8549 matches found
CVE-2024-3188
CVE-2024-3188 affects the WordPress plugin Shortcodes Ultimate (Shortcodes Plugin) up to version 7.0.x (pre-7.1.0). The issue is a lack of validation/escaping of certain shortcode attributes, which are output back into the page/post containing the shortcode. This can enable Stored Cross-Site Scri...
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
A cross-site scripting XSS flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. Th...
CVE-2024-2799
CVE-2024-2799 affects the Royal Elementor Addons and Templates WordPress plugin. The issue is stored XSS via Image Grid and Advanced Text widgets due to insufficient input sanitization and output escaping in user-supplied attributes, allowing an authenticated attacker with contributor+ privileges...
Denial Of Service (DoS)
FRRouting/frr is vulnerable to Denial of Service DoS. This vulnerability occurs due to improper handling of the Prefix SID attribute in the bgpattrmalformed function within bgpattr.c, leading to a crash of the bgpd daemon...
EulerOS Virtualization 2.10.1 : python-jinja2 (EulerOS-SA-2024-1554)
According to the versions of the python-jinja2 package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax...
SUSE CVE-2023-52643
In the Linux kernel, the following vulnerability has been resolved: iio: core: fix memleak in iiodeviceregistersysfs When iiodeviceregistersysfsgroup fails, we should free iiodevopaque-chanattrgroup.attrs to prevent potential memleak...
SUSE CVE-2024-26836
In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix password opcode ordering for workstations The Lenovo workstations require the password opcode to be run before the attribute value is changed if Admin password is enabled. Tested on some Thinkpads to...
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
A cross-site scripting XSS flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. Th...
PT-2024-21797 · WordPress · Otter Blocks
Name of the Vulnerable Software and Affected Versions: Otter Blocks WordPress plugin versions prior to 2.6.6 Description: The issue arises from the Otter Blocks WordPress plugin not properly escaping its mainHeadings blocks' attribute before appending it to the final rendered block. This allows...
WordPress Plugin Element Pack Elementor Addons 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
CVE-2024-32472
The CVE-2024-32472 entry details a stored XSS in Excalidraw’s web embeddable component. Two vectors exist: (1) untrusted content rendered as an iframe srcdoc without proper HTML sanitization, and (2) improper sanitization against attribute HTML injection, exacerbated by allow-same-origin in the s...
com.charlyghislain.keycloak:keycloak-importexport (=21.0.0), com.github.vzakharchenko:chillispot-radius-plugin (>=1.4.10 <=1.4.11) +79 more potentially affected by CVE-2024-2419 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=22.0.1)
org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =0.3.0-20.0.1, =0.4.5-20.0.2, =1.0.1, =1.3.2, =1.3.6 - io.github.jeff-tian:keycloak-phone-provider =2.3.10 and more Source cves: CVE-2024-2419 Source advisor...
CVE-2024-26836
In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix password opcode ordering for workstations The Lenovo workstations require the password opcode to be run before the attribute value is changed if Admin password is enabled. Tested on some Thinkpads to...
CVE-2024-32463 phlex makes Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an tag...
CVE-2024-32463
The CVE-2024-32463 entry concerns phlex, a Ruby-based open source framework for building object-oriented views. The vulnerability is an XSS flaw in the handling of href attributes on tags, where the javascript: scheme can be bypassed by inserting tab or newline characters (e.g., java\tscript:). ...
Cross Site Scripting (XSS)
phlex is vulnerable to Cross Site Scripting. The vulnerability is due improper filtering of javascript: URL scheme within the href attribute of an tag, which allows an attacker to insert tab \t or newline \n characters between the characters of the protocol, resulting in Cross Site Scripting...
DEBIAN-CVE-2024-26849
In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nlavalidaterangeunsigned lib/nlattr.c:222 inline BUG: KMSAN: uninit-value in nlavalidateintrange lib/nlattr.c:336 inline BUG: KMSAN: uninit-value in...
CVE-2024-26849
In the Linux kernel, the following vulnerability has been resolved: netlink: add nla be16/32 types to minlen array BUG: KMSAN: uninit-value in nlavalidaterangeunsigned lib/nlattr.c:222 inline BUG: KMSAN: uninit-value in nlavalidateintrange lib/nlattr.c:336 inline BUG: KMSAN: uninit-value in...
CVE-2024-26855
CVE-2024-26855 – Linux kernel (net/ice) : The vulnerability is a NULL pointer dereference in ice_bridge_setlink(). If nlmsg_find_attr() returns NULL, br_spec may be dereferenced during nla_for_each_nested(), causing a crash/local impact. The fix adds an explicit check that br_spec is not NULL bef...
CVE-2024-26836
In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix password opcode ordering for workstations The Lenovo workstations require the password opcode to be run before the attribute value is changed if Admin password is enabled. Tested on some Thinkpads to...