558 matches found
CVE-2024-28234
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. A...
CVE-2024-28234 Contao has insufficient BBCode sanitizer
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. A...
CVE-2024-28234
Contao is affected when BBCode is enabled for comments, allowing CSS injection via BBCode in user comments. The issue affects Contao 2.0.0 and earlier, and versions prior to 4.13.40 and 5.3.4. Patch versions are Contao 4.13.40 and 5.3.4, which fix the vulnerability. As a workaround, disable BBCod...
[SECURITY] Fedora 40 Update: javaparser-3.25.8-3.fc40
This package contains a Java 1 to 13 Parser with AST generation and visitor support. The AST records the source code structure, javadoc and comments. It is also possible to change the AST nodes or create new ones to modify the source code...
BIT-GITLAB-2020-10975
GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page...
BIT-ODOO-2021-44465
Improper access control in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier allows authenticated attackers to subscribe to receive future notifications and comments related to arbitrary business records in the system, via crafted RPC requests...
CVE-2024-24784
A flaw was found in Go's net/mail standard library package. The ParseAddressList function incorrectly handles comments text within parentheses within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions made by programs using...
CVE-2024-24784
The CVE-2024-24784 issue affects Go’s net/mail component (ParseAddressList) where comments in display names are incorrectly handled, causing mismatched trust decisions across parsers. The connected Astra Linux and Red Hat/AlmaLinux advisories confirm this vulnerability and tie it to golang/net/ma...
CVE-2024-24784 Comments in display names are incorrectly handled in net/mail
The ParseAddressList function incorrectly handles comments text within parentheses within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers...
CVE-2021-47045
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix null pointer dereference in lpfc_prep_els_iocb. It is possible to call lpfc_issue_els_plogi passing a did for which no matching ndlp is found. A call is then made to lpfc_prep_els_iocb with a null pointer to a lpfc_nodelist...
Authorization Bypass in moodle
Insufficient checks in a web service made it possible to add comments to the comments block on another user's dashboard when it was not otherwise available, e.g., on their profile page...
CVE-2023-41703
User ID references at mentions in document comments were not correctly sanitized. Script code could be injected into a user's session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avo...
[SECURITY] Fedora 38 Update: python-nikola-8.3.0-1.fc38
Nikola is a static site and blog generator using Python. It generates sites with tags, feeds, archives, comments, and more from plain text files. Source can be unformatted, or formatted with reStructuredText or Markdown. It also automatically builds image galleries...
Malicious input can provoke XSS when preserving comments
Impact: There is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in...
CVE-2021-4227
The ark-commenteditor WordPress plugin through 2.15.6 does not properly sanitise or encode the comments when in Source editor, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page to the comment section...
Design/Logic Flaw
The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comment...
GitLab 11.1 < 14.3.6 / 14.4 < 14.4.4 / 14.5 < 14.5.2 (CVE-2021-39918)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a use...