ZEROPATH WALL OF FAME
We're on a mission to secure the world's code.
All of the vulnerabilities listed have been found & fixed by ZeroPath. This selection represents a subset of vulnerabilities we've found in open source projects.
19 open source vulnerabilities found by ZeroPath, plus 25 more in the responsible disclosure process.
CVE-2024-43035
2024-07-21
Local File Inclusion in Fonoster
A Local File Inclusion vulnerability was discovered in the Fonoster Voice Server, allowing access to system files via voice file paths due to incomplete path validation.
CVE TBD
2024-09-05
Unauthorized Access to Any User's Jobs in LibrePhotos
Access to other users' processing jobs due to missing authorization in job queue.
CVE TBD
2024-09-05
Token Refresh Vulnerability in LibrePhotos
Complete authentication bypass via improper token validation in the LibrePhotos project.
CVE TBD
2024-09-02
Unauthorized Conversation Deletion in RagFlow
Complete deletion of other users' chat history due to missing object-level authorization checks.
CVE TBD
2024-09-02
Unauthorized Canvas Deletion in RagFlow
Deletion of other users' visualization canvases due to insufficient IDOR protection on API endpoint.
CVE TBD
2024-09-02
Unauthorized Knowledge Base Access in RagFlow
Read access to other users' private knowledge bases due to missing tenant isolation in KB queries.
CVE TBD
2024-09-02
Unauthorized File Movement in RagFlow
Moving/deleting other users' uploaded files due to missing ACL checks in file operations.
CVE TBD
2024-09-02
Unauthorized Conversation Access in RagFlow
Reading other users' private conversations due to broken access control in chat retrieval.
CVE TBD
2024-09-02
Unauthorized API Key Removal in RagFlow
Removal of other users' API keys due to IDOR in key management endpoint.
CVE TBD
2024-09-02
Unauthorized Knowledge Base Enumeration in RagFlow
Enumeration of all private knowledge bases due to missing authentication in list endpoint.
CVE TBD
2024-09-02
Unauthorized Dialog Deletion in RagFlow
Mass deletion of other users' dialogs due to race condition in deletion endpoint.
CVE-2024-9301
2024-09-03
Local File Inclusion in E2nest
A Local File Inclusion vulnerability was discovered in the E2nest project, allowing arbitrary file read via path traversal in model loading due to insufficient path normalization in config loading.
CVE TBD
2024-07-22
Remote Code Execution in Uptrain
A Remote Code Execution vulnerability was discovered in the Uptrain project, allowing code execution via eval during project creation.
CVE TBD
2024-08-22
Command Injection in Clone-voice
System command execution via voice file metadata due to unescaped input in ffmpeg command.
CVE TBD
2024-08-22
File Upload and Path Traversal in LibrePhotos
Arbitrary file write via photo upload due to insufficient path sanitization.
CVE-2024-48946
2024-09-20
Remote Code Execution in Monaco
A Remote Code Execution vulnerability was discovered in Hulu's Monaco project, allowing code execution via deserialization due to unsanitized data being passed into pickle.loads.
CVE TBD
2024-09-20
Unauthorized Redis Access in Monaco
Access to all Redis clusters administered by Monaco due to missing authentication in app_redis_api endpoint.
CVE TBD
2024-10-01
Directory Traversal in LogAI
Access to sensitive files via log paths due to broken path traversal protection in the Salesforce LogAI project.
CVE TBD
2024-10-24
Directory Traversal in DB-GPT
Access to database files via backup paths due to missing path normalization in the DB-GPT project.