CVE-2024-34078

html-sanitizer is an allowlist-based HTML cleaner. If using keeptypographicwhitespace=False which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...

CVE-2024-34078

CVE-2024-34078 affects the html-sanitizer library. When keep_typographic_whitespace is false (default), Unicode is normalized to NFKC at the end, and some characters can normalize to chevrons, allowing specially crafted HTML to bypass sanitization. Exploitation could enable HTML injection within ...

CVE-2024-34078 html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization

html-sanitizer is an allowlist-based HTML cleaner. If using keeptypographicwhitespace=False which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...

CVE-2024-34078 html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization

html-sanitizer is an allowlist-based HTML cleaner. If using keeptypographicwhitespace=False which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...

CVE-2024-34078 html-sanitizer allows arbitrary HTML present after sanitization because of unicode normalization

html-sanitizer is an allowlist-based HTML cleaner. If using keeptypographicwhitespace=False which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...

CVE-2024-23826 Uploading an image with a specific filename causes a server-side DoS

spbusesite is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is...

CVE-2024-23826 Uploading an image with a specific filename causes a server-side DoS

spbusesite is the website of the Department of System Programming of St. Petersburg State University. Before 2024.01.29, when uploading an avatar image, an authenticated user may intentionally use a large Unicode filename which would lead to a server-side denial of service under Windows. This is...

CVE-2024-23826

The CVE-2024-23826 affects the spbu_se_site web application (St. Petersburg State University). Before 2024-01-29, authenticated users could upload an avatar image with a very large Unicode filename, triggering a server-side DoS on Windows due to unbounded filename length and costly Unicode normal...

PT-2024-20108 · Microsoft · Windows

Name of the Vulnerable Software and Affected Versions: spbu se site versions prior to 2024.01.29 Description: The issue arises when an authenticated user uploads an avatar image with a large Unicode filename, leading to a server-side denial of service under Windows. This is due to the lack of...

GHSA-WPMX-564X-H2MH ewen-lbh/ffcss Late-Unicode normalization vulnerability

Summary The function lookupPreprocess is meant to apply some transformations to a string by disabling characters in the regex - .. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex - .. go ...

ewen-lbh/ffcss Late-Unicode normalization vulnerability

Summary The function lookupPreprocess is meant to apply some transformations to a string by disabling characters in the regex - .. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex - .. go ...

CVE-2023-52081

ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function lookupPreprocess is meant to apply some transformations to a string by disabling characters in the regex - .. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypa...

Input validation

ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function lookupPreprocess is meant to apply some transformations to a string by disabling characters in the regex - .. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypa...

CVE-2023-52081 ewen-lbh/ffcss late-Unicode normalization vulnerability

ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function lookupPreprocess is meant to apply some transformations to a string by disabling characters in the regex - .. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypa...

PT-2023-31913 · Ffcss · Ffcss

Name of the Vulnerable Software and Affected Versions: ffcss versions prior to 0.2.0 Description: The issue concerns a Late-Unicode normalization vulnerability in the lookupPreprocess function, which is used to search for themes loosely by ignoring certain characters. Due to the use of late Unico...

CVE-2023-42183

lockss-daemon aka Classic LOCKSS Daemon before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick...

CVE-2023-42183

lockss-daemon aka Classic LOCKSS Daemon before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick...

CVE-2023-42183

lockss-daemon aka Classic LOCKSS Daemon before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick...

Security feature bypass

lockss-daemon aka Classic LOCKSS Daemon before 1.77.3 performs post-Unicode normalization, which may allow bypass of intended access restrictions, such as when U+1FEF is converted to a backtick...

CVE-2023-42183

CVE-2023-42183 affects lockss-daemon (Classic LOCKSS Daemon) versions prior to 1.77.3. The issue stems from post-Unicode normalization that may allow bypass of access restrictions (e.g., U+1FEF becoming a backtick). The Red Hat/NVD/OSV and related records confirm a security feature bypass in thes...