OSS Index
An open index of open source

 Welcome to the NuGet Start Page

Posted by OSS-Index on May 15, 2016

Quick access to NuGet auditing tools, search, and recent NuGet activity on OSS Index.

 Recent news...

NuGet package vulnerability: ZeroClipboard

[Duplicate] Filtering query params out of LoaderInfo parameters
Sun Jun 25 23:06:21 EDT 2017

See https://ossindex.net/resource/vulnerability/8402731237

NuGet package vulnerability: ZeroClipboard

Possible Cross Site Scripting (XSS)
Sun Jun 25 23:03:06 EDT 2017

Some additional XSS hardening has been added to the SWF by verifying that ExternalInterface.objectID matches the expected value.

NuGet package vulnerability: Umbraco.Cms.v1

Possible Cross Site Scripting (XSS) in PermissionEditor
Thu May 18 02:31:44 EDT 2017

Affected versions of this package have a possible cross-site scripting vulnerability because the id request query attribute is not escaped in PermissionEditor.aspx.

NuGet package vulnerability: SquishIt

[Dependency] Closure minifier
Sun May 07 23:58:52 EDT 2017

The closure minifier dependency has known vulnerabilities.

NuGet package vulnerability: grpc.cpp

Uninitialized memory
Sun May 07 23:13:27 EDT 2017

The package has an uninitialized memory bug.

NuGet package vulnerability: grpc.cpp

Buffer overflow
Sun May 07 23:10:01 EDT 2017

> [An iterator] references raw slice data that may not (and probably will not) be null terminated, causing a buffer overflow error and crashes from memory corruption. A string needs to be created using the appropriate bounds.
>
> – github.com

NuGet package vulnerability: gitlinktask

[Dependency] libgit2sharp
Sun May 07 22:59:26 EDT 2017

The libgit2sharp dependency has a known vulnerability.

NuGet package vulnerability: Pdfbox

Authentication Bypass
Sun May 07 22:46:15 EDT 2017

> Affected versions of the package are vulnerable to Authentication Bypass. The ReadOnly permissions are not called in the StandardSecurityHandler, allowing all users to edit the PDF file although they are not the owners.
>
> – snyk.io

NuGet package vulnerability: ElasticSearch

Arbitrary Code Execution
Sun May 07 22:45:41 EDT 2017

> Affected versions of the package are vulnerable to Remote Code Execution. Elasticsearch versions prior to 1.6.1 are vulnerable to an engineered attack on its transport protocol that enables remote code execution. This issue is related to the Groovy announcement in CVE-2015-3253.
>
> – snyk.io

NuGet package vulnerability: ElasticSearch

Arbitrary code execution
Sun May 07 22:43:49 EDT 2017

> Affected versions of the package are vulnerable to Arbitrary Code Execution attacks that use Elasticsearch to modify files read and executed by other applications.
>
> – snyk.io