthorized authenticated users to execute arbitrary code on the server.

2021-03-26 10:02:57 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners.

2021-03-26 10:02:56 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially crafted commit to a wiki.

2021-03-26 10:02:54 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to an SSRF attack through the Outbound Requests feature.

2021-03-26 10:02:52 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab affecting all versions starting from 13.2. GitLab was vulnerable to an SSRF attack through the Prometheus integration.

2021-03-26 10:02:51 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests.

2021-03-26 10:02:50 Well-known component CVE monitoring
A new vulnerable component has been found, component ID: GitLab
An issue was identified in GitLab EE 13.4 or later which leaked an internal IP address via error messages.