727 matches found
GHSA-QXG5-2QFF-P49R Passing in a non-string 'html' argument can lead to unsanitized output
A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. Impact XS...
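Added illustration of the type confusion described in the striptags entry above. The code is constructed for this page and is not striptags' own implementation: naiveStripTags stands in for any sanitizer that walks its input by index (sound only for a string), parseQuery mirrors how common web frameworks turn a repeated query key into an array, and safeStripTags is one possible fix. The request strings are constructed sample input.

```javascript
// Constructed stand-in for an index-walking tag stripper (not striptags' code).
function naiveStripTags(html) {
  let out = '';
  let inTag = false;
  for (let i = 0; i < html.length; i++) {
    const ch = html[i]; // one character for a string, one whole element for an array
    if (ch === '<') {
      inTag = true;
    } else if (ch === '>') {
      inTag = false;
    } else if (!inTag) {
      out += ch; // for an array element this appends the entire, unsanitised string
    }
  }
  return out;
}

// Query parsing of the kind many web frameworks do: a parameter that appears
// more than once comes back as an array, so the request decides the input's shape.
function parseQuery(search) {
  const params = new URLSearchParams(search);
  const out = {};
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    out[key] = values.length === 1 ? values[0] : values;
  }
  return out;
}

// Hardened entry point: reject anything that is not a primitive string before
// the character walk runs. A String object also fails this check, on purpose.
function safeStripTags(html) {
  if (typeof html !== 'string') {
    throw new TypeError('html must be a string, got ' + (Array.isArray(html) ? 'array' : typeof html));
  }
  return naiveStripTags(html);
}

// Constructed requests: the first sends one value, the second repeats the key.
const singleValue = parseQuery('?html=%3Cb%3Ehi%3C%2Fb%3E').html;
const arrayValue = parseQuery('?html=%3Cscript%3Ealert(1)%3C%2Fscript%3E&html=x').html;

function demo() {
  return {
    stringResult: naiveStripTags(singleValue), // tags removed: 'hi'
    arrayResult: naiveStripTags(arrayValue),   // script tag survives verbatim
  };
}
```

The array case never hits the `<` / `>` comparisons because each "character" is a whole element, which is exactly the concatenation of unsanitised strings the advisory describes; the type check in safeStripTags closes it regardless of how the query parser shaped the input.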
CVE-2021-21666
Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting XSS vulnerability...
CVE-2021-32670
Datasette is an open source multi-tool for exploring and publishing data. The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation...
PYSEC-2021-89
Datasette is an open source multi-tool for exploring and publishing data. The ?trace=1 debugging feature in Datasette does not correctly escape generated HTML, resulting in a reflected cross-site scripting vulnerability. This vulnerability is particularly relevant if your Datasette installation...
GHSA-RFQ3-W54C-F9Q5 OAuth2 Redirect URL validity does not respect query parameters and character casing for loopback addresses
Impact: fosite #400, released as v0.30.2, introduced a new feature for handling redirect URLs pointing to loopback interfaces (RFC 8252 section 7.3). As part of that change, new behavior was introduced which failed to respect the redirect URL's query parameters (only for loopback interfaces!). 1. Registering ...
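Added example of the loopback redirect-URL rule the fosite advisory above concerns. This is constructed code for this page, not fosite's (fosite is written in Go); it only mirrors the check the advisory describes. RFC 8252 section 7.3 allows the port of a loopback redirect URI to vary at request time and nothing else. The loopback host list is an assumption (the two loopback IP literals; plain "localhost" is deliberately left out), and the registered/requested URLs are constructed sample input.

```javascript
// Assumed loopback set: the IPv4 and IPv6 loopback literals only.
// WHATWG URL keeps the brackets on an IPv6 hostname, so both spellings are listed.
function isLoopbackHost(hostname) {
  return hostname === '127.0.0.1' || hostname === '[::1]' || hostname === '::1';
}

// Loose matcher of the kind the advisory describes (illustrative): once the
// requested host is loopback it compares only scheme, host and a case-folded
// path, so both the port AND the query string are ignored.
function looseLoopbackMatch(registered, requested) {
  const reg = new URL(registered);
  const req = new URL(requested);
  if (!isLoopbackHost(req.hostname)) return registered === requested;
  return reg.protocol === req.protocol &&
    reg.hostname === req.hostname &&
    reg.pathname.toLowerCase() === req.pathname.toLowerCase();
}

// Strict matcher: every component except the port must match byte for byte
// (the URL parser already lower-cases scheme and host, nothing else), and the
// port may differ only when BOTH sides are loopback IPs.
function strictRedirectMatch(registered, requested) {
  let reg;
  let req;
  try {
    reg = new URL(registered);
    req = new URL(requested);
  } catch {
    return false; // unparsable input never matches
  }
  if (reg.protocol !== req.protocol || reg.hostname !== req.hostname) return false;
  if (reg.username !== req.username || reg.password !== req.password) return false;
  if (reg.pathname !== req.pathname || reg.search !== req.search || reg.hash !== req.hash) return false;
  if (reg.port === req.port) return true;
  return isLoopbackHost(reg.hostname) && isLoopbackHost(req.hostname);
}

// Constructed registered redirect URL with a query parameter the client relies on.
const REGISTERED = 'http://127.0.0.1/callback?state_owner=client1';

// Runs one matcher over the cases the advisory title names: an ephemeral port
// (must pass), an added or dropped query parameter and a path with different
// casing (must fail), and a non-loopback host that changes its port (must fail).
function evaluate(matcher) {
  return {
    ephemeralPort: matcher(REGISTERED, 'http://127.0.0.1:49152/callback?state_owner=client1'),
    extraQuery: matcher(REGISTERED, 'http://127.0.0.1:49152/callback?state_owner=client1&next=evil'),
    droppedQuery: matcher(REGISTERED, 'http://127.0.0.1:49152/callback'),
    pathCase: matcher(REGISTERED, 'http://127.0.0.1:49152/CALLBACK?state_owner=client1'),
    publicHostPort: matcher('https://app.example/cb', 'https://app.example:8443/cb'),
  };
}
```

The loose matcher accepts all four loopback variants; the strict one accepts only the changed port. Comparing the parsed components rather than the raw strings is what lets the port float while the query and path casing stay exact.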
Huawei EulerOS: Security Advisory for python (EulerOS-SA-2021-1911)
The remote host is missing an update for the Huawei EulerOS python package. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only.
CVE-2020-4985
IBM Planning Analytics Local 2.0 could allow an attacker to obtain sensitive information due to accepting body parameters in a query. IBM X-Force ID: 192642...
Prototype Pollution in backbone-query-parameters
Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype...
GHSA-8QPM-5C82-RF96 Prototype Pollution in backbone-query-parameters
Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype...
CVE-2021-20085
Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution' in backbone-query-parameters 0.4.0 allows a malicious user to inject properties into Object.prototype...
CVE-2021-20085
CVE-2021-20085 affects backbone-query-parameters 0.4.0 and describes a prototype pollution flaw: improperly controlled modification of Object.prototype that enables a malicious user to inject properties into Object.prototype. The connected documents consistently reference this vulnerability and i...
backbone-query-parameters security vulnerability
backbone-query-parameters is a Backbone.js plugin. Copy backbone.queryparams.js into your environment and include it after backbone.js. A security vulnerability exists in backbone-query-parameters 0.4.0, which stems from an improperly controlled modification of an object prototype property that allows a malicio...
PT-2021-13763 · Unknown · Backbone-Query-Parameters
Name of the Vulnerable Software and Affected Versions: backbone-query-parameters version 0.4.0 Description: The issue is related to improperly controlled modification of object prototype attributes, also known as 'Prototype Pollution'. This allows a malicious user to inject properties into...
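Added example of the bug class named in the backbone-query-parameters entries above (CVE-2021-20085 / GHSA-8QPM-5C82-RF96 / PT-2021-13763). Both parsers below are constructed for this page; neither is the library's own code. They turn bracket syntax such as ?user[name]=bob into nested objects, which is where an unfiltered key name like __proto__ becomes a write into Object.prototype. The payload string is constructed sample input.

```javascript
function keyPath(rawKey) {
  return rawKey.replace(/\]/g, '').split('['); // 'a[b][c]' -> ['a', 'b', 'c']
}

// Vulnerable: walks/creates objects along the path with no key filtering, so
// ?__proto__[isAdmin]=true descends into Object.prototype and writes there.
function parseNestedQueryVulnerable(search) {
  const result = {};
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const path = keyPath(rawKey);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: null-prototype containers (so '__proto__' is an ordinary own
// property name, not the inherited setter), a deny-list applied to every path
// segment, and descent only into own properties.
function parseNestedQuerySafe(search) {
  const result = Object.create(null);
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const path = keyPath(rawKey);
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) continue; // drop the pair outright
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(node, path[i]);
      if (!own || typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed payload: one polluting key and one legitimate nested key.
const PAYLOAD = '?__proto__[isAdmin]=true&user[name]=bob';

// Runs both parsers against the same payload and cleans up the pollution
// afterwards so later code in the process is not affected.
function demonstrate() {
  parseNestedQueryVulnerable(PAYLOAD);
  const pollutedAfterVulnerable = ({}).isAdmin; // every object now "has" isAdmin
  delete Object.prototype.isAdmin;
  const safe = parseNestedQuerySafe(PAYLOAD);
  return {
    pollutedAfterVulnerable,
    pollutedAfterSafe: ({}).isAdmin,
    safeUserName: safe.user.name,
    safeHasProtoKey: Object.prototype.hasOwnProperty.call(safe, '__proto__'),
  };
}
```

The vulnerable parser reaches Object.prototype because `result['__proto__']` resolves through the inherited accessor to the prototype itself, and the next assignment lands there. Any later `if (obj.isAdmin)` check anywhere in the process then passes for every object, which is why a query-string parser is a high-value pollution sink.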
CVE-2021-24237
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keywordsearch, searchradius, bedrooms and bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue...
CVE-2021-31551
An issue was discovered in the PageForms extension for MediaWiki through 1.35.2. Crafted payloads for Token-related query parameters allowed for XSS on certain PageForms-managed MediaWiki pages...
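Added example covering the reflected XSS pattern shared by the Jenkins Kiuwan, Datasette ?trace=1, Realteo and PageForms entries above: a query parameter echoed into generated HTML without escaping. The handlers, the parameter name and the canary are constructed for this page and are not taken from any of those projects.

```javascript
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that matter in HTML text and in double- or
// single-quoted attribute values. Not sufficient inside a <script> block or a
// URL attribute; those contexts need their own encoders.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A form-validation error message that reflects the submitted value as-is
// (the shape of bug the Jenkins entry describes; constructed handler).
function renderValidationErrorUnsafe(query) {
  return `<div class="error">Could not parse value "${query.get('value')}"</div>`;
}

// The same message with the value escaped at the point of output.
function renderValidationErrorSafe(query) {
  return `<div class="error">Could not parse value "${escapeHtml(query.get('value'))}"</div>`;
}

// Canary carrying every HTML-significant character between two unique markers.
const CANARY = 'zq7<>"\'&zq7';

// Sends the canary through a handler and reports whether the marker is
// reflected at all and whether the special characters came back raw. This is
// the quick per-parameter check a tester runs before building a real payload.
function probeReflection(render, paramName) {
  const query = new URLSearchParams();
  query.set(paramName, CANARY);
  const body = render(query);
  return {
    reflected: body.includes('zq7'),
    rawSpecials: body.includes(CANARY),
  };
}
```

A parameter that is reflected with rawSpecials false is still worth a second look in other contexts (attribute without quotes, inline script, href), but the five-character escape at the output point is what each of the fixes above amounts to.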