Go Exploits
72 exploits tracked across all sources.
Kubernetes ingress-nginx auth-tls-match-cn - Controller Code Execution
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
by Esonhugh
Typecho 1.3.0 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability in Typecho v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by cyberaz0r
CVSS 9.0
Typecho 1.3.0 - Race Condition in Post Commenting Function
Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks if the comments are posted too frequently.
by cyberaz0r
CVSS 6.5
Ollama < 0.1.47 - Path Traversal via ZIP Archive Extraction
extractFromZipFile in model.go in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.
by pankass
Apache Tomcat 9.0.0-9.0.97, 10.1.0-M1-10.1.33, 11.0.0-M1-11.0.1 - Time-of-check Time-of-use Race Condition
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
by SleepingBag945
Firewalla Box Software <1.979 - Command Injection
Multiple authenticated operating system (OS) command injection vulnerabilities exist in Firewalla Box Software
versions before 1.979. A physically close
attacker that is authenticated to the Bluetooth Low-Energy (BTLE) interface can use the network configuration service to inject commands in various configuration parameters including networkConfig.Interface.Phy.Eth0.Extra.PingTestIP, networkConfig.Interface.Phy.Eth0.Extra.DNSTestDomain, and networkConfig.Interface.Phy.Eth0.Gateway6. Additionally, because the configuration can be synced to the Firewalla cloud, the attacker may be able to persist access even after hardware resets and firmware re-flashes.
by xen0bit
Typecho 1.3.0 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability in Typecho v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
by cyberaz0r
Typecho 1.3.0 - Race Condition in Post Commenting Function
Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks if the comments are posted too frequently.
by cyberaz0r
Apache Traffic Server 8.0.0-8.1.9 9.0.0-9.2.3 - Denial of Service via HTTP/2 CONTINUATION Frames
HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.
Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.
Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.
by lockness-Ko
Envoy < 1.26.8 - Denial of Service via HTTP/2 CONTINUATION Frame Flood
Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy's HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy's header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable HTTP/2 protocol for downstream connections.
by lockness-Ko
nghttp2 < 1.61.0 - Denial of Service via Unbounded HTTP/2 CONTINUATION Frames
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
by lockness-Ko
Envoy 1.29.0-1.29.1 - Denial of Service via HTTP/2 CONTINUATION Frame Flood
Envoy is a cloud-native, open-source edge and service proxy. In versions 1.29.0 and 1.29.1, theEnvoy HTTP/2 protocol stack is vulnerable to the flood of CONTINUATION frames. Envoy's HTTP/2 codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption. This can lead to denial of service through memory exhaustion. Users should upgrade to versions 1.29.2 to mitigate the effects of the CONTINUATION flood. Note that this vulnerability is a regression in Envoy version 1.29.0 and 1.29.1 only. As a workaround, downgrade to version 1.28.1 or earlier or disable HTTP/2 protocol for downstream connections.
by lockness-Ko
amphttp <unknown> - Buffer Overflow
amphp/http will collect CONTINUATION frames in an unbounded buffer and will not check a limit until it has received the set END_HEADERS flag, resulting in an OOM crash.
by lockness-Ko
modoboa < 2.0.4 - Authentication Bypass
Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.
by 7h3h4ckv157
CVSS 9.8
CWP login.php Unauthenticated RCE
login/index.php in CWP (aka Control Web Panel or CentOS Web Panel) 7 before 0.9.8.1147 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the login parameter.
by Mayank Deshmukh
CVSS 9.8
Casdoor < 1.13.1 - SQL Injection via Query API Parameters
The query API in Casdoor before 1.13.1 has a SQL injection vulnerability related to the field and value parameters, as demonstrated by api/get-organizations.
by Mayank Deshmukh
CVSS 7.5
ForgeRock OpenAM < 13.5.1 - Unauthenticated LDAP Injection via Webfinger Protocol
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
by Charlton Trezevant
CVSS 7.5
INNEO Startup TOOLS 12.0.66.3784-13.0.70.3804 - Unauthenticated Path Traversal via sut_srv.exe Web Application
An issue was discovered in INNEO Startup TOOLS 2017 M021 12.0.66.3784 through 2018 M040 13.0.70.3804. The sut_srv.exe web application (served on TCP port 85) includes user input into a filesystem access without any further validation. This might allow an unauthenticated attacker to read files on the server via Directory Traversal, or possibly have unspecified other impact.
by Patrick Hener
CVSS 9.8
DrayTek Vigor2960/Vigor3900/Vigor300B Beta - Unauthenticated Remote Code Execution via mainfunction.cgi
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
by 0xsha
CVSS 9.8
NetGain EM Plus 10.1.68 - Unauthenticated Remote Code Execution via script_test.jsp Content Parameter
NetGain EM Plus 10.1.68 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious parameters to the script_test.jsp endpoint. Attackers can send POST requests with shell commands embedded in the 'content' parameter to execute code and retrieve command output.
by azams
CVSS 9.8
Mikrotik WinBox 6.42 - Credential Disclosure (golang)
by Maxim Yefimenko
Elipse E3 < 3.2 - Denial of Service via HTTP Request Flooding
Elipse E3 3.x and earlier allows remote attackers to cause a denial of service (application crash and plant outage) via a rapid series of HTTP requests to index.html on TCP port 1681.
by firebitsbr
By Source