1277 matches found
CVE-2024-34078
html-sanitizer is an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False, which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...
DEBIAN-CVE-2024-34078
html-sanitizer is an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False, which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...
UBUNTU-CVE-2024-34078
html-sanitizer is an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False, which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...
CVE-2024-34078 html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization
html-sanitizer is an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False, which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...
CVE-2024-34078
CVE-2024-34078 affects the html-sanitizer library. When keep_typographic_whitespace is false (default), Unicode is normalized to NFKC at the end, and some characters can normalize to chevrons, allowing specially crafted HTML to bypass sanitization. Exploitation could enable HTML injection within ...
GHSA-WVHX-Q427-FGH3 Arbitrary HTML present after sanitization because of unicode normalization
Impact: If using keep_typographic_whitespace=False, which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. Patches: The problem has been fixed in 2.4.2. Workarounds: Se...
PT-2024-25688 · Unknown · Sanitize-Html
Name of the Vulnerable Software and Affected Versions: html-sanitizer versions prior to 2.4.2. Description: The issue concerns an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False, which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicod...
RHEL 6 / 7 : rh-python36-python (RHSA-2019:0765)
The remote Red Hat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:0765 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic...
RHEL 6 / 7 : python27-python (RHSA-2019:0806)
The remote Red Hat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:0806 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic...
nodejs: multiple permission model bypasses due to improper path traversal sequence sanitization
A flaw was found in Node.js. Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwritten with user-defined implementations, leading to a filesystem permission model bypass through a path traversal attack...
CVE-2024-28246 KaTeX is missing normalization of the protocol in URLs allows bypassing forbidden protocols
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...
GHSA-3WC5-FCW2-2329 KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols
Impact: Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the...
KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols
Impact: Code that uses KaTeX's trust option, specifically that provides a function to block-list certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow for malicious input to generate javascript: links in the...
PT-2024-22361
Name of the Vulnerable Software and Affected Versions: KaTeX versions prior to 0.16.10. Description: KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option can be fooled by URLs in malicious inputs that use uppercase characters in the protocol, allowin...
CVE-2024-29180
A flaw was found in the webpack-dev-middleware package, where it failed to validate the supplied URL address sufficiently before returning local files. This flaw allows an attacker to craft URLs to return arbitrary local files from the developer's machine. The lack of normalization before calling...
Path traversal in webpack-dev-middleware
Summary: The webpack-dev-middleware middleware does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. Details: The middleware can either work with the physical filesystem when reading the files or it can...