Lucene search
23 matches found

RedhatCVE · added 2025/08/30 6:17 p.m.

CVE-2025-54301

A stored XSS vulnerability in Quantum Manager component 1.0.0-3.2.0 for Joomla was discovered. File names are not properly escaped...

CVSS 8.5 · AI score 6.3 · EPSS 0.00081
Exploits 0 · References 1
RedhatCVE · added 2025/05/22 3:18 p.m.

CVE-2020-2106

Jenkins Code Coverage API Plugin 1.1.2 and earlier does not escape the filename of the coverage report used in its view, resulting in a stored XSS vulnerability exploitable by users able to change job configurations...

CVSS 5.4 · AI score 5.9 · EPSS 0.00195
Exploits 0
RedhatCVE · added 2025/05/22 3:14 p.m.

CVE-2020-15111

In Fiber before version 1.12.6, the filename that is given in c.Attachment (https://docs.gofiber.io/ctxattachment) is not escaped and is therefore vulnerable to a CRLF injection attack, i.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the...

CVSS 5.8 · AI score 7 · EPSS 0.0024
Exploits 0
OSV · added 2024/12/27 6:15 a.m.

CVE-2024-11605

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

CVSS 4.8 · AI score 5.8
Exploits 0 · References 1
NVD · added 2024/12/27 6:15 a.m.

CVE-2024-11605

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

CVSS 4.8 · EPSS 0.02745
Exploits 3 · References 1
Vulnrichment · added 2024/12/27 6:00 a.m.

CVE-2024-11605 WP Publications <= 1.2 - Admin+ Stored XSS

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

AI score 6 · EPSS 0.02745
Exploits 3 · References 1
OSV · added 2024/12/20 12:01 p.m.

SUSE-SU-2024:4396-1 Security update for python-aiohttp

This update for python-aiohttp fixes the following issues: - CVE-2024-27306: filenames and paths not escaped when generating index pages for static file handling (bsc#1223098)...

CVSS 6.1 · AI score 6.5 · EPSS 0.00709
Exploits 0 · References 3
Veracode · added 2024/08/05 2:53 p.m.

Cross-site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper escaping of filenames, allowing XSS payloads to be executed during file upload...

AI score 5.8
Exploits 0
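The XSS entries above (Quantum Manager, Jenkins Code Coverage API Plugin, wp-publications, ezplatform-admin-ui) share one root cause: an attacker-chosen file name is written into an HTML page without escaping. The Go program below is an added illustration and is not code from any of those projects; the upload records, the `/files/` URL prefix and the helper names are constructed for the example. It renders the same listing twice, once by string concatenation (the vulnerable pattern) and once through html/template, whose contextual escaper handles both the text node and the href attribute.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Upload is a constructed record standing in for one row of a file listing
// page; only the attacker-controlled Name matters here.
type Upload struct {
	Name string
	Size int
}

// Constructed sample input: one benign name and one XSS payload of the kind
// the advisories above describe.
var sampleUploads = []Upload{
	{Name: "report-q3.pdf", Size: 48211},
	{Name: `<img src=x onerror=alert(document.domain)>.png`, Size: 12},
}

// renderVulnerable mirrors the pattern behind the listed CVEs: the file name
// is concatenated straight into the HTML response, in two contexts at once
// (a URL inside href and a text node).
func renderVulnerable(uploads []Upload) string {
	var b strings.Builder
	b.WriteString("<ul>\n")
	for _, u := range uploads {
		fmt.Fprintf(&b, "  <li><a href=\"/files/%s\">%s</a> (%d bytes)</li>\n", u.Name, u.Name, u.Size)
	}
	b.WriteString("</ul>\n")
	return b.String()
}

// listTmpl uses html/template, whose contextual auto-escaper applies HTML
// entity escaping in the text node and percent-encoding inside the href.
var listTmpl = template.Must(template.New("list").Parse(`<ul>
{{range .}}  <li><a href="/files/{{.Name}}">{{.Name}}</a> ({{.Size}} bytes)</li>
{{end}}</ul>
`))

// renderSafe renders the same listing through html/template.
func renderSafe(uploads []Upload) (string, error) {
	var buf bytes.Buffer
	if err := listTmpl.Execute(&buf, uploads); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawTag is the check a unit test or review would apply: a safe
// rendering must never contain the payload's tag verbatim.
func containsRawTag(html string) bool {
	return strings.Contains(html, "<img ")
}

func main() {
	fmt.Print("--- vulnerable ---\n", renderVulnerable(sampleUploads))
	safe, err := renderSafe(sampleUploads)
	if err != nil {
		panic(err)
	}
	fmt.Print("--- html/template ---\n", safe)
}
```

The point to take from the listed CVEs is that a stored payload survives until output, so escaping has to happen at render time in the right context: the same name needs HTML escaping in the text node and percent-encoding inside the href, and html/template chooses between the two automatically where hand-written concatenation does neither.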
RedHat Linux · added 2024/03/26 12:23 p.m.

libreoffice: Improper Input Validation leading to arbitrary gstreamer plugin execution

An improper input validation vulnerability was found in LibreOffice. In versions where filenames are not sufficiently escaped, an attacker can execute arbitrary GStreamer plugins...

CVSS 8.8 · AI score 6 · EPSS 0.01439
Exploits 0 · References 5
RedHat Linux · added 2024/03/21 4:29 p.m.

libreoffice: Improper Input Validation leading to arbitrary gstreamer plugin execution

An improper input validation vulnerability was found in LibreOffice. In versions where filenames are not sufficiently escaped, an attacker can execute arbitrary GStreamer plugins...

CVSS 8.8 · AI score 6 · EPSS 0.01439
Exploits 0 · References 5
OSV · added 2022/04/20 7:07 a.m.

SUSE-SU-2022:1272-1 Security update for gzip

This update for gzip fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587, bsc#1198062)...

CVSS 8.8 · AI score 8.8 · EPSS 0.00813
Exploits 0 · References 3
OSV · added 2022/04/17 1:40 p.m.

SUSE-SU-2022:1250-1 Security update for gzip

This update for gzip fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587, bsc#1198062). The following non-security bugs were fixed: - Fixed an issue where 'gzexe' counted the lines to skip wrongly (bsc#1180713) - Fixed a potential segfault when zli...

CVSS 8.8 · AI score 8.9 · EPSS 0.00813
Exploits 0 · References 5
OSV · added 2022/04/12 12:49 p.m.

SUSE-SU-2022:1160-1 Security update for xz

This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587, bsc#1198062)...

CVSS 8.8 · AI score 8.8 · EPSS 0.00813
Exploits 0 · References 3
OSV · added 2022/04/12 12:49 p.m.

SUSE-SU-2022:14938-1 Security update for xz

This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587, bsc#1198062)...

CVSS 8.8 · AI score 8.8 · EPSS 0.00813
Exploits 0 · References 3
OSV · added 2022/04/12 12:45 p.m.

SUSE-SU-2022:1158-1 Security update for xz

This update for xz fixes the following issues: - CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587, bsc#1198062)...

CVSS 8.8 · AI score 8.8 · EPSS 0.00813
Exploits 0 · References 3
Github Security Blog · added 2022/03/26 12:06 a.m.

Arbitrary shell execution

Uses of shell_exec and exec were not escaping filenames and configuration settings in most cases...

AI score 2.1
Exploits 0 · References 3 · Affected Software 1
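The gzip/xz (zgrep) advisories and the shell_exec entry above concern a different output context: file names that reach a POSIX shell unescaped. The following Go program is an added example, not code from gzip, xz or the project in the GitHub entry; the file names and the gzip/grep pipeline are constructed for illustration. It shows the vulnerable concatenation, single-quote shell quoting for when a shell command string is unavoidable, and the argument-vector form that keeps the shell out of the picture entirely.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed file names (not from any advisory): a benign one, one that
// injects two extra commands when pasted into a shell string, and one that
// a tool would read as an option if it were not preceded by "--".
var (
	benignName = "logs/app.log.gz"
	injectName = "x.gz; rm -rf /tmp/victim; echo .gz"
	dashName   = "--version"
)

// shellCommandVulnerable mirrors the pattern behind the findings above: the
// name is concatenated into a command string later handed to `sh -c`, so
// shell metacharacters inside the name are interpreted.
func shellCommandVulnerable(pattern, name string) string {
	return "gzip -dc " + name + " | grep -- " + pattern
}

// shellQuote wraps s in single quotes, the one quoting form in which POSIX
// sh interprets nothing; an embedded single quote is written as '\''
// (close the quoted string, add a backslash-escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// shellCommandSafe builds the same pipeline with every untrusted operand
// quoted, and with "--" before the file name so a name starting with "-"
// cannot be parsed as a gzip option.
func shellCommandSafe(pattern, name string) string {
	return "gzip -dc -- " + shellQuote(name) + " | grep -- " + shellQuote(pattern)
}

// argvSafe is the preferred alternative when no shell is actually needed:
// the argument vector for exec.Command(argv[0], argv[1:]...) is built
// directly, so there is no string for a shell to re-parse at all.
func argvSafe(pattern, name string) []string {
	return []string{"zgrep", "--", pattern, name}
}

// commandCount counts how many commands sh would run for a command string:
// every ';' outside quotes starts a new one. Pipes are deliberately not
// counted, so the intended "gzip | grep" pipeline reads as one command.
// This is a checker for the example only, not a full shell parser.
func commandCount(cmd string) int {
	n, inSingle, inDouble := 1, false, false
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case c == '\\' && !inSingle && i+1 < len(cmd):
			i++ // skip the escaped character
		case c == '\'' && !inDouble:
			inSingle = !inSingle
		case c == '"' && !inSingle:
			inDouble = !inDouble
		case c == ';' && !inSingle && !inDouble:
			n++
		}
	}
	return n
}

func main() {
	for _, name := range []string{benignName, injectName, dashName} {
		v := shellCommandVulnerable("ERROR", name)
		s := shellCommandSafe("ERROR", name)
		fmt.Printf("vulnerable (%d command(s)): %s\n", commandCount(v), v)
		fmt.Printf("quoted     (%d command(s)): %s\n", commandCount(s), s)
		fmt.Printf("argv: %q\n\n", argvSafe("ERROR", name))
	}
}
```

The "--" matters as much as the quoting: a file name such as --version is a valid path, and without the separator gzip or grep would read it as an option. When the command can be expressed as an argument vector, prefer exec.Command with separate arguments over sh -c; the shell then never sees the name.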
Positive Technologies · added 2021/07/12 12:00 a.m.

PT-2021-19851 · Nextcloud +2 · Nextcloud Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 19.0.13; Nextcloud Server versions prior to 20.0.11; Nextcloud Server versions prior to 21.0.3. Description: Nextcloud Server is a package that handles data storage. In affected versions, filenames were not...

CVSS 10 · AI score 5.9 · EPSS 0.03114
Exploits 3 · References 86
CVE · added 2020/07/20 5:40 p.m.

CVE-2020-15111

CVE-2020-15111 affects Fiber prior to 1.12.6. The filename passed to c.Attachment() is not escaped, enabling a CRLF injection when a user-supplied filename is used. This can allow an attacker to alter the downloaded filename, redirect to another site, or modify the HTTP headers (e.g., Authorizati...

CVSS 5.8 · AI score 4.9 · EPSS 0.0024
Exploits 0 · References 2 · Affected Software 1
OSV · added 2020/05/27 4:37 p.m.

GHSA-F7HX-FQXW-RVVJ Insufficient output escaping of attachment names in PHPMailer

Impact: CWE-116, incorrect output escaping. An attachment added like this (note the double quote within the attachment name, which is entirely valid): $mail->addAttachment('/tmp/attachment.tmp', 'filename.html";.jpg'); will result in a message containing these headers: Content-Type:...

CVSS 7.5 · AI score 7.4 · EPSS 0.04933
Exploits 1 · References 12
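The Fiber (CVE-2020-15111) and PHPMailer (GHSA-F7HX-FQXW-RVVJ) entries describe the same bug in a header context: a user-supplied file name is pasted into a Content-Disposition or Content-Type parameter, so a CR/LF pair splits the header and an embedded double quote terminates the parameter early. The Go program below is an added example, not code from Fiber or PHPMailer; the three file names and the Set-Cookie payload are constructed. It builds the header the vulnerable way and with mime.FormatMediaType from the standard library, then parses the result back with mime.ParseMediaType to show what a receiving client sees.

```go
package main

import (
	"fmt"
	"mime"
	"strings"
)

// Constructed file names (not taken from either advisory): a CRLF payload of
// the kind the Fiber report describes, a name with an embedded double quote
// like the PHPMailer example, and an ordinary name containing a space.
var (
	crlfName  = "report.pdf\r\nSet-Cookie: session=attacker"
	quoteName = `filename.html";.jpg`
	plainName = "quarterly report.pdf"
)

// contentDispositionVulnerable mirrors the bug pattern: the user-supplied
// name is pasted straight into the quoted filename parameter.
func contentDispositionVulnerable(name string) string {
	return `Content-Disposition: attachment; filename="` + name + `"`
}

// contentDispositionSafe builds the header with mime.FormatMediaType, which
// backslash-escapes '"' and '\' inside a quoted string and, when the value
// holds control or non-ASCII bytes, emits the RFC 2231 form
// filename*=utf-8''... so CR and LF become %0D%0A instead of a line break.
func contentDispositionSafe(name string) string {
	return "Content-Disposition: " + mime.FormatMediaType("attachment", map[string]string{"filename": name})
}

// headerLineCount reports how many header lines the string would occupy on
// the wire; anything above 1 means a second header was injected.
func headerLineCount(header string) int {
	return len(strings.Split(header, "\r\n"))
}

// parsedFilename parses the header value the way a receiving client would
// and returns the filename it ends up with.
func parsedFilename(header string) (string, error) {
	value := strings.TrimPrefix(header, "Content-Disposition: ")
	_, params, err := mime.ParseMediaType(value)
	if err != nil {
		return "", err
	}
	return params["filename"], nil
}

func main() {
	for _, name := range []string{plainName, crlfName, quoteName} {
		v := contentDispositionVulnerable(name)
		s := contentDispositionSafe(name)
		fmt.Printf("vulnerable (%d line(s)): %q\n", headerLineCount(v), v)
		fmt.Printf("safe       (%d line(s)): %q\n", headerLineCount(s), s)
		if fn, err := parsedFilename(s); err == nil {
			fmt.Printf("client sees filename %q\n", fn)
		}
		fmt.Println()
	}
}
```

mime.FormatMediaType escapes the double quote inside a quoted string and switches to the RFC 2231 filename* form for control and non-ASCII bytes, so both payloads stay on one line and round-trip through a standards-compliant parser. Go's net/http additionally replaces CR and LF in header values with spaces when it writes a response, but that protection does not cover the quote case, nor code that writes MIME headers itself, as a mail library does.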
Tenable Nessus · added 2015/05/20 12:00 a.m.

SUSE SLES10 Security Update : apache2 (SUSE-SU-2013:0387-1)

This update fixes the following security issues with apache2 httpd: - Improper LD_LIBRARY_PATH handling (CVE-2012-0883) - Filename escaping problem (CVE-2012-2687). Additionally, some non-security bugs have been fixed as enumerated in the changelog of the RPM. Note that Tenable Network Security has...

CVSS 6.9 · AI score 7.9 · EPSS 0.08268
Exploits 5 · References 11