An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 24,784
With Dependabot PRs: 1,792
Critical Severity: 3,506
High Severity: 8,617

Blind SSRF Leads to Port Scan by using Webhooks
GHSA-74p6-39f2-23v3 CVE-2024-29035 MODERATE over 1 year ago
### Impact Failing webhooks logs are available when solution is not in debug mode. Those logs can contain information that is critical. ### Affec...
nuget
No PRs yet
MSAL.NET applications targeting Xamarin Android and .NET Android (MAUI) susceptible to local denial of service
GHSA-x674-v45j-fwxw CVE-2024-27086 LOW over 1 year ago
>[!IMPORTANT] >**ONLY** applications targeting Xamarin Android and .NET Android (MAUI) are impacted. All others can safely dismiss this CVE. ### I...
nuget
No PRs yet
SixLabors.ImageSharp vulnerable to data leakage
GHSA-5x7m-6737-26cr CVE-2024-32036 MODERATE over 1 year ago
### Impact A data leakage flaw was found in ImageSharp's JPEG and TGA decoders. This vulnerability is triggered when an attacker passes a specially...
nuget
No PRs yet
SixLabors.ImageSharp vulnerable to Memory Allocation with Excessive Size Value
GHSA-g85r-6x2q-45w7 CVE-2024-32035 MODERATE over 1 year ago
### Impact A vulnerability discovered in the ImageSharp library, where the processing of specially crafted files can lead to excessive memory usag...
nuget
No PRs yet
Sensitive query parameters logged by default in OpenTelemetry.Instrumentation http and AspNetCore
GHSA-vh2m-22xx-q94f CVE-2024-32028 MODERATE over 1 year ago
## Impact `OpenTelemetry.Instrumentation.Http` writes the `url.full` attribute/tag on spans (`Activity`) when tracing is enabled for outgoing http...
nuget
No PRs yet
Azure Identity Library for .NET Information Disclosure Vulnerability
GHSA-wvxc-855f-jvrv CVE-2024-29992 MODERATE over 1 year ago
Azure Identity Library for .NET Information Disclosure Vulnerability
nuget
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
GHSA-438c-3975-5x3f CVE-2024-29203 MODERATE over 1 year ago
### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content insertion...
npm nuget packagist
No PRs yet
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
GHSA-5359-pvf2-pw78 CVE-2024-29881 MODERATE over 1 year ago
### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s content loading a...
npm nuget packagist
No PRs yet
WiX based installers are vulnerable to binary hijack when run as SYSTEM
GHSA-rf39-3f98-xr7r CVE-2024-29187 HIGH over 1 year ago
### Summary Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected a...
nuget
No PRs yet
Malicious directory junction can cause WiX RemoveFoldersEx to possibly delete elevated files
GHSA-jx4p-m4wm-vvjg CVE-2024-29188 HIGH over 1 year ago
### Summary The custom action behind WiX's `RemoveFolderEx` functionality could allow a standard user to delete protected directories. ### Details...
nuget
No PRs yet
WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM
GHSA-g4v6-69p6-q3p4 HIGH over 1 year ago
# Summary Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected ag...
nuget
No PRs yet
WiX Burn-based bundles are vulnerable to binary hijack when run as SYSTEM
GHSA-wq88-fq4x-h2pm HIGH over 1 year ago
# Summary Burn uses an unprotected C:\Windows\Temp directory to copy binaries and run them from there. This directory is not entirely protected ag...
nuget
No PRs yet
Umbraco possible user enumeration
GHSA-552f-97wf-pmpq CVE-2024-28868 LOW over 1 year ago
### Impact A user enumeration attack is possible. ### Affected versions Umbraco 10 with access to the native login screen ### Patches This is fix...
nuget
1 Dependabot PR, 100% merged
CoreWCF NetFraming based services can leave connections open when they should be closed
GHSA-32jq-mv89-5rx7 CVE-2024-28252 HIGH over 1 year ago
### Impact If you have a NetFraming based CoreWCF service, extra system resources could be consumed by connections being left established instead o...
nuget
No PRs yet
Remote Denial of Service Vulnerability in Microsoft QUIC
GHSA-2x7m-gf85-3745 HIGH over 1 year ago
### Impact The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service. ### Patches The following ...
nuget
No PRs yet
Microsoft Security Advisory CVE-2024-21392: .NET Denial of Service Vulnerability
GHSA-5fxj-whcv-crrc CVE-2024-21392 HIGH over 1 year ago
# Microsoft Security Advisory CVE-2024-21392: .NET Denial of Service Vulnerability ## Executive summary Microsoft...
nuget
No PRs yet
Use After Free in SixLabors.ImageSharp
GHSA-65x7-c272-7g7r CVE-2024-27929 HIGH over 1 year ago
### Impact A heap-use-after-free flaw was found in ImageSharp's InitializeImage() function of PngDecoderCore.cs file. This vulnerability is trigger...
