CVE-2021-22811

A CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists that could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted. Affected Products: 1-Phase Uninterruptible Power Supply UP...

Cesanta MJS Denial of Service Vulnerability (CNVD-2022-09557)

Cesanta MJS is an embedded JavaScript engine for C/C from Cesanta Ireland. cesanta MJS denial of service vulnerability can be exploited by attackers to cause a denial of service...

Sandbox Bypass

Overview realms-shim is a shim implementation of the Realm API Proposal. Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. PoC javascript import Realm from 'realms-shim' let realm = Realm.makeRootRealm; realm.evaluate function test try tes...

Cross-site scripting (XSS) from image block content in the site frontend

Impact Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters against cross-site scripting XSS attacks. Cross-site scripting XSS is a type of...

CVE-2021-21796

An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code...

PT-2021-4690 · Foxit · Foxit Pdf Reader +2

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader versions prior to 11.1 Foxit PDF Editor versions prior to 11.1 Foxit PhantomPDF versions prior to 10.1.6 Description: The issue is related to the mishandling of JavaScript, allowing attackers to trigger a use-after-free and...

PT-2021-4406 · Foxit · Foxit Pdf Reader +2

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader versions prior to 11.1 Foxit PDF Editor versions prior to 11.1 Foxit PhantomPDF versions prior to 10.1.6 Description: The issue is related to the mishandling of JavaScript, allowing attackers to trigger a use-after-free and...

CVE-2021-40711

Adobe Experience Manager version 6.5.9.0 and earlier is affected by a stored XSS vulnerability when creating Content Fragments. An authenticated attacker can send a malformed POST request to achieve arbitrary code execution. Malicious JavaScript may be executed in a victim’s browser when they...

Sandbox Bypass

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. PoC const VM = require"vm2...

PT-2021-14783 · Nitro · Nitro Pro Pdf

Name of the Vulnerable Software and Affected Versions: Nitro Pro PDF affected versions not specified Description: An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go o...

Nitro Software Nitro Pro 安全漏洞

Nitro Software Nitro Pro is a U.S. Nitro Software PDF document editor software. The software supports PDF document editing, PDF document format conversion and PDF document encryption and other functions. A security vulnerability exists in the JavaScript implementation of Nitro Software Nitro Pro,...

Chrome JS WasmJs::InstallConditionalFeatures Object Corruption

Chrome: JS object corruption in WasmJs::InstallConditionalFeatures VULNERABILITY DETAILS void WasmJs::InstallConditionalFeaturesIsolate isolate, Handle context // Exception handling may have been enabled by an origin trial. If so, make // sure that the WebAssembly.Exception constructor is set up...

Foxit PDF Reader 资源管理错误漏洞

Foxit PDF Reader is a PDF reader. Foxit PDF Reader handles Javascript security vulnerabilities, which can be exploited by attackers to execute arbitrary code...

Foxit Reader 资源管理错误漏洞

Foxit PDF Reader is a PDF reader. Foxit PDF Reader handles Javascript with a security vulnerability that can be exploited by attackers to execute arbitrary code...

nodejs 缓冲区错误漏洞

nodejs is a JavaScript runtime environment based on the ChromeV8 engine by wrapping the Chromev8 engine and the use of event-driven and non-blocking IO applications to make the development of high-performance Javascript background applications possible. A buffer error vulnerability exists in...

Prototype Pollution

Overview record-like-deep-assign is a Recursively assigns enumerable own properties of the given sources to a target object Affected versions of this package are vulnerable to Prototype Pollution via the main functionality. PoC const deepAssign = require'record-like-deep-assign'; let obj = ;...

Facebook Hermes Input Validation Error Vulnerability

Facebook Hermes is a JavaScript engine from Facebook, Inc. The engine is targeted at React Native applications to improve the performance of mobile client application apps, but is not applicable to server-side infrastructures such as browsers ＆ Node.js. An input validation error vulnerability...

Jira Server and Jira Data Center cross-site scripting vulnerability (CNVD-2021-44762)

Atlassian JIRA Server and Jira Server & Data Center are both products of Atlassian Australia.Atlassian JIRA Server is the server version of a defect tracking management system. The system is mainly used for tracking and managing all kinds of problems and defects in the workplace.Jira Server & Dat...

IBM Engineering Test Management Cross-Site Scripting Vulnerability (CNVD-2021-39247)

IBM Engineering Test Management is a collaborative quality management solution that provides end-to-end test planning and test asset management, with broad coverage of all aspects from requirements to defects. A cross-site scripting vulnerability exists in IBM Engineering Test Management version...

GHSA-C94V-8FFF-73PH Command Injection in @theia/messages

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run...