Total
22 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-32908 | 2025-04-15 | N/A | 7.5 HIGH | ||
| A flaw was found in libsoup. The HTTP/2 server in libsoup may not fully validate the values of pseudo-headers :scheme, :authority, and :path, which may allow a user to cause a denial of service (DoS). | |||||
| CVE-2024-12388 | 2025-03-20 | N/A | 6.5 MEDIUM | ||
| A vulnerability in binary-husky/gpt_academic version 310122f allows for a Regular Expression Denial of Service (ReDoS) attack. The application uses a regular expression to parse user input, which can take polynomial time to match certain crafted inputs. This allows an attacker to send a small malicious payload to the server, causing it to become unresponsive and unable to handle any requests from other users. | |||||
| CVE-2024-11169 | 2025-03-20 | N/A | 7.5 HIGH | ||
| An unhandled exception in danny-avila/librechat version 3c94ff2 can lead to a server crash. The issue occurs when the fs module throws an exception while handling file uploads. An unauthenticated user can trigger this exception by sending a specially crafted request, causing the server to crash. The vulnerability is fixed in version 0.7.6. | |||||
| CVE-2025-22870 | 2025-03-18 | N/A | 4.4 MEDIUM | ||
| Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied. | |||||
| CVE-2025-25069 | 2025-02-13 | N/A | 6.5 MEDIUM | ||
| A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue. | |||||
| CVE-2018-12123 | 1 Nodejs | 1 Node.js | 2024-12-13 | 4.3 MEDIUM | 4.3 MEDIUM |
| Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect. | |||||
| CVE-2023-32260 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Misinterpretation of Input vulnerability in OpenText™ Service Management Automation X (SMAX), OpenText™ Asset Management X (AMX), and OpenText™ Hybrid Cloud Management X (HCMX) products. The vulnerability could allow Input data manipulation.This issue affects Service Management Automation X (SMAX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; Asset Management X (AMX) versions: 2021.08, 2021.11, 2022.05, 2022.11, 2023.05; and Hybrid Cloud Management X (HCMX) versions: 2020.05, 2020.08, 2020.11, 2021.02, 2021.05, 2021.08, 2021.11, 2022.05, 2022.11, 2023.05. | |||||
| CVE-2023-32228 | 2024-11-21 | N/A | 4.6 MEDIUM | ||
| A firmware bug which may lead to misinterpretation of data in the AMC2-4WCF and AMC2-2WCF allowing an adversary to grant access to the last authorized user. | |||||
| CVE-2023-0880 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 8.3 HIGH |
| Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11. | |||||
| CVE-2022-3224 | 1 Parse-url Project | 1 Parse-url | 2024-11-21 | N/A | 6.1 MEDIUM |
| Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to 8.1.0. | |||||
| CVE-2022-21672 | 1 Linuxfromscratch | 1 Make-ca | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor. | |||||
| CVE-2022-20915 | 1 Cisco | 1 Ios Xe | 2024-11-21 | N/A | 7.4 HIGH |
| A vulnerability in the implementation of IPv6 VPN over MPLS (6VPE) with Zone-Based Firewall (ZBFW) of Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper error handling of an IPv6 packet that is forwarded from an MPLS and ZBFW-enabled interface in a 6VPE deployment. An attacker could exploit this vulnerability by sending a crafted IPv6 packet sourced from a device on the IPv6-enabled virtual routing and forwarding (VRF) interface through the affected device. A successful exploit could allow the attacker to reload the device, resulting in a DoS condition. | |||||
| CVE-2022-1233 | 1 Uri.js Project | 1 Uri.js | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| URL Confusion When Scheme Not Supplied in GitHub repository medialize/uri.js prior to 1.19.11. | |||||
| CVE-2021-21366 | 2 Debian, Xmldom Project | 2 Debian Linux, Xmldom | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents. | |||||
| CVE-2021-1587 | 1 Cisco | 63 Nexus 3000, Nexus 3048, Nexus 31108pc-v and 60 more | 2024-11-21 | 4.3 MEDIUM | 8.6 HIGH |
| A vulnerability in the VXLAN Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of specific packets with a Transparent Interconnection of Lots of Links (TRILL) OAM EtherType. An attacker could exploit this vulnerability by sending crafted packets, including the TRILL OAM EtherType of 0x8902, to a device that is part of a VXLAN Ethernet VPN (EVPN) fabric. A successful exploit could allow the attacker to cause an affected device to experience high CPU usage and consume excessive system resources, which may result in overall control plane instability and cause the affected device to reload. Note: The NGOAM feature is disabled by default. | |||||
| CVE-2021-0207 | 1 Juniper | 14 Ex2300, Ex3400, Ex4300 and 11 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An improper interpretation conflict of certain data between certain software components within the Juniper Networks Junos OS devices does not allow certain traffic to pass through the device upon receipt from an ingress interface filtering certain specific types of traffic which is then being redirected to an egress interface on a different VLAN. This causes a Denial of Service (DoS) to those clients sending these particular types of traffic. Such traffic being sent by a client may appear genuine, but is non-standard in nature and should be considered as potentially malicious, and can be targeted to the device, or destined through it for the issue to occur. This issues affects IPv4 and IPv6 traffic. An indicator of compromise may be found by checking log files. You may find that traffic on the input interface has 100% of traffic flowing into the device, yet the egress interface shows 0 pps leaving the device. For example: [show interfaces "interface" statistics detail] Output between two interfaces would reveal something similar to: Ingress, first interface: -------------------- Interface Link Input packets (pps) Output packets (pps) et-0/0/0 Up 9999999999 (9999) 1 (0) -------------------- Egress, second interface: -------------------- Interface Link Input packets (pps) Output packets (pps) et-0/0/1 Up 0 (0) 9999999999 (0) -------------------- Dropped packets will not show up in DDoS monitoring/protection counters as issue is not caused by anti-DDoS protection mechanisms. This issue affects: Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S7 on NFX250, QFX5K Series, EX4600; 17.4 versions prior to 17.4R2-S11, 17.4R3-S3 on NFX250, QFX5K Series, EX4600; 18.1 versions prior to 18.1R3-S9 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4600; 18.2 versions prior to 18.2R3-S3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600; 18.3 versions prior to 18.3R3-S1 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.2 versions prior to 19.2R1-S5, 19.2R2 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.3 versions prior to 19.3R2-S3, 19.3R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.4 versions prior to 19.4R1-S2, 19.4R2 on NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series. This issue does not affect Junos OS releases prior to 17.2R2. | |||||
| CVE-2020-29511 | 2 Golang, Netapp | 2 Go, Trident | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
| CVE-2020-29510 | 2 Golang, Netapp | 2 Go, Trident | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The encoding/xml package in Go versions 1.15 and earlier does not correctly preserve the semantics of directives during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
| CVE-2020-29509 | 2 Golang, Netapp | 2 Go, Trident | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| The encoding/xml package in Go (all versions) does not correctly preserve the semantics of attribute namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications. | |||||
| CVE-2020-27846 | 4 Fedoraproject, Grafana, Redhat and 1 more | 6 Fedora, Grafana, Enterprise Linux and 3 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| A signature verification vulnerability exists in crewjam/saml. This flaw allows an attacker to bypass SAML Authentication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | |||||