8549 matches found
CVE-2024-28199 Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you...
Cross site scripting
The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is...
PT-2024-10411 · Ibm · Ibm Security Directory Integrator +1
Name of the Vulnerable Software and Affected Versions: IBM Security Directory Integrator version 7.2.0 IBM Security Verify Directory Integrator version 10.0.0 Description: The issue is related to the absence of the secure attribute in session cookies, allowing attackers to obtain cookie values by...
PT-2024-10410 · Ibm · Ibm Security Directory Integrator +1
Name of the Vulnerable Software and Affected Versions: IBM Security Directory Integrator version 7.2.0 IBM Security Verify Directory Integrator version 10.0.0 Description: The issue is related to the absence of the secure attribute in session cookies, which may allow attackers to obtain cookie...
Fedora: Security Advisory for voms-clients-java (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Fedora: Security Advisory for voms-api-java (FEDORA-2024-129d8ca6fc)
The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
[SECURITY] Fedora 40 Update: voms-clients-java-3.3.2-13.fc40
The Virtual Organization Membership Service VOMS is an attribute authority which serves as central repository for VO user authorization information, providing support for sorting users into group hierarchies, keeping track of their roles and other attributes in order to issue trusted attribute...
[SECURITY] Fedora 40 Update: voms-api-java-3.3.2-16.fc40
The Virtual Organization Membership Service VOMS is an attribute authority which serves as central repository for VO user authorization information, providing support for sorting users into group hierarchies, keeping track of their roles and other attributes in order to issue trusted attribute...
CVE-2024-1506
The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titletags' attribute of the Fiestar widget in all versions up to, and including, 3.13.1 due to insufficient input sanitization and output escaping. This makes it possible for...
WordPress Plugin Restaurant Reservations Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed using the PHP language, which supports personal blogs on PHP and MySQL servers.WordPress plugin is an...
WordPress Plugin Prime Slider Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...
BIT-GITLAB-2022-0167
An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the Autocomplete attribute of fields related to sensitive information making i...
BIT-GITLAB-2022-0427
Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover...
BIT-MAGENTO-2021-21015 Magento Commerce Unauthorized Data Modification Could Lead to Arbitrary Code Execution
Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to an OS command injection via the customer attribute save controller. Successful exploitation could lead to arbitrary code execution by an authenticated attacker. Access to the admin console is required fo...
BIT-GOLANG-2023-29400 Improper handling of empty HTML attributes in html/template
Templates containing actions in unquoted HTML attributes e.g. "attr=." executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags...
SUSE CVE-2023-52520
In the Linux kernel, the following vulnerability has been resolved: platform/x86: think-lmi: Fix reference leak If a duplicate attribute is found using ksetfindobj, a reference to that attribute is returned which needs to be disposed accordingly using kobjectput. Move the setting name validation...
PT-2024-2537 · Rpyc +1 · Rpyc +1
Name of the Vulnerable Software and Affected Versions: RPyC versions prior to 6.0.0 Description: The issue is related to the netref component of the RPyC Python library, which has an incorrect security check for standard elements. This can allow a remote attacker to execute arbitrary code by...
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
A cross-site scripting XSS flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. Th...
frr: crash from specially crafted MP_UNREACH_NLRI-containing BGP UPDATE message
A flaw was found in frr. A crash can occur when processing a crafted BGP UPDATE message with a MPUNREACHNLRI attribute and additional NLRI data that lacks mandatory path attributes...
389-ds-base: a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)
A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in logentryattr...