
16 matches found

Github Security Blog
added 2026/03/04 7:49 p.m., 4 views

Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()

Summary: The setCookie utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if...

CVSS 5.4, AI score 5.8, EPSS 0.0004
Exploits 0, References 4, Affected software 1
NVD
added 2025/10/06 6:15 a.m., 1 view

CVE-2025-9710

The Responsive Lightbox & Gallery WordPress plugin before 2.5.3 does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks...

CVSS 6.3, EPSS 0.00111
Exploits 0, References 1
RedhatCVE
added 2025/06/18 5:18 a.m., 4 views

CVE-2025-6107

A vulnerability was found in comfyanonymous comfyui 0.3.40. It has been classified as problematic. Affected is the function setattr of the file /comfy/utils.py. The manipulation leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The complexity of an...

CVSS 3.1, AI score 3.9, EPSS 0.0028
Exploits 0, References 1
CNNVD
added 2025/06/16 12:00 a.m., 2 views

ComfyUI Security Vulnerability

ComfyUI is one of the most powerful and modular diffusion model GUIs and backends, developed by the individual developer comfyanonymous. A security vulnerability exists in ComfyUI version 0.3.40, which stems from a dynamic attribute issue that could lead to object attribute manipulation...

CVSS 3.1, AI score 4.2, EPSS 0.0028
Exploits 0, References 6
RedhatCVE
added 2025/05/23 4:13 a.m., 10 views

CVE-2023-40261

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR17, 4.0.0 SR07, 4.1.0 SR04, 4.2.0 SR04, and 4.3.0 SR02 fails to validate file attributes during the Pre-Boot Authorization (PBA) process. This can be exploited by a physical attacker who is able to manipulate the contents of the system's har...

CVSS 6.8, AI score 6.6, EPSS 0.0023
Exploits 1, References 1
The Hacker News
added 2023/06/21 11:38 a.m., 3 views

Critical 'nOAuth' Flaw in Microsoft Azure AD Enabled Complete Account Takeover

A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubb...

AI score 7
Exploits 0
Exploit DB
added 2023/03/30 12:00 a.m., 144 views

Ecommerse v1.0 - Cross-Site Scripting (XSS)

Title: Ecommerse v1.0 - Cross-Site Scripting (XSS). Author: nu11secur1ty. Date: 11.23.2022. Vendor: https://github.com/winston-dsouza. Software: https://github.com/winston-dsouza/ecommerce-website. Reference:...

AI score 7.4
Exploits 0
CVE
added 2022/12/15 12:00 a.m., 67 views

CVE-2022-4524

The CVE-2022-4524 entry describes a cross-site scripting vulnerability in Roots soil Plugin up to 4.0.x, affecting language_attributes() in src/Modules/CleanUpModule.php due to improper neutralization of the language parameter. A remote attacker could exploit it; upgrading to 4.1.0 fixes this, wi...

CVSS 6.1, AI score 4.8, EPSS 0.00269
Exploits 0, References 4, Affected software 1
CISA KEV Catalog
added 2022/08/18 12:00 a.m., 31 views

Microsoft Active Directory Domain Services Privilege Escalation Vulnerability

An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow for privilege escalation to SYSTEM...

CVSS 9, AI score 5.3, EPSS 0.91596
In wild, Exploits 8
Veracode
added 2022/04/13 3:18 a.m., 23 views

Prototype Pollution

nconf is vulnerable to prototype pollution. The function prototype.set allows an attacker to get control of the value of “path” and modify attributes such as __proto__, constructor and prototype...

CVSS 7.5, AI score 4.5, EPSS 0.00932
Exploits 1, References 4, Affected software 1
Prion
added 2022/01/13 3:15 p.m., 10 views

Cross site scripting

This affects the package Crow before 0.3+4. When using attributes without quotes in the template, an attacker can manipulate the input to introduce additional attributes, potentially executing code. This may lead to a Cross-site Scripting (XSS) vulnerability, assuming an attacker can influence the...

CVSS 4.3, AI score 5.9, EPSS 0.00307
Exploits 1, References 3, Affected software 1
NVD
added 2021/12/15 8:15 p.m., 10 views

CVE-2021-43782

Tuleap is a Libre and Open Source tool for end-to-end traceability of application and system developments. This is a follow-up to GHSA-887w-pv2r-x8pm/CVE-2021-41276; the initial fix was incomplete. Tuleap does not properly sanitize the search filter built from the ldapid attribute of a user durin...

CVSS 7.2, EPSS 0.00807
Exploits 0, References 5
PyPA
added 2019/10/03 8:15 p.m., 5 views

PYSEC-2019-118

In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify object attributes to construct a remote procedure call that executes code for an RPyC service with default configuration settings...

CVSS 7.5, AI score 7.2, EPSS 0.73039
Exploits 2, References 6, Affected software 1
0day.today
added 2017/07/24 12:00 a.m., 49 views

WebKit - WebCore::AccessibilityRenderObject::handleAriaExpandedChanged Use-After-Free Exploit

Exploit for multiple platforms in category dos / poc. Snippet: div { visibility: collapse } ... function eventhandler() { document.execCommand("bold", false); img.style.removeProperty("-webkit-appearance"); img.setAttribute("aria-expanded", "false"); } aaa <!-- =================================================================...

CVSS 6.8, AI score 8.3, EPSS 0.03473
Exploits 4
ThreatPost
added 2010/06/08 1:06 p.m., 40 views

Apple Plugs 48 Security Holes in Safari Browser

Apple has shipped new versions of its Safari browser with patches for at least 48 security vulnerabilities. The Safari 4.1 and 5.0 updates, considered “highly critical,” are available for both Windows and Mac OS X. Exploitation of some of these vulnerabilities could lead to drive-by download remot...

CVSS 10, AI score 1.9, EPSS 0.52397
Exploits 2, References 1
Prion
added 2010/03/25 9:00 p.m., 11 views

Design/Logic Flaw

Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Safari before 4.1 on Mac OS X 10.4, and Safari on Apple iPhone OS allows remote attackers to execute arbitrary code or cause a denial of service (application crash), or read the SMS database...

CVSS 10, AI score 8, EPSS 0.52397
Exploits 1, References 17, Affected software 4