Lucene search

16 matches found

RedhatCVE · added 2026/05/20 9:58 a.m. · 9 views

CVE-2026-44664

A flaw was found in fast-xml-builder. The software, which builds XML from JSON, incorrectly sanitizes XML comment content. This allows a remote attacker to bypass the sanitization by using three consecutive dashes, enabling them to break out of an XML comment and inject arbitrary XML or HTML...

CVSS 6.1 · AI score 5.8 · EPSS 0.0001
Exploits 0 · References 4
ATTACKERKB · added 2026/05/13 3:27 p.m. · 3 views

CVE-2026-44664

fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skips values containing three consecutive dashes, e.g. ---..., allowing an attacker to break out of an XML comment and...

CVSS 6.1 · AI score 5.9 · EPSS 0.00012
Exploits 1 · References 2 · Affected Software 1
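The AttackerKB entry above quotes the flawed single-pass replacement. The block below is an added example, not code from fast-xml-builder, fast-xml-parser or any of the listed advisories: it reproduces why .replace(/--/g, '- -') leaves the comment terminator in place for a run of three dashes, places a hardened sanitizer of this example's own design beside it, and adds a well-formedness check that any code emitting user text into an XML comment (the codehaus-plexus writeComment entries further down have the same failure class) can apply to its output. The payloads are constructed, and the function names are this example's own.

```javascript
// Added example: the single-pass "--" replacement quoted in the advisory above,
// a hardened alternative, and a check that user text stayed inside the comment.
// Illustrative code, not fast-xml-builder's or fast-xml-parser's own.

// Flawed sanitizer as the advisory describes it: one global pass turning "--" into "- -".
// A run of three dashes is consumed as "--" + "-", giving "- --", so "--->" still
// contains the comment terminator "-->" after "sanitization".
function sanitizeCommentFlawed(text) {
  return String(text).replace(/--/g, '- -');
}

// Hardened sanitizer (this example's own design, not the upstream patch):
// put a space after every "-" that is directly followed by another "-", which breaks
// dash runs of any length ("---" -> "- - -"), and pad a trailing "-" so that
// body + "-->" cannot form "--->". XML forbids "--" inside a comment and a comment
// body ending in "-", so both rewrites are needed for well-formed output.
function sanitizeCommentHardened(text) {
  return String(text).replace(/-(?=-)/g, '- ').replace(/-$/, '- ');
}

// Emit the comment the way a builder would: opener + sanitized body + terminator.
function buildComment(text, sanitize) {
  return '<!--' + sanitize(text) + '-->';
}

// The comment is intact when the body contains no "--", does not end in "-", and the
// only "-->" in the output is the terminator appended at the very end.
function commentIsIntact(comment) {
  if (!comment.startsWith('<!--') || !comment.endsWith('-->')) return false;
  const body = comment.slice(4, -3);
  return !body.includes('--')
    && !body.endsWith('-')
    && comment.indexOf('-->') === comment.length - 3;
}

// Constructed payloads (not from any advisory): two dashes, which the flawed pass
// catches; three dashes, the bypass the advisory describes; and a trailing dash.
const PAYLOADS = {
  twoDashes: '--><injected/>',
  threeDashes: '---><injected/>',
  trailingDash: 'ends with a dash -',
};

// Run every payload through one sanitizer and report the emitted comment and verdict.
function evaluate(sanitize) {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    const comment = buildComment(payload, sanitize);
    results[name] = { comment, intact: commentIsIntact(comment) };
  }
  return results;
}

for (const [label, fn] of [['flawed', sanitizeCommentFlawed], ['hardened', sanitizeCommentHardened]]) {
  for (const [name, r] of Object.entries(evaluate(fn))) {
    console.log(label.padEnd(9) + name.padEnd(13) + 'intact=' + r.intact + '  ' + r.comment);
  }
}
```

With the flawed pass, the three-dash payload yields <!--- --><injected/>--> and the element lands outside the comment; the hardened pass yields <!--- - -><injected/>-->. The trailing-dash case is worth keeping in any regression test for this class of bug, because a body ending in "-" merges with the terminator into "--->", which is not well-formed even though no early "-->" appears.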
Snyk · added 2026/05/08 4:27 p.m. · 3 views

XML Injection

Overview: Affected versions of this package are vulnerable to XML Injection due to the incomplete sanitization of XML comments. An attacker can inject arbitrary XML or HTML content by including three consecutive dashes in the comment value. Note: This issue was introduced by the fix for...

CVSS 6.1 · AI score 5.9 · EPSS 0.00012
Exploits 1 · References 2
EUVD · added 2025/10/03 8:07 p.m. · 3 views

EUVD-2023-2535

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 5 · EPSS 0.0006
Exploits 0 · References 10
Tenable Nessus · added 2025/08/27 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2023-22794

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability in ActiveRecord 6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate...

CVSS 8.8 · AI score 6.4 · EPSS 0.05757
Exploits 1 · References 2
RedHat Linux · added 2023/06/28 3:59 p.m. · 2 views

codehaus-plexus: XML External Entity (XXE) Injection

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil::writeComment fails to sanitize comments for a -- sequence. This issue means that text contained in the comment string could be interpreted as XML and allow for XML injection...

CVSS 4.3 · AI score 5.7 · EPSS 0.0006
Exploits 0 · References 4
RedHat Linux · added 2023/05/04 3:59 p.m. · 11 views

codehaus-plexus: XML External Entity (XXE) Injection

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil::writeComment fails to sanitize comments for a -- sequence. This issue means that text contained in the comment string could be interpreted as XML and allow for XML injection...

CVSS 4.3 · AI score 5.7 · EPSS 0.0006
Exploits 0 · References 4
OSV · added 2023/03/01 11:04 a.m. · 1 views

OESA-2023-1133 rubygem-activerecord security update

Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. Security Fixes: A denial of service vulnerability present in...

CVSS 8.8 · AI score 7.4 · EPSS 0.05757
Exploits 2 · References 3
SUSE CVE · added 2023/02/15 3:30 a.m. · 1 views

SUSE CVE-2022-4245

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil::writeComment fails to sanitize comments for a -- sequence. This issue means that text contained in the comment string could be interpreted as XML and allow for XML injection...

CVSS 4.3 · AI score 9 · EPSS 0.0006
Exploits 0 · References 3
SUSE CVE · added 2023/02/15 3:21 a.m. · 1 views

SUSE CVE-2023-22794

A vulnerability in ActiveRecord 6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent t...

CVSS 8.8 · AI score 6.7 · EPSS 0.05757
Exploits 1 · References 4
OSV · added 2023/02/09 8:15 p.m. · 1 views

DEBIAN-CVE-2023-22794

A vulnerability in ActiveRecord 6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent t...

CVSS 8.8 · AI score 6.3 · EPSS 0.05757
Exploits 1 · References 1
OSV · added 2023/02/09 8:15 p.m. · 0 views

UBUNTU-CVE-2023-22794

A vulnerability in ActiveRecord 6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent t...

CVSS 8.8 · AI score 6.4 · EPSS 0.05757
Exploits 1 · References 4
Cvelist · added 2023/02/09 12:00 a.m. · 24 views

CVE-2023-22794

A vulnerability in ActiveRecord 6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent t...

AI score 9 · EPSS 0.05757
Exploits 1 · References 3
Debian CVE · added 2023/02/09 12:00 a.m. · 33 views

CVE-2023-22794

A vulnerability in ActiveRecord 6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent t...

CVSS 8.8 · AI score 6.5 · EPSS 0.05757
Exploits 1
WPVulnDB · added 2022/01/26 12:00 a.m. · 16 views

WP Ultimate CSV Importer < 6.4.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape imported comments, which could allow high-privilege users to import malicious ones, either intentionally or not, and lead to Stored Cross-Site Scripting issues. PoC: Import the following CSV as comment:...

AI score 1.8 · EPSS 0.00206
Exploits 2 · References 1 · Affected Software 1
Positive Technologies · added 2021/03/10 12:00 a.m. · 2 views

PT-2022-7272 · Unknown · Codehaus-Plexus

Name of the Vulnerable Software and Affected Versions: codehaus-plexus, affected versions not specified. Description: A flaw was found in codehaus-plexus, where the org.codehaus.plexus.util.xml.XmlWriterUtil::writeComment function fails to sanitize comments for a -- sequence. This issue means that te...

CVSS 9.8 · AI score 7.5 · EPSS 0.00789
Exploits 1 · References 33