29 matches found

Github Security Blog
added 2026/03/25 5:27 p.m., 1 view

@grackle-ai/server has Missing WebSocket Origin Header Validation

Impact The WebSocket upgrade handler in the server validates authentication API key token or session cookie but does not check the Origin header. A malicious webpage on a different origin could initiate a WebSocket connection to ws://localhost:3000/ws if it can leverage the user's session cookie...

AI score 5.7
Exploits 0, References 2, Affected Software 1
RedhatCVE
added 2026/01/09 8:34 a.m., 3 views

CVE-2024-41659

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker...

CVSS 8.1, AI score 6.4, EPSS 0.00192
Exploits 1, References 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2010-3789

Malware in sbrugna...

CVSS 4.3, AI score 6.1, EPSS 0.00687
Exploits 0, References 12
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2021-10897

Malware in sbrugna...

CVSS 8.1, AI score 8.6, EPSS 0.00268
Exploits 0, References 6
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2022-32696

Malicious code in bioql PyPI...

CVSS 6.3, AI score 6.8, EPSS 0.02729
Exploits 0, References 1
Tenable Nessus
added 2025/09/10 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2010-3810

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, does not properly handle the History object,...

CVSS 4.3, AI score 5.5, EPSS 0.00687
Exploits 0, References 2
OSV
added 2025/05/27 1:15 p.m., 6 views

CVE-2025-5263

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks. This vulnerability affects Firefox 139, Firefox ESR 115.24, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11...

CVSS 4.3, AI score 5.1
Exploits 0, References 8
IBM Security Bulletins
added 2024/08/08 3:47 p.m., 29 views

Security Bulletin: IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Undici ( CVE-2024-24758 )

Summary Undici is used by IBM Cloud Pak for Data as part of the platform. CVE-2024-24758. Vulnerability Details CVEID:CVE-2024-24758 DESCRIPTION: Undici could allow a remote authenticated attacker to obtain sensitive information, caused by improper neutralization of Proxy-Authentication headers. ...

CVSS 4.5, AI score 5.2, EPSS 0.00278
Exploits 0, Affected Software 1
OSV
added 2023/09/27 3:19 p.m., 0 views

CVE-2023-44216

PVRIC PowerVR Image Compression on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately...

CVSS 5.3, AI score 5.8
Exploits 0, References 9
OSV
added 2023/09/27 3:19 p.m., 1 view

UBUNTU-CVE-2023-44216

PVRIC PowerVR Image Compression on Imagination 2018 and later GPU devices offers software-transparent compression that enables cross-origin pixel-stealing attacks against feTurbulence and feBlend in the SVG Filter specification, aka a GPU.zip issue. For example, attackers can sometimes accurately...

CVSS 5.3, AI score 5.8, EPSS 0.00494
Exploits 1, References 10
SUSE CVE
added 2023/02/15 5:56 a.m., 2 views

SUSE CVE-2010-3810

WebKit in Apple Safari before 5.0.3 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1.3 on Mac OS X 10.4, does not properly handle the History object, which allows remote attackers to spoof the location bar's URL or add URLs to the history via a cross-origin attack...

CVSS 4.3, AI score 6.6, EPSS 0.00687
Exploits 0, References 4
SUSE CVE
added 2023/02/15 5:07 a.m., 3 views

SUSE CVE-2016-1898

FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming HLS M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file...

CVSS 5.5, AI score 8.7, EPSS 0.27831
Exploits 2, References 4
Tenable Nessus
added 2022/10/27 12:00 a.m., 33 views

SUSE SLED15 / SLES15 Security Update : grafana (SUSE-SU-2022:3765-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3765-1 advisory. - Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could...

CVSS 8.8, AI score 6.7, EPSS 0.48063
Exploits 1, References 16
NVD
added 2022/05/11 6:15 p.m., 17 views

CVE-2022-28244

Acrobat Reader DC versions 22.001.20085 and earlier, 20.005.3031x and earlier and 17.012.30205 and earlier are affected by a violation of secure design principles through bypassing the content security policy, which could result in an attacker sending arbitrarily configured requests to the...

CVSS 6.3, EPSS 0.02729
Exploits 0, References 1
Prion
added 2022/05/11 6:15 p.m., 16 views

Cross site scripting

Acrobat Reader DC versions 22.001.20085 and earlier, 20.005.3031x and earlier and 17.012.30205 and earlier are affected by a violation of secure design principles through bypassing the content security policy, which could result in an attacker sending arbitrarily configured requests to the...

CVSS 4.3, AI score 6.4, EPSS 0.02729
Exploits 0, References 1, Affected Software 4
Cvelist
added 2022/05/11 5:39 p.m., 13 views

CVE-2022-28244 Adobe Acrobat Reader DC CSP Bypass Leads To Privilege Escalation

Acrobat Reader DC versions 22.001.20085 and earlier, 20.005.3031x and earlier and 17.012.30205 and earlier are affected by a violation of secure design principles through bypassing the content security policy, which could result in an attacker sending arbitrarily configured requests to the...

CVSS 6.3, AI score 6.6, EPSS 0.02729
Exploits 0, References 1
CVE
added 2022/05/11 5:39 p.m., 98 views

CVE-2022-28244

CVE-2022-28244 (Adobe Acrobat/Reader DC CSP Bypass) affects Acrobat Reader DC with versions up to 22.001.20085, 20.005.3031x, and 17.012.30205 (and earlier). The issue is a violation of secure design principles: bypassing the Content Security Policy, which could let an attacker trigger arbitraril...

CVSS 6.3, AI score 6.1, EPSS 0.02729
Exploits 0, References 1, Affected Software 2
OSV
added 2021/09/07 6:15 p.m., 8 views

CVE-2021-39197

bettererrors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. bettererrors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not...

CVSS 8.8, AI score 8.6
Exploits 0, References 4
CNVD
added 2019/11/14 12:00 a.m., 1 view

Microsoft Office Online Server Spoofing Vulnerability

Microsoft Office Online Server is a Web-based office software suite. A spoofing vulnerability exists in Microsoft Office Online Server that originates when Office Online does not properly validate the origin in a cross-domain communication handler. An attacker could exploit this vulnerability by...

CVSS 5.8, AI score 6.5, EPSS 0.00791
Exploits 0, References 1
RedHat Linux
added 2017/12/13 6:26 p.m., 0 views

admin-cli: Potential EAP resource starvation DOS attack via GET requests for server log files

An EAP feature to download server log files allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files consuming enough resources that normal server functioning could be impaired...

CVSS 6.5, AI score 7.3, EPSS 0.00801
Exploits 0, References 4