99 matches found
Design/Logic Flaw
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...
CVE-2021-26540
The CVE-2021-26540 issue affects Apostrophe Technologies sanitize-html prior to 2.3.2, where the hostnames set in allowedIframeHostnames could be bypassed when allowIframeRelativeUrls is true, enabling bypass of the hostname whitelist for iframe src values starting with /\example.com. Public disc...
CVE-2021-26540
Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...
CVE-2021-26539
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name IDN which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option...
CVE-2021-26539
CVE-2021-26539 affects Apostrophe Technologies sanitize-html prior to version 2.3.1. The vulnerability arises from improper handling of internationalized domain names (IDN), which can allow an attacker to bypass the hostname whitelist validated by the allowedIframeHostnames option. Impact is bypa...
CVE-2021-26539
Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name IDN which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option...
Abea Apostrophe Technologies sanitize-html security vulnerability
Abea Apostrophe Technologies sanitize-html is a formatting removal tool organized by Abea USA. It provides simple HTML tag removal with a clear API. A security vulnerability exists in Apostrophe Technologies sanitize-html versions prior to 2.3.1, which stems from the inability to properly handle...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by unknown CVE via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:GHSA-PV6R-VCHH-CXG9...
GHSA-PV6R-VCHH-CXG9 Denial of Service in apostrophe
Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust...
Denial of Service in apostrophe
Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by unknown CVE via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:GHSA-H97G-4MX7-5P2P...
GHSA-H97G-4MX7-5P2P Open Redirect in apostrophe
Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later...
Open Redirect in apostrophe
Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later...
Denial Of Service (DoS)
apostrophe is vulnerable to denial of service DoS. An attacker is able to cause an application crash by attempting to get an advisory lock on a document through self.apiRoute function in routes.js...
Denial Of Service (DoS)
apostrophe is vulnerable to denial of service DoS. It does not limit a user with a login privileges to initiate multiple batch jobs requests, eventually exhausting available memory by submitting thousands of batch job requests...
Denial of Service
Overview Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and...
Open Redirect
Overview Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later. References - Snyk Report - GitHub Commit -...
Open Redirection
apostrophe is vulnerable to Open Redirection. This is because of a redirection when the url contains trailing slashes. The attacker is thus able to craft a malicious ulr to trick apostrophe to parse the url into the attacker's intended domain...
Cross site scripting
Cross-site scripting XSS vulnerability in the preview form in Stephen Ostermiller Contact Form before 2.00.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that contain an apostrophe...