Security Advisories
Browse security advisories and track which Dependabot PRs address them.
Total advisories: 25,050
With Dependabot PRs: 1,846
Critical severity: 3,534
High severity: 8,712
vantage6 may create unencrypted tasks in encrypted collaboration
GHSA-rjmv-52mp-gjrr CVE-2024-22193 LOW almost 2 years ago
### Impact
There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accident...
pypi
No PRs yet
vantage6 vulnerable to username timing attack
GHSA-45gq-q4xh-cp53 CVE-2024-21671 LOW almost 2 years ago
### Impact
It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks
### Worka...
pypi
No PRs yet
Unauthenticated Nonce Increment in snow
GHSA-7g9j-g5jg-3vv3 CVE-2024-58265 LOW almost 2 years ago
### Impact
There was a logic bug where unauthenticated payloads could still cause a nonce increment in snow's internal state. For an attacker with ...
cargo
3 Dependabot PRs
Non-constant time webhook token comparison in Jenkins GitLab Branch Source Plugin
GHSA-f67f-2j6r-m4c9 CVE-2024-23903 LOW almost 2 years ago
Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier does not use a constant-time comparison function when checking whether the prov...
maven
No PRs yet
changedetection.io API endpoint is not secured with API token
GHSA-hcvp-2cc7-jrwr CVE-2024-23329 LOW almost 2 years ago
### Summary
API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user.
### Details
WatchHistory resource does not hav...
pypi
No PRs yet
Multiple issues involving quote API in shlex
GHSA-r7qv-8r2h-pg27 CVE-2024-58266 LOW almost 2 years ago
## Issue 1: Failure to quote characters
Affected versions of this crate allowed the bytes `{` and `\xa0` to appear unquoted and unescaped in comma...
cargo
43 Dependabot PRs, 11% merged
ferris-says has undefined behavior when not using UTF-8
GHSA-v363-rrf2-5fmj LOW almost 2 years ago
Affected versions receive a `&[u8]` from the caller through a safe API, and pass it directly to the unsafe `str::from_utf8_unchecked` function.
Th...
cargo
No PRs yet
Breaking unlinkability in Identity Mixer using malicious keys
GHSA-2q6j-gqc4-4gw3 CVE-2022-31021 LOW almost 2 years ago
# CL Signatures Issuer Key Correctness Proof lacks prime strength checking
A weakness in the Hyperledger AnonCreds specification that is not mi...
cargo
No PRs yet
Minor fix to previous patch for CVE-2022-35918
GHSA-8qw9-gf7w-42x5 LOW almost 2 years ago
### Impact
The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed...
pypi
No PRs yet
cdo-local-uuid vulnerable to insertion of artifact derived from developer's Present Working Directory into demonstration code
GHSA-rgrf-6mf5-m882 CVE-2024-22194 LOW almost 2 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
An information leakage vulnerability is present in [`cdo-local-uuid`](https://pypi...
pypi
No PRs yet
Apache Answer Race Condition vulnerability
GHSA-f899-4mr4-fqpv CVE-2023-49619 LOW almost 2 years ago
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Answer.
This issue affects Apa...
go
No PRs yet
The DES/3DES cipher was used as part of the TLS protocol by installation tools
GHSA-7xg2-83f8-39mr LOW almost 2 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
The Karmada components deployed with `karmadactl`, `karma-operator`, and `helm cha...
go
No PRs yet
Gila CMS SQL Injection vulnerability
GHSA-3pfj-g4wr-qj3j CVE-2020-26625 LOW almost 2 years ago
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the...
packagist
No PRs yet
Gila CMS SQL Injection vulnerability
GHSA-4vf6-2rmx-fgqx CVE-2020-26624 LOW almost 2 years ago
A SQL injection vulnerability was discovered in Gila CMS 1.15.4 and earlier which allows a remote attacker to execute arbitrary web scripts via the...
packagist
No PRs yet
Winter CMS Local File Inclusion through Server Side Template Injection
GHSA-2x7r-93ww-cxrq CVE-2023-52085 LOW almost 2 years ago
### Impact
Users with access to backend forms that include a [ColorPicker FormWidget](https://wintercms.com/docs/v1.2/docs/backend/forms#color-pick...
packagist
No PRs yet
Mattermost allows demoted guests to change group names
GHSA-9w97-9rqx-8v4j CVE-2023-50333 LOW almost 2 years ago
Mattermost fails to update the permissions of the current session for a user who was just demoted to guest, allowing freshly demoted guests to chan...
go
No PRs yet
Mattermost Cross-site Scripting vulnerability
GHSA-h3gq-j7p9-x3p4 CVE-2023-7113 LOW almost 2 years ago
Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.
