171 matches found
BIT-GITLAB-2023-5512 Improper Control of Generation of Code ('Code Injection') in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
CVE-2023-5512
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
Design/Logic Flaw
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
CVE-2023-5512
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
CVE-2023-5512
CVE-2023-5512 affects GitLab CE/EE and concerns file integrity being compromised when specific HTML encoding is used for file names, causing incorrect UI representations. Affected versions: 16.3–16.4.3, 16.5–16.5.3, and 16.6–16.6.1. Root cause is a UI/filename encoding issue; no exploit details a...
CVE-2023-5512 Improper Control of Generation of Code ('Code Injection') in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
CVE-2023-5512 Improper Control of Generation of Code ('Code Injection') in GitLab
An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect...
CVE-2023-5512
Removed by vendor...
GitLab 16.3 < 16.4.4 / 16.5 < 16.5.4 / 16.6 < 16.6.2 (CVE-2023-5512)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrit...
CVE-2023-6146
A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details...
Cross site scripting
A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details...
CVE-2023-6146
CVE-2023-6146 describes a stored cross-site scripting vulnerability in Qualys Web Application (QualysGuard VM/PC) where HTML encoding is omitted when displaying logging information. The root cause is the lack of HTML encoding in user-visible browser details, allowing a logged-in user to inject an...
CVE-2023-6146 Stored XSS Vulnerability in QualysGuard VM/PC
A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details...
CVE-2022-44787
An issue was discovered in Appalti & Contratti 9.12.2. The web applications are vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the victim moves the mouse pointer inside the page...
CVE-2022-44787
An issue was discovered in Appalti & Contratti 9.12.2. The web applications are vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the victim moves the mouse pointer inside the page...
Cross site scripting
An issue was discovered in Appalti & Contratti 9.12.2. The web applications are vulnerable to a Reflected Cross-Site Scripting issue. The idPagina parameter is reflected inside the server response without any HTML encoding, resulting in XSS when the victim moves the mouse pointer inside the page...
CVE-2022-44787
CVE-2022-44787 affects Maggioli Maggioli SpA Appalti & Contratti, version 9.12.2. The vulnerability is a reflected Cross-Site Scripting (XSS) in the web application where the idPagina parameter is reflected in the server response without HTML encoding, allowing/script injection when a user intera...
nokogiri: ReDoS in HTML encoding detection
A flaw was found in the nokogiri library when processing an inefficient and complex regular expression. This flaw allows an attacker to cause excessive consumption of resources, which affects performance...
SUSE-SU-2022:4016-1 Security update for rubygem-nokogiri
This update for rubygem-nokogiri fixes the following issues: - CVE-2022-24836: Fixes possibility to DoS because of inefficient RE in HTML encoding. bsc1198408 - CVE-2022-29181: Fixes Improper Handling of Unexpected Data Typesi. bsc1199782...
Automattic: Stored XSS in intensedebate.com via the Comments RSS
Stored XSS in intensedebate.com via the Comments RSS In our "comments.rss" file, the blog post's title reflects to the XML RSS file without any encoding. So I installed the IntenseDebate on my website https://wp.s2.cm, and created a blog post with alertdocument.domain payload on the title. Then, ...