Malicious code in fing-react-components (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (4e606602dc2c4b6d0550d90156a68cf31799054412bac90062d266e5bcad3d76) The OpenSSF Package Analysis project identified 'fing-react-components' @ 1.15.0 (npm) as malicious. It is considered malicious because: The...
7.1AI Score
Malicious code in @wdp-gov/catalog-serialization-engine (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (279671687dd3fcc407084cb5aeaab3c707cf47164e8b81c3f1665b61ce19dfd9) The OpenSSF Package Analysis project identified '@wdp-gov/catalog-serialization-engine' @ 3.0.195 (npm) as malicious. It is considered malicious...
7.1AI Score
Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. Notes Author| Note ---|--- alexmurray | Only affectes GitLab...
7.5CVSS
6.6AI Score
0.001EPSS
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit...
8.7CVSS
5.7AI Score
0.0004EPSS
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members...
5.3CVSS
6.4AI Score
0.0005EPSS
Malicious code in cptalertbox (npm)
-= Per source details. Do not edit below this line.=- Source: checkmarx (88c1f10ff1d7a9b89a479bd30b9548a7adc533c677f7913c88563b08e9d28814) Malicious packages campaign since 2021 targeting developers, steals source code and secrets Source: ossf-package-analysis...
7.2AI Score
Malicious code in nt4padyp3 (PyPI)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6999b5e1cf4a39c5ee73a61b953c0592465267806362b2485d61f8372242370d) The OpenSSF Package Analysis project identified 'nt4padyp3' @ 0.0.2 (pypi) as malicious. It is considered malicious because: The package executes...
7.4AI Score
GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 9.5.13 and 10.0.7, a SQL Injection vulnerability allow users with access rights to statistics or reports to extract all data from database and, in some cases, write a webshell on the server....
9.6CVSS
8.2AI Score
0.001EPSS
According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is version 8.2.x prior to 8.6.0. It is, therefore, affected by an information disclosure vulnerability due to improper authorization checks. An authenticated, remote attacker can exploit...
4.3CVSS
4.6AI Score
0.001EPSS
Missing Authorization vulnerability in impleCode Reviews Plus.This issue affects Reviews Plus: from n/a through...
4.3CVSS
6.8AI Score
0.0004EPSS
pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious pdm.lock file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. A project...
7.8CVSS
7.8AI Score
0.001EPSS
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level...
4.3CVSS
5.7AI Score
0.0004EPSS
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level...
4.3CVSS
6.6AI Score
0.0004EPSS
A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this...
8.8CVSS
9AI Score
0.003EPSS
Malicious code in blue-oval-theme (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (c708f4696b33e43ba9ca5b70bafa9ac82b1ee694df0caa84f7283885ff8d5544) The OpenSSF Package Analysis project identified 'blue-oval-theme' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...
7.3AI Score
The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a parameter allowing contributor and above users to redirect a page to a malicious...
9.2AI Score
0.0004EPSS
Quiz And Survey Master < 9.0.2 - Contributor+ SQLi
Description The plugin is vulnerable does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by Contributors and above role PoC 1) You will need a valid nonce for deletion of quiz questions. 2) Sign in....
7.7AI Score
EPSS
Missing Authorization vulnerability in Smartypants SP Project & Document Manager.This issue affects SP Project & Document Manager : from n/a through...
6.3CVSS
7.2AI Score
0.0004EPSS
Malicious code in donuts.node-build (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (6b8d6fee5827de9688cc9b83812dc32e54e33531a0bd2fd179dc3e2935564dc7) The OpenSSF Package Analysis project identified 'donuts.node-build' @ 99.99.104 (npm) as malicious. It is considered malicious because: - The...
7.3AI Score
Malicious code in webquickauth (PyPI)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (e838cec17c1006b567e2a70f9554fd2a040c9fb0cfdf8d753e81548c1ea02c49) The OpenSSF Package Analysis project identified 'webquickauth' @ 2.3.5 (pypi) as malicious. It is considered malicious because: The package...
7.4AI Score
An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to....
8.8CVSS
8.9AI Score
0.003EPSS
The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
6.4CVSS
5.8AI Score
0.0004EPSS
Animated AL List <= 1.0.6 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...
6AI Score
0.0004EPSS
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions there is a SQL injection vulnerability which is possible on login page. No user credentials are required to exploit this vulnerability......
9.8CVSS
7.6AI Score
0.002EPSS
Malicious code in draconianspeed (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b1212e40bb57fce7672f50431153645b13624cc1e2061b44c0b91fec275e7853) The OpenSSF Package Analysis project identified 'draconianspeed' @ 5.0.0 (npm) as malicious. It is considered malicious because: The package...
7.4AI Score
Malicious code in twentynineteen (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (41e718fa7d54fba600dedc033d1d1c93b282fdae82403869bf77c53363acf842) The OpenSSF Package Analysis project identified 'twentynineteen' @ 2.5.1 (npm) as malicious. It is considered malicious because: The package...
7AI Score
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b402206ef266d63280b9361618b5ece377520d29080572d05c4a7dd0010f1e54) The OpenSSF Package Analysis project identified 'itfd' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The package communicates...
7.3AI Score
Malicious code in @yu-life/yulife-bdd-framework (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (8dfe091de922cc251578223955b74b56ade98fa67b719bcaa584d3403602f992) The OpenSSF Package Analysis project identified '@yu-life/yulife-bdd-framework' @ 0.0.72 (npm) as malicious. It is considered malicious because: ...
