CVE-2024-3166

Summary: CVE-2024-3166 affects mintplex-labs/anything-llm, including desktop v1.2.0 to v1.4.1 and the web app. The vulnerability is an XSS in the feature that fetches and embeds external website content into workspaces, with a route to Remote Code Execution in the desktop app due to Electron sett...

AnythingLLM Cross-Site Scripting Vulnerability

AnythingLLM is a business-compliant document chatbot. A cross-site scripting vulnerability exists in AnythingLLM that stems from the application's ability to fetch content from a website and embed it in the workspace, which can be exploited to execute arbitrary JavaScript code...

GHSA-4M3G-6R7G-JV4F Arbitrary JavaScript execution due to using outdated libraries

Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. PoC 1. Generate a pdf file with a malicious script in the fontmatrix. This will run alert‘XSS’. poc.pdf 2. Run the app. In this PoC, I've used the demo...

Cross-Site Scripting (XSS)

typo3/cms-core is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper user input encoding of notifications shown in modal windows within the TYPO3 backend, which allows an attacker with a valid backend user account to execute arbitrary JavaScript in a users browser...

PDF.js < 4.2.67 - Arbitrary JavaScript Execution

Description PDF.js is vulnerable to Arbitrary JavaScript Execution in versions prior to 4.2.67. This is due to a missing type check when handling fonts. This makes it possible for authenticated attackers, with contributor-level or above permissions, to execute arbitrary JavaScript if they can...

CVE-2024-31907

IBM Planning Analytics Local 2.0 and 2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 289889...

CVE-2024-25976

When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser. This is due to a fault in the file login.php where the...

CVE-2024-25976

When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser. This is due to a fault in the file login.php where the...

CVE-2024-25976

The CVE-2024-25976 entry refers to HAWKI (HAWK Digital Environments)—a university teaching interface. When LDAP authentication is enabled, the application reflects the value of $_SERVER['PHP_SELF'] in login.php, enabling reflected XSS that allows arbitrary JavaScript execution in the victim’s bro...

Code Injection

pug is vulnerable to Code execution. The vulnerability is due to the lack of proper input validation for the name option in the compileClient, compileFileClient, or compileClientWithDependenciesTracked functions, which allows attackers to execute arbitrary JavaScript code in the context of the...

IBM Security Guardium Cross-Site Scripting Vulnerability (CNVD-2024-26498)

IBM Security Guardium is a suite of platforms from International Business Machines IBM that provide data protection capabilities. The platform includes features such as custom UI, report management and streamlined audit process building. A cross-site scripting vulnerability exists in IBM Security...

Tmont Pug 安全漏洞

Tmont Pug is a Tmont open source application. It provides a way to optimize html. A security vulnerability exists in Tmont Pug 3.0.2 and prior versions that stems from the presence of untrusted input that allows execution of arbitrary JavaScript code...

SUSE-SU-2024:1770-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Update to version 115.11.0 ESR bsc1224056: - CVE-2024-4367: Arbitrary JavaScript execution in PDF.js - CVE-2024-4767: IndexedDB files retained in private browsing mode - CVE-2024-4768: Potential permissions request bypass via clickjacking...

Mozilla: Arbitrary JavaScript execution in PDF.js

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context...

Mageia: Security Advisory (MGASA-2024-0189)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Mageia: Security Advisory (MGASA-2024-0191)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

MGASA-2024-0191 Updated thunderbird packages fix security vulnerabilities

Arbitrary JavaScript execution in PDF.js. CVE-2024-4367 IndexedDB files retained in private browsing mode. CVE-2024-4767 Potential permissions request bypass via clickjacking. CVE-2024-4768 Cross-origin responses could be distinguished between script and non-script content-types. CVE-2024-4769...

Updated nss & firefox packages fix security vulnerabilities

Arbitrary JavaScript execution in PDF.js. CVE-2024-4367 IndexedDB files retained in private browsing mode. CVE-2024-4767 Potential permissions request bypass via clickjacking. CVE-2024-4768 Cross-origin responses could be distinguished between script and non-script content-types. CVE-2024-4769...

AlmaLinux 9 : firefox (ALSA-2024:2883)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:2883 advisory. - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affec...

Mozilla: Arbitrary JavaScript execution in PDF.js

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context...