133 matches found
Amazon Linux 2 : nerdctl (ALAS-2025-2863)
The version of nerdctl installed on the remote host is prior to 2.0.5-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2863 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a...
An Approach for Handling Missing Attribute Values in Attribute-Based Access Control Policy Mining
Attribute-Based Access Control ABAC enables highly expressive and flexible access decisions by considering a wide range of contextual attributes. ABAC policies use logical expressions that combine these attributes, allowing for precise and context-aware control. Algorithms that mine ABAC policies...
Cross-site Scripting (XSS)
golang.org/x/net is vulnerable to improper parsing logic. The vulnerability is due to incorrect tag interpretation in unquoted attribute values ending with a solidus / being mistakenly marked as self-closing, especially in foreign content like or . which allows attackers to exploit content in the...
CVE-2025-22872
The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character / as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content...
Keycloak Denial of Service vulnerability
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. The issue is fixed in Keycloak 24 with...
REXML: DoS parsing an XML with many `<`s in an attribute value
REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this...
mozilla: Out of bounds read in editor component
The Mozilla Foundation Security Advisory describes this flaw as: Editor code failed to check an attribute value. This could have led to an out-of-bounds read...
Ruby 安全漏洞
Ruby is a cross-platform, object-oriented, dynamically typed programming language from the individual developer, Gyohiro Matsumoto. A security vulnerability exists in Ruby REXML versions prior to 3.2.6, which stems from a denial of service vulnerability in the REXML gem when parsing attribute...
REXML contains a denial of service vulnerability
Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many s in an attribute value. If you need to parse untrusted XMLs, you many be impacted to this vulnerability. Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. Workarounds Don...
CVE-2023-50453
An issue was discovered in Zammad before 6.2.0. It uses the public endpoint /api/v1/signshow for its login screen. This endpoint returns internal configuration data of user object attributes, such as selectable values, which should not be visible to the public...
The case against self-closing tags in HTML
Let's talk about /: You'll see this syntax on my blog because it's what Prettier does, and I really like Prettier. However, I don't think / is a good thing. First up: The facts Enter XHTML Back in the late 90s and early 2000s, the W3C had a real thing for XML, and thought that it should replace...
Bouncy Castle For Java LDAP injection vulnerability
Bouncy Castle provides the X509LDAPCertStoreSpi.java class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the...
USN-5992-1 ldb vulnerability
Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information...
USN-5992-1: ldb vulnerability
Demi Marie Obenour discovered that ldb, when used with Samba, incorrectly handled certain confidential attribute values. A remote authenticated attacker could possibly use this issue to obtain certain sensitive information...
The vulnerability of the Trace View web instrumentation panel in Grafana allows attackers to escalate their privileges and perform cross-site scripting attacks.
The vulnerability of the Trace View web instrumentation panel in Grafana relates to insufficient protection of the web page structure when processing values of attributes and resources within a range. Exploiting this vulnerability allows an attacker to enhance their privileges and perform...
Upgraded Q -> 2 from #56 [1677632875022]
Judge has assessed an item in Issue 56 as 2 risk. The relevant finding follows: 2. Attribute values of fees could exceed 1e18 when initializing even if the proposedFees is checked in proposeFees function. function initialize IERC20 asset, IERC4626 adapter, VaultFees calldata fees, address...
SUSE CVE-2016-6316
Cross-site scripting XSS vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers...
SUSE CVE-2016-9909
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...
SUSE CVE-2016-9910
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of special characters in attribute values, a different vulnerability than CVE-2016-9909...
Improper Neutralization of Input During Web Page Generation in html5lib
The serializer in html5lib before 0.99999999 might allow remote attackers to conduct cross-site scripting XSS attacks by leveraging mishandling of the less than character in attribute values...