7.3AI Score
[SECURITY] Fedora 40 Update: libopenmpt-0.7.8-1.fc40
libopenmpt is a cross-platform C++ and C library to decode tracked music files (modules) into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project (Open ModPlug Tracker). In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
7.4AI Score
[SECURITY] Fedora 39 Update: libopenmpt-0.7.8-1.fc39
libopenmpt is a cross-platform C++ and C library to decode tracked music files (modules) into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project (Open ModPlug Tracker). In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
7.4AI Score
SP Project & Document Manager <= 4.71 - Subscriber+ File Download via IDOR
Description The plugin lacks proper access controllers and allows a logged in user to view and download files belonging to another...
6.6AI Score
0.0004EPSS
Malicious code in pd-ui-kit (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (b46ebcb2f76102916a1ab764b5af360b8c6cdd1dc56a269538132bcc4e307983) The OpenSSF Package Analysis project identified 'pd-ui-kit' @ 1.5.1 (npm) as malicious. It is considered malicious because: The package...
7.3AI Score
Malicious code in quickwebbasicauth (PyPI)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (e8ebea7be43f522c7fd45c4793bcac3b33c5ffafa2dc9ea3e0f28657bc650819) The OpenSSF Package Analysis project identified 'quickwebbasicauth' @ 2.3.2 (pypi) as malicious. It is considered malicious because: The package...
7.4AI Score
Malicious code in @wdpx/themes (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (027f3f6ecca8b2d2bd6a4d8c6b358eb1ea8ea1f094cfe3d2606095b6b17d822f) The OpenSSF Package Analysis project identified '@wdpx/themes' @ 3.0.2 (npm) as malicious. It is considered malicious because: The package...
7.1AI Score
Malicious code in melichat-component-library (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (1d7d152708054848a62109924487b7dcacac50e054b19a8682b3b0b26b279e6b) The OpenSSF Package Analysis project identified 'melichat-component-library' @ 1.1.0 (npm) as malicious. It is considered malicious because: The...
7.1AI Score
Malicious code in iobeya-time-utils (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (5cc94a15fd9feb4f7fd5146415061bfe386fd2d185f1e0d80fc3ecd40ce7adb2) The OpenSSF Package Analysis project identified 'iobeya-time-utils' @ 3.0.0 (npm) as malicious. It is considered malicious because: The package...
7.3AI Score
Malicious code in comet-chat-react-ui-kit (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (9a6f38c4d9dd2413e237c8d146d5fcf11d04f613910b552a32a52b3e4cf199f6) The OpenSSF Package Analysis project identified 'comet-chat-react-ui-kit' @ 1.0.1 (npm) as malicious. It is considered malicious because: The...
7.4AI Score
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.8, Computer Virtual Machine form and GLPI inventory request can be used to perform a SQL injection attack. Version 10.0.8 has a patch for this issue. As a workaround, one may disable native.....
9.8CVSS
8AI Score
0.001EPSS
The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to...
5.3CVSS
5.5AI Score
0.001EPSS
GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In affected versions all GLPI instances with the native inventory used may leak sensitive information. The feature to get refused file is not authenticated......
5.3CVSS
6.5AI Score
0.002EPSS
GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS...
6.2CVSS
6AI Score
0.001EPSS
Malicious code in storefront-h5-sdk (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (3bdecd59d5667e506fd4f66d29c575454020e37384211ce8a27e463cd6971298) The OpenSSF Package Analysis project identified 'storefront-h5-sdk' @ 1.0.0 (npm) as malicious. It is considered malicious because: The package...
7.1AI Score
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This....
4.3CVSS
6.4AI Score
0.0004EPSS
Simple AL Slider <= 1.2.10 - Reflected XSS
Description The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...
6AI Score
0.0004EPSS
Malicious code in parallel-workers (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (abf4ac32d4bbbf2bca51efed2166f670c707230f7da2b87c1318cbe8ca9dade1) The OpenSSF Package Analysis project identified 'parallel-workers' @ 99.99.101 (npm) as malicious. It is considered malicious because: - The...
7.3AI Score
Malicious code in odyssey-lint-staged (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (0b408f794010d1926bb9841d26fd28c91c97d8f11d71acea664c92ccb5a06a54) The OpenSSF Package Analysis project identified 'odyssey-lint-staged' @ 9.9.5 (npm) as malicious. It is considered malicious because: The package...
7.3AI Score
Malicious code in mesbah-unclaim (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (263dd8e3a7c219627fe6ca196c18bb5262996c68f086fd118d74caec6e06aee1) The OpenSSF Package Analysis project identified 'mesbah-unclaim' @ 2.0.0 (npm) as malicious. It is considered malicious because: - The package...
7.3AI Score
Malicious code in tempomati-omega-69-emcuf7 (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (a012c605870034511688f664880e997bc8423cd7707f3de28326adc144f4fb4a) The OpenSSF Package Analysis project identified 'tempomati-omega-69-emcuf7' @ 1.0.0 (npm) as malicious. It is considered malicious because: - The...
7.3AI Score
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This....
4.3CVSS
4.3AI Score
0.0004EPSS
Malicious code in tempomati-omega-5-emcuf311 (npm)
-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (865979d6590ceed06ce4e4e3bcc1ad05be4caec6967f82f7654fa9e709ca97fc) The OpenSSF Package Analysis project identified 'tempomati-omega-5-emcuf311' @ 1.0.1 (npm) as malicious. It is considered malicious because: - The.....
7.3AI Score