go
No PRs yet
Winter CMS Stored XSS through Backend ColorPicker FormWidget
GHSA-43w4-4j3c-jx29 CVE-2023-52084 LOW almost 2 years ago
### Impact
Users with access to backend forms that include a [ColorPicker FormWidget](https://wintercms.com/docs/v1.2/docs/backend/forms#color-pick...
packagist
No PRs yet
Winter CMS Stored XSS through privileged upload of Media Manager file followed by renaming
GHSA-4wvw-75qh-fqjp CVE-2023-52083 LOW almost 2 years ago
### Impact
Users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media...
packagist
No PRs yet
Nautobot missing object-level permissions enforcement when running Job Buttons
GHSA-vf5m-xrhm-v999 CVE-2023-51649 LOW almost 2 years ago
### Impact
When submitting a Job to run via a Job Button, only the model-level `extras.run_job` permission is checked (i.e., does the user have pe...
pypi
No PRs yet
Authenticated Blind SSRF in automad/automad
GHSA-q5q3-qm26-9jwm CVE-2023-7037 LOW almost 2 years ago
automad up to 1.10.9 is vulnerable to an authenticated blind server-side request forgery in `importUrl` as the `import` function on the `FileContro...
packagist
No PRs yet
yii2-authclient vulnerable to possible timing attack on string comparison in OAuth1, OAuth2 and OpenID Connect implementation
GHSA-w8vh-p74j-x9xp CVE-2023-50708 LOW almost 2 years ago
### Impact
_What kind of vulnerability is it? Who is impacted?_
Original Report:
> The OAuth1/2 "state" and OpenID Connect "nonce" are vulnerable ...
packagist
No PRs yet
nvdApiKey is logged in debug mode
GHSA-qqhq-8r2c-c3f5 LOW about 2 years ago
### Summary
The value of `nvdApiKey` configuration parameter is logged in clear text in debug mode.
### Details
The NVD API key is a kind of secre...
maven
1 Dependabot PR
Ref methods into_ref, into_mut, into_slice, and into_slice_mut are unsound when used with cell::Ref or cell::RefMut
GHSA-3mv5-343c-w2qg LOW about 2 years ago
*This advisory is also published as [RUSTSEC-2023-0074](https://rustsec.org/advisories/RUSTSEC-2023-0074.html).*
The `Ref` methods `into_ref`, `in...
cargo
18 Dependabot PRs, 17% merged
Broken access control in Silverpeas
GHSA-whgv-6j78-5rh2 CVE-2023-47320 LOW about 2 years ago
Silverpeas Core 6.3.1 is vulnerable to Incorrect Access Control. An attacker with low privileges is able to execute the administrator-only function...
maven
No PRs yet
Unauthenticated db-file-storage views
GHSA-75mc-3pjc-727q CVE-2023-50263 LOW about 2 years ago
### Impact
In Nautobot 1.x and 2.0.x, the URLs `/files/get/?name=...` and `/files/download/?name=...` are used to provide admin access to files t...
pypi
No PRs yet
Stored XSS via SVG File Upload
GHSA-6xmx-85x3-4cv2 CVE-2023-49279 LOW about 2 years ago
#### Impact
A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user into loading the media di...
nuget
No PRs yet
Brute force exploit can be used to collect valid usernames
GHSA-7x74-h8cw-qhxq CVE-2023-49278 LOW about 2 years ago
#### Impact
A brute force exploit that can be used to collect valid usernames is possible.
#### Explanation of the vulnerability
It's a brute for...
nuget
No PRs yet
SMTP misconfiguration leading to "Forgot Password" exploit that leaks registered user email.
GHSA-8qp8-9rpw-j46c CVE-2023-49274 LOW about 2 years ago
#### Impact
A user enumeration attack is possible when SMTP is not set up correctly but reset password is enabled.
#### Explanation of the vulnerab...
nuget
3 Dependabot PRs
Using the directory back payload (“/../”) in a package name allows placement of package in other folders.
GHSA-6324-52pr-h4p5 CVE-2023-49089 LOW about 2 years ago
#### Impact
Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location.
#### E...
nuget
3 Dependabot PRs
Backoffice User can bypass "Publish" restriction
GHSA-335x-5wcm-8jv2 CVE-2023-48227 LOW about 2 years ago
#### Impact
Backoffice users with send for approval permission but not publish permission are able to publish in some scenarios.
#### Explanation ...
nuget
No PRs yet
Possible injection of HTML into user invite mails
GHSA-xxc6-35r7-796w CVE-2023-38694 LOW about 2 years ago
#### Impact
A user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended.
