49 matches found
📄 phpMyFAQ 3.2.10 Unintended File Download
phpMyFAQ version 3.2.10 suffers from an unintended file download vulnerability. Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames Date: 13 Dec 2024 Exploit Author: George Chen Vendor Homepage: https://github.com/thorsten/phpMyFAQ/ Software Link:...
PT-2024-36603 · Phpmyfaq · Phpmyfaq
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 3.2.10 Description: A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an iframe element without user...
SUSE CVE-2024-10941
A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. This vulnerability affects Firefox 126...
UBUNTU-CVE-2024-10941
A malicious website could have included an iframe with an malformed URI resulting in a non-exploitable browser crash. This vulnerability affects Firefox 126...
LINE client for iOS vulnerable to universal cross-site scripting
Overview The in-app browser of LINE client for iOS provided by LY Corporation contains a universal cross-site scripting vulnerability CWE-79, CVE-2024-5739. LY Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. Impact If a user clicks a malicious...
Tauri 安全漏洞
Tauri is a Tauri open source for building smaller, faster, and more secure desktop applications using a web front end. A security vulnerability exists in Tauri that stems from a vulnerability that allows an attacker to access the Tauri IPC endpoint and execute commands such as delete project via ...
Cross-site Scripting (XSS)
Overview markdown-to-jsx is a lightweight, customizable React markdown component. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting a malicious iframe element in...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource i.e. a locally accessible file or sensitive website, and registering a listener on the web...
PT-2023-31744 · Sick · Sick Apu Rdt400
Name of the Vulnerable Software and Affected Versions: SICK APU RDT400 affected versions not specified Description: The issue allows an unprivileged remote attacker to potentially reveal sensitive information by tricking a user into clicking on an actionable item using an iframe. This is due to...
SUSE CVE-2011-2626
Opera before 11.50 allows remote attackers to cause a denial of service application crash by using "injected script" to set the SRC attribute of an IFRAME element...
SUSE CVE-2012-1964
The certificate-warning functionality in browser/components/certerror/content/aboutCertError.xhtml in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.10 does not properly handle attempted...
SUSE CVE-2015-1284
The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service invalid count value and use-after-free or possibly...
SUSE CVE-2015-2718
The WebChannel.jsm module in Mozilla Firefox before 38.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive webchannel-response data via a crafted web site containing an IFRAME element referencing a different web site that is intended to read this data...
SUSE CVE-2016-5149
The extensions subsystem in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux relies on an IFRAME source URL to identify an associated extension, which allows remote attackers to conduct extension-bindings injection attacks by leveraging script access to a...
SUSE CVE-2017-5107
A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.78 for Linux, Windows, and Mac allowed a remote attacker to extract pixel values from a cross-origin page being iframe'd via a crafted HTML page...
SUSE CVE-2017-7815
On pages containing an iframe, the "data:" protocol can be used to create a modal dialog through Javascript that will have an arbitrary domains as the dialog's location, spoofing of the origin of the modal dialog from the user view. Note: This attack only affects installations with e10 multiproce...
Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...
Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI
The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...
Cross-site Scripting (XSS)
Overview UmbracoCms.Core is an ASP.NET CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization. An authenticated user can inject arbitrary JavaScript code into IFrames when editing content using the TinyMCE rich-text editor, as...
Sylius 安全漏洞
Sylius is an open source e-commerce platform based on the Symfony framework from the Polish company Sylius. sylius has a security vulnerability that stems from the possibility that an attacker-controlled page could load the website in an iframe. This would enable a clickjacking attack where an...