5 matches found

RubySec
added 2026/04/22 12:0 a.m. | 6 views

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Summary: The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...

CVSS 4.6 | AI score 5.9 | EPSS 0.00043
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD
added 2026/02/22 12:0 a.m. | 7 views

Web Ofisi Firma SQL Injection Vulnerability

Web Ofisi Firma is a general-purpose corporate website script system developed by the Turkish company Web Ofisi. Version 13 of Web Ofisi Firma contains an SQL injection vulnerability, which stems from insufficient input validation for oz array parameters, potentially allowing SQL injection attack...

CVSS 8.8 | AI score 5.9 | EPSS 0.00148
Exploits: 1 | References: 4
OSV
added 2022/06/18 12:0 a.m. | 4 views

GHSA-J32J-2HXV-RQF7 pg-native and libpq vulnerable to uncontrolled resource consumption

pg-native before 3.0.1 and libpq before 1.8.10 are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed. Note: pg-native is a mere binding to npm's libpq library, which in turn has the addons...

CVSS 7.5 | AI score 5.8 | EPSS 0.00433
Exploits: 1 | References: 5
Snyk
added 2021/08/25 3:30 p.m. | 2 views

Cross-site Scripting (XSS)

Overview: tempura is a light, crispy, and delicious template engine. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). If the input to the esc function is of type object (i.e. an array), it is returned without being escaped/sanitized, leading to a potential Cross-Site...

CVSS 6.1 | AI score 5.2 | EPSS 0.00326
Exploits: 1 | References: 2
0day.today
added 2018/11/19 12:0 a.m. | 27 views

Microsoft Edge Chakra - OP_Memset Type Confusion Exploit

Exploit for Windows platform in category dos / poc. Microsoft Edge Chakra - OP_Memset Type Confusion. Since the patch for CVE-2018-8372, it checks all inputs to native arrays, and if any input equals to the MissingItem value which can cause type confusion, it starts the bailout process. But it...

AI score 7 | EPSS 0.48779
Exploits: 4