GHSA-78P3-96HC-3J47 Malicious Package in jquery-airload
Version 0.2.5 of jquery-airload contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...
AZL-44379 CVE-2020-7729 affecting package js-jquery 3.5.0-4
The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load instead of its secure replacement safeLoad of the package js-yaml inside grunt.file.readYAML...
@baosight/xinrong (>=0.0.36 <=0.0.37), wypulldom (=1.0.0) potentially affected by unknown CVE via jqeury (=0.0.1-security)
jqeury NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on jqeury and may be impacted: - @baosight/xinrong =0.0.36, =0.0.37 - wypulldom =1.0.0 Source cves: unknown CVE Source advisory: OSV:GHSA-4964-CJRR-JG97...
GHSA-FJ93-7WM4-8X2G Cross-Site Scripting in jquery-mobile
All versions of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XMLHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to...
@fanswoo/core (>=1.0.0 <=1.3.8), brws-upload (>=1.0.2 <=1.0.3) +4 more potentially affected by unknown CVE via jquery-mobile (>=1.4.1 <=1.5.0-alpha.1)
jquery-mobile NPM version =1.4.1, =1.0.0, =1.0.2, =1.0.0, =1.0.2, =2.0.0, =0.0.1, =1.0.4 Source cves: unknown CVE Source advisory: OSV:GHSA-FJ93-7WM4-8X2G...
Cross-Site Scripting in jquery-mobile
All versions of jquery-mobile are vulnerable to Cross-Site Scripting. The package checks for content in location.hash and if a URL is found it does an XMLHttpRequest (XHR) to the URL and renders the response with innerHTML. It fails to validate the Content-Type of the response, allowing attackers to...
Security Bulletin: Multiple vulnerabilities in AngularJS and jQuery affect IBM Spectrum LSF Simulator
Summary There are multiple vulnerabilities in AngularJS and jQuery used by IBM Spectrum LSF Simulator. IBM Spectrum LSF Simulator has addressed the applicable CVEs. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affecte...
Gitlab -- multiple vulnerabilities
Gitlab reports: Vendor Cross-Account Assume-Role Attack Stored XSS on the Vulnerability Page Outdated Job Token Can Be Reused to Access Unauthorized Resources File Disclosure Via Workhorse File Upload Bypass Unauthorized Maintainer Can Edit Group Badge Denial of Service Within Wiki Functionality...
Western Digital My Cloud Multiple Products < 2.12.127 / 2.20 - 2.30 < 2.31.149 Multiple Vulnerabilities
Multiple Western Digital My Cloud products are prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Cross-Site Scripting in jquery
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors wh...
CSRF Vulnerability in jquery-ujs
Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a fo...
GHSA-6QQJ-RX4W-R3CJ CSRF Vulnerability in jquery-ujs
Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a fo...
GitLab: Sending Arbitrary Requests through Jupyter Notebooks on gitlab.com and Self-Hosted GitLab Instances
NOTE: I am still researching whether there is a possibility to deploy the exploit without user interaction. Summary GitLab provides a rich representation for Jupyter Notebooks .ipynb. In turn, Jupyter Notebooks provide the possibility for rich output via HTML. Although most tags and attributes ar...
SUSE-SU-2020:2292-1 Security update for SUSE Manager Server 3.2
This update fixes the following issues: bind-formula: - Remove wrong default for bind options preventing correct upload of bind options using XMLRPC bsc1150657 branch-network-formula: - Make branch formula to assign home directory to ftp and tftp users bsc1162391 py26-compat-salt: - Do not make...
Security Bulletin: Security vulnerability has been identified in BigFix Platform shipped with IBM License Metric Tool.
Summary BigFix Platform is shipped with IBM License Metric Tool. Information about a security vulnerability affecting BigFix Platform has been published in a security bulletin. Vulnerability Details CVEID: CVE-2019-5435 DESCRIPTION: cURL libcurl is vulnerable to a heap-based buffer overflow, caus...
Security Bulletin: Multiple vulnerabilities in jQuery affect IBM WIoTP MessageGateway (CVE-2020-11023, CVE-2020-11022)
Summary There are multiple vulnerabilities in jQuery that affect IBM WIoTP MessageGateway. Vulnerability Details CVEID: CVE-2020-11023 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could...
Security Bulletin: Multiple Vulnerabilities in jQuery affect IBM WIoTP MessageGateway
Summary There are multiple vulnerabilities in jQuery that affect IBM WIoTP MessageGateway. Vulnerability Details Third Party Entry: 180875 DESCRIPTION: jQuery cross-site scripting CVSS Base score: 6.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180875 for the...
Security Bulletin: A vulnerability in jQuery affects IBM WIoTP MessageGateway (CVE-2020-7656)
Summary There is a vulnerability in jQuery that affects IBM WIoTP MessageGateway. Vulnerability Details CVEID: CVE-2020-7656 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this...
Security Bulletin: JQuery as used by IBM QRadar Network Packet Capture is vulnerable to Cross Site Scripting (XSS) (CVE-2020-11023, CVE-2020-11022)
Summary JQuery as used by IBM QRadar Network Packet Capture is vulnerable to Cross Site Scripting XSS Vulnerability Details CVEID: CVE-2020-11023 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attack...