Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK |
---|---|---|---|
2020-03-02 | CVE-2020-5249 | Injection vulnerability in Puma: In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. | 6.5 |
2020-02-24 | CVE-2020-9382 | Injection vulnerability in Widgets Project Widgets: An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. | 5.4 |
2020-02-24 | CVE-2020-5245 | Injection vulnerability in multiple products: Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2. | 8.8 |
2020-02-20 | CVE-2014-4678 | Injection vulnerability in multiple products: The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. | 9.8 |
2020-02-18 | CVE-2019-10795 | Injection vulnerability in Undefsafe Project Undefsafe: undefsafe before 2.0.3 is vulnerable to Prototype Pollution. | 6.3 |
2020-02-18 | CVE-2019-10794 | Injection vulnerability in Component-Flatten Project Component-Flatten: All versions of component-flatten are vulnerable to Prototype Pollution. | 6.3 |
2020-02-18 | CVE-2019-10793 | Injection vulnerability in Dot-Object Project Dot-Object: dot-object before 2.1.3 is vulnerable to Prototype Pollution. | 6.3 |
2020-02-18 | CVE-2019-10792 | Injection vulnerability in Bodymen Project Bodymen: bodymen before 1.1.1 is vulnerable to Prototype Pollution. | 6.3 |
2020-02-18 | CVE-2014-4967 | Injection vulnerability in Redhat Ansible: Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command. | 9.8 |
2020-02-18 | CVE-2014-4966 | Injection vulnerability in Redhat Ansible: Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. | 9.8 |