
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

01 Feb 2022 — SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the id parameter in view-service.php. • https://github.com/r4hn1/Simple-Client-Management-System-Exploit/blob/main/CVE-2021-43509 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 3

21 Sep 2021 — This affects the package jointjs before 3.4.2. A type confusion vulnerability can lead to a bypass of CVE-2020-28480 when the user-provided keys used in the path parameter are arrays in the setByPath function. • https://github.com/clientIO/joint/commit/e5bf89efef6d5ea572d66870ffd86560de7830a8 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

17 Sep 2021 — XSS Hunter Express before 2021-09-17 does not properly enforce authentication requirements for paths. • https://docs.google.com/document/d/12rq4YIFZLSmZlEsq7d7hYCI1qO5xyIxA1Wrs1m4y9-4/preview • CWE-287: Improper Authentication

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

01 Apr 2021 — node-etsy-client is a Node.js Etsy REST API client. Applications that use node-etsy-client and report client errors to the end user will also expose the API key value. This is fixed in node-etsy-client v0.3.0 and later. • https://github.com/creharmony/node-etsy-client/commit/b4beb8ef080366c1a87dbf9e163051a446acaa7d • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 9.8 | EPSS: 11% | CPEs: 1 | EXPL: 1

10 Feb 2021 — The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec. • https://advisory.checkmarx.net/advisory/CX-2021-4302 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 4.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Aug 2020 — In openapi-python-client before version 0.5.3, there is a path traversal vulnerability. If a user generated a client using a maliciously crafted OpenAPI document, it is possible for generated files to be placed in arbitrary locations on disk. • https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Aug 2020 — In openapi-python-client before version 0.5.3, clients generated with a maliciously crafted OpenAPI document can generate arbitrary Python code. Subsequent execution of this malicious client is arbitrary code execution. • https://github.com/triaxtec/openapi-python-client/blob/main/CHANGELOG.md#053---2020-08-13 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

29 Apr 2020 — Actions Http-Client (NPM @actions/http-client) before version 1.0.8 can disclose Authorization headers to an incorrect domain in certain redirect scenarios. This happens if consumers of the http-client: 1. make an HTTP request with an authorization header; 2. that request leads to a redirect (302); and 3. the redirect URL points to another domain or hostname. Then the authorization header will get passed to the other domain. The problem is fixed in version 1.0.8. Actions Http-Client... • https://github.com/ossf-cve-benchmark/CVE-2020-11021 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

26 Nov 2019 — The csrf_callback function in the CSRF Magic library through 2016-03-27 is vulnerable to CSRF protection bypass, as it allows one to tamper with the CSRF token values. A remote attacker can exploit this by crafting a malicious page and distributing it to a victim via social engineering, enticing them to click the link. Once the user/victim clicks the "try again" button, the attacker can take over the account and perform unintended actions on the victim's behalf. NOTE: A third-party maintainer has stated that t... • https://pastebin.com/01tDgq7u • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 | EPSS: 2% | CPEs: 1 | EXPL: 1

19 Aug 2019 — The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions <=1.6.9 and >=1.6.14 are unaffected. • https://github.com/chef-cft/inspec_cve_2019_15224 • CWE-94: Improper Control of Generation of Code ('Code Injection')