Lucene search
K

99 matches found

Prion
Prion
added 2021/02/08 5:15 p.m.19 views

Design/Logic Flaw

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...

5CVSS5.5AI score0.01754EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2021/02/08 4:16 p.m.114 views

CVE-2021-26540

The CVE-2021-26540 issue affects Apostrophe Technologies sanitize-html prior to 2.3.2, where the hostnames set in allowedIframeHostnames could be bypassed when allowIframeRelativeUrls is true, enabling bypass of the hostname whitelist for iframe src values starting with /\example.com. Public disc...

5.3CVSS5.1AI score0.01754EPSS
Exploits1References3Affected Software1
Debian CVE
Debian CVE
added 2021/02/08 4:16 p.m.17 views

CVE-2021-26540

Apostrophe Technologies sanitize-html before 2.3.2 does not properly validate the hostnames set by the "allowedIframeHostnames" option when the "allowIframeRelativeUrls" is set to true, which allows attackers to bypass hostname whitelist for iframe element, related using an src value that starts...

5.3CVSS5.2AI score0.01754EPSS
Exploits1
Cvelist
Cvelist
added 2021/02/08 4:16 p.m.36 views

CVE-2021-26539

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name IDN which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option...

5.5AI score0.01953EPSS
Exploits1References3
CVE
CVE
added 2021/02/08 4:16 p.m.176 views

CVE-2021-26539

CVE-2021-26539 affects Apostrophe Technologies sanitize-html prior to version 2.3.1. The vulnerability arises from improper handling of internationalized domain names (IDN), which can allow an attacker to bypass the hostname whitelist validated by the allowedIframeHostnames option. Impact is bypa...

5.3CVSS5AI score0.01953EPSS
Exploits1References3Affected Software1
Debian CVE
Debian CVE
added 2021/02/08 4:16 p.m.19 views

CVE-2021-26539

Apostrophe Technologies sanitize-html before 2.3.1 does not properly handle internationalized domain name IDN which could allow an attacker to bypass hostname whitelist validation set by the "allowedIframeHostnames" option...

5.3CVSS5.2AI score0.01953EPSS
Exploits1
CNNVD
CNNVD
added 2021/02/08 12:0 a.m.10 views

Abea Apostrophe Technologies sanitize-html security vulnerability

Abea Apostrophe Technologies sanitize-html is a formatting removal tool organized by Abea USA. It provides simple HTML tag removal with a clear API. A security vulnerability exists in Apostrophe Technologies sanitize-html versions prior to 2.3.1, which stems from the inability to properly handle...

5.3CVSS6AI score0.01953EPSS
Exploits1References7
vulnersOsv
vulnersOsv
added 2020/09/03 8:42 p.m.5 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by unknown CVE via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:GHSA-PV6R-VCHH-CXG9...

5.8AI score
Exploits0
OSV
OSV
added 2020/09/03 8:42 p.m.12 views

GHSA-PV6R-VCHH-CXG9 Denial of Service in apostrophe

Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust...

7AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2020/09/03 8:42 p.m.25 views

Denial of Service in apostrophe

Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and exhaust...

5.5AI score
Exploits0References2Affected Software1
vulnersOsv
vulnersOsv
added 2020/09/03 5:11 p.m.4 views

@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by unknown CVE via apostrophe (>=0.5.393 <=2.227.12)

apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:GHSA-H97G-4MX7-5P2P...

5.8AI score
Exploits0
OSV
OSV
added 2020/09/03 5:11 p.m.10 views

GHSA-H97G-4MX7-5P2P Open Redirect in apostrophe

Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later...

7.1AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2020/09/03 5:11 p.m.19 views

Open Redirect in apostrophe

Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later...

3.6AI score
Exploits0References4Affected Software1
Veracode
Veracode
added 2020/07/13 3:18 a.m.8 views

Denial Of Service (DoS)

apostrophe is vulnerable to denial of service DoS. An attacker is able to cause an application crash by attempting to get an advisory lock on a document through self.apiRoute function in routes.js...

2.7AI score
Exploits0
Veracode
Veracode
added 2019/09/30 7:11 a.m.15 views

Denial Of Service (DoS)

apostrophe is vulnerable to denial of service DoS. It does not limit a user with a login privileges to initiate multiple batch jobs requests, eventually exhausting available memory by submitting thousands of batch job requests...

2.9AI score
Exploits0
Node.js
Node.js
added 2019/09/23 7:44 p.m.13 views

Denial of Service

Overview Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service. The apostrophe-jobs module sets a callback for incoming jobs and doesn't clear it regardless of its status. This causes the server to accumulate callbacks, allowing an attacker to start a large number of jobs and...

6.8AI score
Exploits0Affected Software1
Node.js
Node.js
added 2019/06/28 7:41 p.m.13 views

Open Redirect

Overview Versions of apostrophe prior to 2.92.0 are vulnerable to Open Redirect. The package redirected requests to third-party websites if escaped URLs followed by a trailing / were appended at the end. Recommendation Update to version 2.92.0 or later. References - Snyk Report - GitHub Commit -...

6.9AI score
Exploits0Affected Software1
Veracode
Veracode
added 2019/06/27 5:39 a.m.5 views

Open Redirection

apostrophe is vulnerable to Open Redirection. This is because of a redirection when the url contains trailing slashes. The attacker is thus able to craft a malicious ulr to trick apostrophe to parse the url into the attacker's intended domain...

6.6AI score
Exploits0
Prion
Prion
added 2007/06/22 6:30 p.m.10 views

Cross site scripting

Cross-site scripting XSS vulnerability in the preview form in Stephen Ostermiller Contact Form before 2.00.02 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that contain an apostrophe...

4.3CVSS6.1AI score0.01292EPSS
Exploits0References8Affected Software1
Rows per page
Query Builder