CVE-2024-3186

CWE-476 NULL Pointer Dereference vulnerability in the evalExpr function of GoAhead Web Server version = 6.0.0 when compiled with the MEGOAHEADJAVASCRIPT flag. This vulnerability allows a remote attacker with the privileges to modify JavaScript template JST files to trigger a crash and cause a...

CVE-2024-3186

GoAhead Web Server (embedded GoAhead) contains a CWE-476 NULL Pointer Dereference in evalExpr() (and related valexpr in GoAhead) on versions 6.0.0 and earlier when built with ME_GOAHEAD_JAVASCRIPT. A remote attacker able to modify JST templates can trigger a crash leading to DoS. Affected product...

CVE-2024-3186

CWE-476 NULL Pointer Dereference vulnerability in the evalExpr function of GoAhead Web Server version = 6.0.0 when compiled with the MEGOAHEADJAVASCRIPT flag. This vulnerability allows a remote attacker with the privileges to modify JavaScript template JST files to trigger a crash and cause a...

PT-2024-24257

Name of the Vulnerable Software and Affected Versions Goahead versions = 6.0.0 Description This issue involves two Use After Free UAF and one Double Free vulnerabilities. These vulnerabilities are caused by JST values not being nulled when freed during parsing of JST templates. If the ME GOAHEAD...

Oracle Linux 9 : skopeo (ELSA-2023-6363)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-6363 advisory. - rebuild for following CVEs: CVE-2022-41724 CVE-2022-41725 CVE-2023-24537 CVE-2023-24538 CVE-2023-24534 CVE-2023-24536 CVE-2022-41723 CVE-2023-24539...

Amazon Linux 2 : docker (ALASECS-2023-019)

The version of docker installed on the remote host is prior to 20.10.25-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2023-019 advisory. http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Templates did not properly consider backticks...

Important: amazon-ssm-agent

Issue Overview: The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. CVE-2021-43565 A broken cryptographic algorithm flaw was found in golang.org/x/crypto/ssh. This issue causes a client to fail authentification with R...

Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2023-388)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-388 advisory. The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. CVE-2021-43565 A broken cryptographic algorithm flaw was foun...

CVE-2023-29453 Agent 2 package are built with Go version affected by CVE-2023-24538

Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to...

Milesight MilesightVPN requestHandlers.js detail_device cross-site scripting (XSS) vulnerabilities

Talos Vulnerability Report TALOS-2023-1704 Milesight MilesightVPN requestHandlers.js detaildevice cross-site scripting XSS vulnerabilities July 6, 2023 CVE Number CVE-2023-24497,CVE-2023-24496 SUMMARY Cross-site scripting xss vulnerabilities exist in the requestHandlers.js detaildevice...

ejs 注入漏洞

Github ejs is an embedded JavaScript template. An injection vulnerability exists in ejs version v3.1.9, which stems from vulnerability to server-side template injection SSTI attacks, which can be exploited by an attacker to achieve template injection through the configuration settings of the...

CVE-2023-24538 Backticks not treated as string delimiters in html/template

Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to...

SUSE CVE-2023-24538

Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to...

Cross-site Scripting (XSS)

Overview std/html/template is a Go standard library package std/html/template Affected versions of this package are vulnerable to Cross-site Scripting XSS. Go Vulnerability Report:Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as...

Dust.js 安全漏洞

Dust.js is a LinkedIn open source asynchronous Javascript template for browsers and servers. A security vulnerability exists in Dust.js version 3.0.0, which stems from some unknown functionality that manipulates to cause improperly controlled modification of object prototype properties "prototype...

Cross site scripting

DISPUTED Reflected Cross-Site Scripting vulnerability in "Design" on "Edit device layout" in Kentico 9 through 11 allows remote attackers to execute malicious JavaScript via a malicious devicename parameter in a link that is entered via the "Pages - Edit template properties - Device Layouts -...