360 matches found

Github Security Blog
added 2024/06/05 1:28 p.m., 7 views

Vulnerable embedded jQuery Version

Summary: PIMCore uses the JavaScript library jQuery in version 3.4.1. This version is vulnerable to cross-site scripting (XSS). Details: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it to one of...

7 AI score
Exploits: 0, References: 2, Affected Software: 1

CNNVD
added 2024/05/14 12:0 a.m., 0 views

CycloneDX JavaScript Library Code Issue Vulnerability

The CycloneDX JavaScript Library is a core feature of the CycloneDX SBOM Standard open source OWASP CycloneDX for JavaScript written in TypeScript. A code issue vulnerability exists in CycloneDX JavaScript Library versions prior to 6.7.1 that stems from XML external entity injection when running...

8.1 CVSS, 8.2 AI score, 0.00081 EPSS
Exploits: 0, References: 5

Vulnrichment
added 2024/05/09 2:56 p.m., 15 views

CVE-2024-34345 @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

8.1 CVSS, 7 AI score, 0.00081 EPSS
Exploits: 0, References: 3

CVE
added 2024/05/09 2:56 p.m., 51 views

CVE-2024-34345

CVE-2024-34345 affects the CycloneDX JavaScript library (cyclonedx-library) core functionality. The vulnerability arises from XML External Entity (XXE) injections when using the provided XML Validator on arbitrary input in version 6.7.0; it was fixed in 6.7.1. Affected component/file is the XML v...

8.1 CVSS, 6.8 AI score, 0.00081 EPSS
Exploits: 0, References: 3

Github Security Blog
added 2024/05/08 7:55 p.m., 19 views

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

Impact: XML External entity injections could be possible when running the provided XML Validator on arbitrary input. POC (js): const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new XmlValidator(version); const inpu...

8.1 CVSS, 7.5 AI score, 0.00081 EPSS
Exploits: 0, References: 5, Affected Software: 1

Circl
added 2024/05/08 3:13 p.m., 6 views

CVE-2024-34345

creationtimestamp | type | source
---|---|---
2024-05-08 15:13:47+00:00 | published-proof-of-concept | https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7...

8.1 CVSS, 7.2 AI score, 0.00081 EPSS
Exploits: 0, References: 1

Tenable Nessus
added 2024/04/25 12:0 a.m., 28 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : CryptoJS vulnerability (USN-6753-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6753-1 advisory. Thomas Neil James Shadwell discovered that CryptoJS was using an insecure cryptographic default configuration. A remote attack...

9.1 CVSS, 8.1 AI score, 0.01112 EPSS
Exploits: 0, References: 2

Cvelist
added 2024/03/25 8:0 p.m., 16 views

CVE-2024-28246 KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...

5.5 CVSS, 5.8 AI score, 0.00056 EPSS
Exploits: 0, References: 2

Debian CVE
added 2024/03/25 8:0 p.m., 21 views

CVE-2024-28246

KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...

5.5 CVSS, 5.4 AI score, 0.00056 EPSS
Exploits: 0

Debian CVE
added 2024/03/25 7:45 p.m., 15 views

CVE-2024-28244

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named...

6.5 CVSS, 6.5 AI score, 0.00179 EPSS
Exploits: 0

Vulnrichment
added 2024/03/25 7:45 p.m., 12 views

CVE-2024-28244 KaTeX's maxExpand bypassed by Unicode sub/superscripts

KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named...

6.5 CVSS, 7.1 AI score, 0.00179 EPSS
Exploits: 0, References: 2

Positive Technologies
added 2024/03/25 12:0 a.m., 2 views

PT-2024-22358

Name of the Vulnerable Software and Affected Versions: KaTeX versions prior to 0.16.10. Description: KaTeX is a JavaScript library for TeX math rendering on the web. Users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despi...

7.2 CVSS, 6.2 AI score, 0.00477 EPSS
Exploits: 0, References: 25

ATTACKERKB
added 2023/12/12 2:15 a.m., 2 views

CVE-2023-49583

SAP BTP Security Services Integration Library Node.js @sap/xssec - versions 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application...

9.8 CVSS, 7.4 AI score, 0.0035 EPSS
Exploits: 0, References: 7, Affected Software: 1

NVD
added 2023/11/17 10:15 p.m., 10 views

CVE-2023-48238

joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact URL-safe means of representing claims to be transferred between two parties. Affected versions of the json-web-token library are vulnerable to a JWT algorithm confusion attack. On li...

7.5 CVSS, 0.00186 EPSS
Exploits: 1, References: 1

OSV
added 2023/11/17 9:35 p.m., 12 views

CVE-2023-48238 JWT Algorithm Confusion in json-web-token library

joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact URL-safe means of representing claims to be transferred between two parties. Affected versions of the json-web-token library are vulnerable to a JWT algorithm confusion attack. On li...

7.5 CVSS, 7.4 AI score, 0.00186 EPSS
Exploits: 1, References: 3

Cvelist
added 2023/11/14 12:0 a.m., 10 views

CVE-2023-48094

A cross-site scripting (XSS) vulnerability in CesiumJS v1.111 allows attackers to execute arbitrary code in the context of the victim's browser via sending a crafted payload to /containerfiles/publichtml/doc/index.html. NOTE: the vendor's position is that Apps/Sandcastle/standalone.html is part of...

6.1 AI score, 0.00399 EPSS
Exploits: 0, References: 1

NVD
added 2023/10/25 9:15 p.m., 17 views

CVE-2023-46233

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm...

9.1 CVSS, 9.1 AI score, 0.01112 EPSS
Exploits: 0, References: 3

UbuntuCve
added 2023/10/25 9:15 p.m., 23 views

CVE-2023-46233

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm...

9.1 CVSS, 7.1 AI score, 0.01112 EPSS
Exploits: 0, References: 4

CVE
added 2023/10/25 8:49 p.m., 241 views

CVE-2023-46233

CVE-2023-46233 affects crypto-js in Crypto-JS prior to 4.2.0. The PBKDF2 implementation uses SHA1 and a fixed iteration count of 1,000, making it far weaker than the 1993 spec and substantially weaker than current standards. Reported impact is high for password protection and signature generation...

9.1 CVSS, 9.1 AI score, 0.01112 EPSS
Exploits: 0, References: 3, Affected Software: 1

CVE
added 2023/08/14 8:10 p.m., 64 views

CVE-2023-40013

CVE-2023-40013 affects the external-svg-loader / SVG Loader JS library. The vulnerability arises from insufficient input sanitization when injecting fetched SVGs, allowing crafted SVGs to bypass sanitization and trigger Cross-site Scripting (XSS). Affected behavior: external sites that accept use...

7.1 CVSS, 5.9 AI score, 0.00159 EPSS
Exploits: 0, References: 4, Affected Software: 1