nuget
No PRs yet
FullStackHero's WebAPI Boilerplate host header injection vulnerability
GHSA-75x2-6h4m-h6mx CVE-2024-26470 MODERATE over 1 year ago
A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to l...
nuget
No PRs yet
Cross-site Scripting in Serenity
GHSA-5jjq-8cvj-v6m9 CVE-2024-26318 MODERATE almost 2 years ago
Serenity before 6.8.0 allows XSS via an email link because LoginPage.tsx permits return URLs that do not begin with a / character.
npm nuget
No PRs yet
NuGet Client Security Feature Bypass Vulnerability
GHSA-68w7-72jg-6qpp CVE-2024-0057 CRITICAL almost 2 years ago
### Description Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 7.0 and .NET 8.0. This...
nuget
No PRs yet
Microsoft Security Advisory CVE-2024-21386: .NET Denial of Service Vulnerability
GHSA-g74q-5xw3-j7q9 CVE-2024-21386 CRITICAL almost 2 years ago
# Microsoft Security Advisory CVE-2024-21386: .NET Denial of Service Vulnerability ## Executive summary Microsoft is releasing this security advi...
nuget
No PRs yet
PanelSwWix4.Sdk .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges
GHSA-8v28-3g86-chj5 HIGH almost 2 years ago
# Summary .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. # Details If the bundle is no...
nuget
No PRs yet
Panel::Software Customized WiX .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges
GHSA-259p-rvjx-ffwg HIGH almost 2 years ago
# Summary .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. # Details If the bundle is no...
nuget
No PRs yet
WiX Toolset's .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges
GHSA-7wh2-wxc7-9ph5 CVE-2024-24810 HIGH almost 2 years ago
### Summary .be TEMP folder is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges. ### Details If the bundle is ...
nuget
No PRs yet
.NET Information Disclosure Vulnerability
GHSA-vh55-786g-wjwj CVE-2022-34716 MODERATE almost 2 years ago
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provid...
nuget
No PRs yet
PowerShell is subject to remote code execution vulnerability
GHSA-jcmq-5rrv-j2g4 HIGH almost 2 years ago
# Microsoft Security Advisory CVE-2020-0605: .NET Framework Remote Code Execution Vulnerability ## Executive Summary A remote code execution vuln...
nuget
No PRs yet
TrueLayer.Client SSRF when fetching payment or payment provider
GHSA-67m4-qxp3-j6hh CVE-2024-23838 HIGH almost 2 years ago
### Impact The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API c...
nuget
No PRs yet
Microsoft ASP.NET Core project templates vulnerable to denial of service
GHSA-59j7-ghrg-fj52 CVE-2024-21319 MODERATE almost 2 years ago
A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows...
nuget
16 Dependabot PRs
Microsoft.Data.SqlClient and System.Data.SqlClient vulnerable to SQL Data Provider Security Feature Bypass
GHSA-98g6-xh36-x2p7 CVE-2024-0056 HIGH almost 2 years ago
Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability
nuget
19 Dependabot PRs, 22% merged
Microsoft.IdentityModel.Protocols.SignedHttpRequest remote code execution vulnerability
GHSA-rv9j-c866-gp5h CVE-2024-21643 HIGH almost 2 years ago
### Impact _What kind of vulnerability is it? Who is impacted?_ Anyone leveraging the `SignedHttpRequest` protocol or the `SignedHttpRequestValidato...
nuget
No PRs yet
OWASP.AntiSamy mXSS when preserving comments
GHSA-8x6f-956f-q43w CVE-2023-51652 MODERATE almost 2 years ago
# Impact There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subj...
nuget
No PRs yet
Snowflake Connector .NET does not properly check the Certificate Revocation List (CRL)
GHSA-hwcc-4cv8-cf3h CVE-2023-51662 MODERATE almost 2 years ago
### Issue Snowflake recently received a report about a vulnerability in the Snowflake Connector .NET where the checks against the Certificate Revoc...
nuget
No PRs yet
Stored XSS via SVG File Upload
GHSA-6xmx-85x3-4cv2 CVE-2023-49279 LOW almost 2 years ago
#### Impact A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media di...
nuget
No PRs yet
Brute force exploit can be used to collect valid usernames
GHSA-7x74-h8cw-qhxq CVE-2023-49278 LOW almost 2 years ago
#### Impact A brute force exploit that can be used to collect valid usernames is possible. #### Explanation of the vulnerability It's a brute for...
nuget
No PRs yet
SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.
