static-web-server vulnerable to stored Cross-site Scripting in directory listings via file names
Summary: If directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like .txt will allow JavaScript code execution in the context of the web server’s domain. Details: SWS generally does not perform escaping of HTML entities on any value...
CVE-2024-32966 Stored Cross-site Scripting in directory listings via file names in static-web-server
Static Web Server (SWS) is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions, if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like .txt will allow JavaScript code...
CVE-2024-27306
A flaw was found in aiohttp, an asynchronous HTTP client/server framework for asyncio and Python. When using `web.static(..., show_index=True)`, the resulting index pages do not escape file names. If users can upload files with arbitrary filenames to the static directory, the server is vulnerable to...
AZL-39933 CVE-2024-32487 affecting package less for versions less than 590-4
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the...
CVE-2024-32487
less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the...
CVE-2024-32487
CVE-2024-32487 affects the less utility. The issue allows OS command execution via a newline character in a file name due to faulty quoting in filename.c (affecting versions up to 653). Exploitation typically requires attacker-controlled file names (e.g., from an untrusted archive) and the LESSOP...
Contao Security Vulnerability
Contao is an open source content management system (CMS) developed in PHP. The system supports search engines, rights management, and CSS frameworks. A security vulnerability exists in Contao version 4.x prior to version 4.13.40 and version 5.x prior to version 5.3.4, which stems from the fact that...
CVE-2023-45715
The console may experience a service interruption when processing file names with invalid characters...
CVE-2023-45715
CVE-2023-45715 affects the HCL BigFix Platform console. A vulnerability causes a service interruption (Denial of Service) when the console processes file names that contain invalid characters. The root cause is not explicitly detailed in the provided documents beyond the impact condition. Current...
CVE-2023-45715 HCL BigFix Platform is susceptible to a Denial of Service attack
The console may experience a service interruption when processing file names with invalid characters...
HCL BigFix Platform Security Vulnerability
HCL Technologies HCL BigFix Platform is a suite of endpoint security management platforms from HCL Technologies, USA. The platform supports automated discovery, management and remediation of endpoint security issues. A security vulnerability exists in HCL BigFix Platform that originates from a...
PT-2024-13274 · Vconsole · Vconsole
Name of the Vulnerable Software and Affected Versions: Console (affected versions not specified). Description: The console may experience a service interruption when processing file names with invalid characters. Recommendations: At the moment, there is no information about a newer version that...
curl: excessively long file name may lead to unknown HSTS status
A security bypass flaw was found in Curl, which can be triggered by saving HSTS data to an excessively long file name. This issue occurs due to an error in handling HSTS long file names, leading to the removal of all contents from the file during the save process, and may allow a remote attacker ...
IBM DS8900F HMC Log Message Disclosure Vulnerability
The IBM DS8900F HMC is an enterprise-class disk storage system from International Business Machines (IBM) for storing and managing large-scale enterprise data. The IBM DS8900F HMC suffers from a log information disclosure vulnerability that can be exploited by an attacker to view sensitive log...
CVE-2024-28187
SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. SOY CMS versions prior to 3.14.2 are vulnerable to an OS Command Injection vulnerability within the file upload feature when accessed by an administrator. The vulnerability enables the executi...
BIT-ODOO-2021-45071
Cross-site scripting (XSS) issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote attackers to inject arbitrary web script in the browser of a victim via crafted uploaded file names...
emacs: command execution via shell metacharacters
A flaw was found in the Emacs package. This flaw allows attackers to execute commands via shell metacharacters in the name of a source-code file...
DEBIAN-CVE-2024-20328
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file nam...