
Vulnerabilities from the last week
SQL Injection
nocodb is the NocoDB package.
Affected versions of this package are vulnerable to SQL Injection in the handling of the ARRAYSORT formula's direction argument on Postgres-backed deployments. The argument is not properly validated and is embedded in a raw SQL fragment, both when the column is created and on every subsequent record read, so an attacker who controls it can execute arbitrary SQL commands and cause significant query delays.
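The pattern behind this class of bug, as an added example that is not NocoDB's own code: a sort direction taken from user input is concatenated into a raw SQL fragment, next to the allowlist check that closes it. The SQL shape, the function and column names, and the payload string are assumptions constructed for illustration.

```javascript
// Added example (not NocoDB's code): a user-controlled sort direction spliced
// into a raw SQL fragment, beside the allowlist check that prevents it. The
// SQL shape, function names and column names are assumptions for illustration.

const SORT_DIRECTIONS = new Set(['asc', 'desc']);
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: `direction` is trusted and concatenated into the fragment,
// so anything after the expected keyword becomes part of the query text.
function buildArraySortVulnerable(column, direction) {
  return `(SELECT array_agg(x ORDER BY x ${direction}) FROM unnest("${column}") AS x)`;
}

// Hardened pattern: the direction must be one of two fixed keywords and the
// column must be a plain identifier; anything else is rejected before any SQL
// is assembled, so no request-controlled bytes reach the fragment.
function buildArraySortSafe(column, direction) {
  const dir = String(direction).trim().toLowerCase();
  if (!SORT_DIRECTIONS.has(dir)) {
    throw new Error(`invalid sort direction: ${JSON.stringify(direction)}`);
  }
  if (!IDENTIFIER.test(column)) {
    throw new Error(`invalid column name: ${JSON.stringify(column)}`);
  }
  return `(SELECT array_agg(x ORDER BY x ${dir.toUpperCase()}) FROM unnest("${column}") AS x)`;
}

// Constructed payload: closes the intended ORDER BY and appends a time-delay
// call, the kind of input that makes a query hang on Postgres.
const PAYLOAD = 'ASC), pg_sleep(10) --';

// Runs both builders on the payload and reports what each produced.
function demo(column = 'tags') {
  const unsafe = buildArraySortVulnerable(column, PAYLOAD);
  let safe;
  try {
    safe = buildArraySortSafe(column, PAYLOAD);
  } catch (e) {
    safe = null; // rejected before SQL was built, as intended
  }
  return { unsafe, unsafeInjected: unsafe.includes('pg_sleep'), safe };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix is not escaping: a sort direction is a keyword position in the grammar, so the only safe input is a value from a closed set, and the column name should come from the schema rather than the request even when it is also identifier-checked.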
Arbitrary Code Injection
chromadb is the Python package for Chroma.
Affected versions of this package are vulnerable to Arbitrary Code Injection in the api/v2/tenants/default_tenant/databases/default_database/collections/{collection_id} endpoint when a malicious model repository is supplied and trust_remote_code is set to true. An attacker holding the UPDATE_COLLECTION permission can execute arbitrary code on the server by sending crafted requests.
Note: This is only exploitable when the attacker is authenticated with the UPDATE_COLLECTION permission and trust_remote_code is enabled.
Cross-site Scripting (XSS)
org.jenkins-ci.main:jenkins-core is an open source automation server.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the description field of a generic 'offline' cause set via the POST config.xml API. An attacker with Agent/Configure permission can execute arbitrary JavaScript in the context of other users by submitting specially crafted input.
Note:
- On Jenkins 2.539 and newer, LTS 2.541.1 and newer, enforcing Content Security Policy protection mitigates this vulnerability.
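The rendering mistake behind a stored XSS in a free-text field, as an added example that is not Jenkins code: the stored description interpolated into markup unchanged, beside the output-encoding fix. Function names, the markup shape and the payload are assumptions constructed for illustration.

```javascript
// Added example (not Jenkins code): a stored free-text field rendered raw into
// HTML, beside the output-encoding fix. Function names, the markup shape and
// the payload are assumptions for illustration.

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the stored description is interpolated into markup unchanged,
// so any tag in it is parsed and executed by the viewing user's browser.
function renderOfflineCauseVulnerable(description) {
  return `<div class="offline-cause">${description}</div>`;
}

// Fixed: the description is HTML-encoded at output time, so it is displayed
// as text whatever it contains.
function renderOfflineCauseSafe(description) {
  return `<div class="offline-cause">${escapeHtml(description)}</div>`;
}

// Crude check: does the rendered output contain any tag that did not come
// from the template itself?
function hasInjectedTag(html, templateTag = 'div') {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => t.replace(/^<\/?/, '').toLowerCase() !== templateTag);
}

// Constructed payload of the kind a user with the permission to edit the field
// could store; it needs no <script> tag to run.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

console.log('vulnerable:', renderOfflineCauseVulnerable(PAYLOAD));
console.log('safe:      ', renderOfflineCauseSafe(PAYLOAD));
```

Encoding at the output boundary is the fix; an enforced Content Security Policy, as noted for the affected Jenkins versions, is a second layer that stops the injected handler from executing even when the encoding is missed.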
Recent vulnerabilities disclosed by Snyk
- High: Command Injection in degit (npm)
- Critical: Malicious Package in moustick (npm)
- Critical: Malicious Package in cookie-parser-legacy (npm)
- Medium: Arbitrary File Write via Archive Extraction (Zip Slip) in decompress (npm)
- High: CSV Injection in json-2-csv (npm)
Snyk security researchers have disclosed 3497 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.