GHSA-8qp8-9rpw-j46c CVE-2023-49274 LOW almost 2 years ago
#### Impact A user enumeration attack is possible when SMTP is not setup correctly, but reset password is enabled #### Explanation of the vulnerab...
nuget
3 Dependabot PRs
Privilege Escalation using Spoofing
GHSA-cfr5-7p54-4qg8 CVE-2023-49273 MODERATE almost 2 years ago
#### Impact Users with low privileges (Editor, etc.) are able to access some unintended endpoints. #### Explanation of the vulnerability Possible...
nuget
3 Dependabot PRs
Using the directory back payload (“/../”) in a package name allows placement of package in other folders.
GHSA-6324-52pr-h4p5 CVE-2023-49089 LOW almost 2 years ago
#### Impact Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. #### E...
nuget
3 Dependabot PRs
DOM-XSS on Backoffice login screen.
GHSA-v98m-398x-269r CVE-2023-48313 MODERATE almost 2 years ago
#### Impact Cross-site scripting (XSS) enables attackers to bring malicious content into a website or application. #### Explanation of the vulnerab...
nuget
3 Dependabot PRs
Backoffice User can bypass "Publish" restriction
GHSA-335x-5wcm-8jv2 CVE-2023-48227 LOW almost 2 years ago
#### Impact Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios. #### Explanation ...
nuget
No PRs yet
Possible injection of HTML into user invite mails
GHSA-xxc6-35r7-796w CVE-2023-38694 LOW almost 2 years ago
#### Impact A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. #### Explana...
nuget
No PRs yet
Stale copy of the public suffix list
GHSA-w4x6-hh3x-wjrx LOW almost 2 years ago
We have identified that this project contains an out-of-date version of the Public Suffix List (https://publicsuffix.org/). We are carrying out res...
nuget
No PRs yet
pubnub Insufficient Entropy vulnerability
GHSA-5844-q3fc-56rh CVE-2023-26154 MODERATE almost 2 years ago
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versi...
cargo go maven +6 more
No PRs yet
Ajax Pro Cross-site Scripting
GHSA-8v6j-gc74-fmpp CVE-2023-49289 MODERATE almost 2 years ago
### Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of ar...
nuget
No PRs yet
Exposure of Sensitive Information in Elastic APM .NET Agent
GHSA-hx93-gc73-5rpr CVE-2021-22143 LOW about 2 years ago
The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent...
nuget
No PRs yet
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
GHSA-v626-r774-j7f8 CVE-2023-48219 MODERATE about 2 years ago
### Impact A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by...
npm nuget packagist
No PRs yet
Microsoft Security Advisory CVE-2023-36049: .NET Elevation of Privilege Vulnerability
GHSA-c3hf-8vgx-72rh CVE-2023-36049 HIGH about 2 years ago
# Microsoft Security Advisory CVE-2023-36049: .NET Elevation of Privilege Vulnerability ## Executive summary Micr...
nuget
No PRs yet
Microsoft Security Advisory CVE-2023-36558: .NET Security Feature Bypass Vulnerability
GHSA-3fx3-85r4-8j3w CVE-2023-36558 MODERATE about 2 years ago
# Microsoft Security Advisory CVE-2023-36558: .NET Security Feature Bypass Vulnerability ## Executive summary Mic...
nuget
No PRs yet
TinyMCE XSS vulnerability in notificationManager.open API
GHSA-hgqx-r2hp-jr38 CVE-2023-45819 MODERATE about 2 years ago
### Impact A [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) vulnerability was discovered in TinyMCE’s Notification Mana...
npm nuget packagist
No PRs yet
TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
GHSA-v65r-p3vv-jjfv CVE-2023-45818 MODERATE about 2 years ago
### Impact A [mutation cross-site scripting](https://researchgate.net/publication/266654651_mXSS_attacks_Attacking_well-secured_web-applications_by...
npm nuget packagist
No PRs yet
Bunkum tokens cached in the AuthenticationService are susceptible to a use-after-free
GHSA-jrf2-h5j6-3rrq CVE-2023-45814 MODERATE about 2 years ago
### Impact First, a little bit of background. So, in the beginning, Bunkum's `AuthenticationService` only supported injecting `IUser`s. However, as...
nuget
No PRs yet