214 matches found
reSmush.it Image Optimizer < 0.4.7 - Multiple CSRF
The plugin does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on the site. input type="hidden" name="action" value="resmushit&...
CVE-2022-39239
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
Design/Logic Flaw
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
CVE-2022-39239 nefly-ipx subject to Server-Side Request Forgery and Stored Cross-Site Scripting via Cache Poisoning and Improper Host Validation
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
CVE-2022-39239 nefly-ipx subject to Server-Side Request Forgery and Stored Cross-Site Scripting via Cache Poisoning and Improper Host Validation
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
CVE-2022-39239 nefly-ipx subject to Server-Side Request Forgery and Stored Cross-Site Scripting via Cache Poisoning and Improper Host Validation
netlify-ipx is an on-Demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
CVE-2022-39239
Netlify-ipx is vulnerable in versions before 1.2.3 to a cache-poisoning fault that allows an attacker to bypass the source image allowlist by sending crafted headers. This can cause the handler to load and return arbitrary images, which are then cached globally and served to visitors without requ...
CVE-2022-0969
The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability i...
CVE-2022-0969
CVE-2022-0969 affects the WordPress Optimole plugin prior to 3.3.2. The issue is that the settings for “Lazyload background images for selectors” are not properly sanitised/escaped, which could allow high-privilege users (e.g., admins) to perform Cross-Site Scripting even when unfiltered_html is ...
CVE-2022-0969 Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting
The Image optimization & Lazy Load by Optimole WordPress plugin before 3.3.2 does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability i...
WordPress Optimole plugin cross-site scripting vulnerability
WordPress is the Wordpress Foundation's set of blogging platform developed using the PHP language. WordPress plugin is a WordPress open source application plugin. WordPress plugin Optimole version 3.3.2 has a cross-site scripting vulnerability that stems from the failure of image optimization and...
Image optimization & Lazy Load < 3.3.2 - Admin+ Stored Cross-Site Scripting
The plugin does not sanitise and escape its "Lazyload background images for selectors" settings, which could allow high privilege users such as admin to perform Cross-Site scripting attacks even when the unfilteredhtml capability is disallowed. PoC Put the following payload in the Media Optimole...
CVE-2022-23646 Improper CSP in Image Optimization API for Next.js
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface UI Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in...
Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface UI Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in...
GHSA-FMVM-X8MV-47MJ Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface UI Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in...
XSS in Image Optimization API for Next.js
Impact - Affected: All of the following must be true to be affected - Next.js between version 10.0.0 and 11.1.0 - The next.config.js file has images.domains array assigned - The image host assigned in images.domains allows user-provided SVG - Not affected: The next.config.js file has images.loade...
GHSA-9GR3-7897-PP7M XSS in Image Optimization API for Next.js
Impact - Affected: All of the following must be true to be affected - Next.js between version 10.0.0 and 11.1.0 - The next.config.js file has images.domains array assigned - The image host assigned in images.domains allows user-provided SVG - Not affected: The next.config.js file has images.loade...
Cross-site Scripting (XSS)
next is vulnerable to cross-site scripting. An attacker is able to inject and execute malicious scirpt via image optimization API if next.config.js file have images.domains array assigned and the image host assigned in images.domains which allows user-provided SVG...
CVE-2021-39178 XSS in Image Optimization API for Next.js versions between 10.0.0 and 11.1.0
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the next.config.js file must have images.domains array assigned and the image host assigned in images.domains mus...
Halve the size of images by optimising for high density displays
A long time ago we had monitors of varying resolutions, but once we started to go beyond 1024x768, screens started to get bigger as resolution got bigger. Then full-colour web-capable mobile phones arrived, but the story was the same. They had small screens, but also small resolutions. Then in 20...