#### Explana...
nuget
No PRs yet
Stale copy of the public suffix list
GHSA-w4x6-hh3x-wjrx LOW about 2 years ago
We have identified that this project contains an out-of-date version of the Public Suffix List (https://publicsuffix.org/). We are carrying out res...
nuget
No PRs yet
eventing-gitlab vulnerable to denial of service, caused by improper enforcement of the timeout on individual read operations
GHSA-99jv-8292-2hpm LOW about 2 years ago
### Impact
The eventing-gitlab cluster-local server doesn't set `ReadHeaderTimeout`, which could lead to a DDoS attack, where a large group of ...
go
No PRs yet
dbt-core's secret env vars written to package-lock.json in plaintext
GHSA-j4g3-3q8x-jxqp LOW about 2 years ago
### Impact
When used to pull source code from a private repository using a Personal Access Token (PAT), some versions of dbt-core write a URL with...
pypi
No PRs yet
Microweber missing standardized error handling mechanism
GHSA-9r6p-hg4g-5gxp CVE-2023-6599 LOW about 2 years ago
Missing Standardized Error Handling Mechanism in GitHub repository microweber/microweber prior to 2.0.0.
packagist
No PRs yet
eventing-github vulnerable to denial of service caused by improper enforcement of the timeout on individual read operations
GHSA-v7hc-87jc-qrrr LOW about 2 years ago
### Impact
The eventing-github cluster-local server doesn't set `ReadHeaderTimeout`, which could lead to a DDoS attack, where a large group of ...
go
No PRs yet
PyDrive2's unsafe YAML deserialization in LoadSettingsFile allows arbitrary code execution
GHSA-v5f6-hjmf-9mc5 CVE-2023-49297 LOW about 2 years ago
### Summary
Unsafe YAML deserialization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution ...
pypi
No PRs yet
Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true
GHSA-x9qq-236j-gj97 LOW about 2 years ago
### Summary
If a user has restricted access to a project that is configured with `restricted=true`, they can gain root access on the system by cre...
go
No PRs yet
Keycloak vulnerable to LDAP Injection on UsernameForm Login
GHSA-8hc5-rmgf-qx6p CVE-2022-2232 LOW about 2 years ago
A flaw was found in the Keycloak package. This flaw allows an attacker to benefit from an LDAP query and access existing usernames in the server.
maven
No PRs yet
google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability
GHSA-4233-7q5q-m7p6 CVE-2023-48711 LOW about 2 years ago
### Summary
A Server-Side Request Forgery (SSRF) Vulnerability is present in applications utilizing the `google-translate-api-browser` package and ...
npm
No PRs yet
Mattermost Injection vulnerability
GHSA-jcgv-3pfq-j4hr CVE-2023-35075 LOW about 2 years ago
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTM...
go
No PRs yet
Exposure of Sensitive Information in Elastic APM .NET Agent
GHSA-hx93-gc73-5rpr CVE-2021-22143 LOW about 2 years ago
The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent...
nuget
No PRs yet
Concrete CMS Cross-site Scripting vulnerability
GHSA-36fr-3wg8-q5v8 CVE-2023-48649 LOW about 2 years ago
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.
packagist
No PRs yet
Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks
GHSA-xx9p-xxvh-7g8j CVE-2023-47641 LOW about 2 years ago
### Impact
Aiohttp has a security vulnerability regarding the inconsistent interpretation of the HTTP protocol. As we know, HTTP/1.1 is persis...
pypi
No PRs yet
Information Disclosure in typo3/cms-install tool
GHSA-p2jh-95jg-2w55 CVE-2023-47126 LOW about 2 years ago
> ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C` (3.5)
### Problem
The login screen of the standalone install tool disclos...
packagist
No PRs yet
gnark's range checker gadget allows wider inputs up to word alignment
GHSA-rjjm-x32p-m3f7 LOW about 2 years ago
### Impact
gnark provides a gadget in the standard library to allow optimized checking of the bitwidth of the inputs. The gadget works by construc...
go
No PRs yet
Moodle Exposure of Sensitive Information to an Unauthorized Actor vulnerability
GHSA-jr83-8x65-xcr5 CVE-2023-5551 LOW about 2 years ago
Separate Groups mode restrictions were not honoured in the forum summary report, which would display users from other groups.
packagist
No PRs yet
Signing DynamoDB Sets when using the AWS Database Encryption SDK.
GHSA-72fp-w44g-625q LOW about 2 years ago
### Impact
This advisory addresses an issue when a DynamoDB Set attribute is marked as SIGN_ONLY in the AWS Database Encryption SDK (DB-ESDK) for D...
maven
No PRs yet
slsa-verifier vulnerable to improper validation of npm's publish attestations
GHSA-r2xv-vpr2-42m9 LOW about 2 years ago
### Summary
`slsa-verifier<=2.4.0` does not correctly verify npm's [publish](https://github.com/npm/attestation/tree/main/specs/publish/v0.1) atte...
go
No PRs yet