
7 matches found

Snyk
added 2026/05/27 9:41 a.m., 9 views

Cross-site Scripting (XSS)

Overview: symfony/symfony is a PHP framework for web applications and a set of reusable PHP components. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via HtmlSanitizer due to improper sanitization of URL attributes on object, applet, iframe, img and meta refresh. By...

6.1 CVSS, 5.6 AI score
Exploits: 0, References: 2
OSV
added 2022/07/07 4:15 p.m., 2 views

DEBIAN-CVE-2015-5236

It was discovered that the IcedTea-Web used codebase attribute of the <applet> tag on the HTML page that hosts Java applet in the Same Origin Policy (SOP) checks. As the specified codebase does not have to match the applet's actual origin, this allowed malicious site to bypass SOP via spoofed codebase value...

7.5 CVSS, 7.3 AI score, 0.00124 EPSS
Exploits: 1, References: 1
Exploit DB
added 2010/10/13 12:0 a.m., 31 views

Oracle Java - APPLET Tag Children Property Memory Corruption

Source: http://skypher.com/index.php/2010/10/13/issue-18-oracle-java-applet-childre/ o=document.createElement"applet"; setTimeoutfunction x=o.children; location.reload; , 1; Tested with: Windows XP sp3 5.1.2600 MSIE 7.0.5730.13 MSIE 8.0.6001.18702 Sun Java Version 6 Update 20 1.6.020-b02...

7.4 AI score
Exploits: 0
NVD
added 2002/11/29 5:0 a.m., 13 views

CVE-2002-1291

The Microsoft Java implementation, as used in Internet Explorer, allows remote attackers to read arbitrary local files and network shares via an applet tag with a codebase set to a "file://%00" null character URL...

5 CVSS, 6.5 AI score, 0.10288 EPSS
Exploits: 0, References: 4
Cvelist
added 2002/11/14 5:0 a.m., 20 views

CVE-2002-1291

The Microsoft Java implementation, as used in Internet Explorer, allows remote attackers to read arbitrary local files and network shares via an applet tag with a codebase set to a "file://%00" null character URL...

6.5 AI score, 0.10288 EPSS
Exploits: 0, References: 4
EUVD
added 2002/11/14 5:0 a.m., 3 views

EUVD-2002-1275

The Microsoft Java implementation, as used in Internet Explorer, allows remote attackers to read arbitrary local files and network shares via an applet tag with a codebase set to a "file://%00" null character URL...

5 CVSS, 6.5 AI score, 0.10288 EPSS
Exploits: 0, References: 4
Friends Of PHP
added 1970/01/01 12:0 a.m., 5 views

CVE-2026-48761: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes on <object>, <applet>, <iframe>, <img> and the URL Inside <meta http-equiv="refresh"> content

More info at https://symfony.com/cve-2026-48761...

5.8 AI score
Exploits: 0, Affected Software: 1