ONLYOFFICE Docs Cross-Site Scripting Vulnerability
ONLYOFFICE Docs is an online office software from ONLYOFFICE, Inc. A cross-site scripting vulnerability exists in ONLYOFFICE Docs version 8.3.1 and prior versions. It stems from reflected cross-site scripting when opening a file via the WOPI protocol, which could lead to the execution of...
Important: Red Hat Security Advisory: Red Hat Developer Hub 1.5.2 release.
Red Hat Developer Hub 1.5.2 has been released. Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single...
com.codbex.phoebe:codbex-phoebe-application (>=0.2.0 <=2.44.0), org.springframework.cloud:spring-cloud-gateway-docs (>=4.2.1 <=4.2.2) +1 more potentially affected by CVE-2025-41235 via org.springframework.cloud:spring-cloud-gateway-server-mvc (>=4.2.0 <=4.2.2)
org.springframework.cloud:spring-cloud-gateway-server-mvc MAVEN version =4.2.0, =0.2.0, =4.2.1, =4.2.0, =4.2.2 Source cves: CVE-2025-41235 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKCLOUD-10265482...
com.codbex.phoebe:codbex-phoebe-application (>=0.2.0 <=2.44.0), org.springframework.cloud:httpclient (=4.1.9) +2 more potentially affected by CVE-2025-41235 via org.springframework.cloud:spring-cloud-gateway-server-mvc (>=4.1.7 <=4.2.2)
org.springframework.cloud:spring-cloud-gateway-server-mvc MAVEN version =4.1.7, =0.2.0, =4.1.7, =4.1.7, =4.2.2 Source cves: CVE-2025-41235 Source advisory: OSV:GHSA-6J2Q-C73V-97C5...
CVE-2024-9207
The BuddyPress Docs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
CVE-2024-44085
ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883...
CVE-2024-10664
The Knowledge Base documentation & wiki plugin – BasePress Docs plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the basepressdbpostsupdate function in all versions up to, and including, 2.16.3.3. This makes it possible for authenticated...
CVE-2024-35695
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Fahad Mahmood WP Docs allows Stored XSS. This issue affects WP Docs: from n/a through 2.1.3...
CVE-2024-37403
Ivanti Docs@Work for Android before 2.26.0 is affected by the 'Dirty Stream' vulnerability. The application fails to properly sanitize file names, resulting in a path traversal-affiliated vulnerability. This potentially enables other malicious apps on the device to read sensitive information...
CVE-2024-56288
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Docs wp-docs allows Stored XSS. This issue affects WP Docs: from n/a through <= 2.2.1...
CVE-2024-11450
The ONLYOFFICE Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'onlyoffice' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
CVE-2024-12635
The WP Docs plugin for WordPress is vulnerable to time-based SQL Injection via the 'dirid' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
CVE-2023-32106
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Fahad Mahmood WP Docs plugin <= 1.9.9 versions...
CVE-2023-30873
Missing Authorization vulnerability in Fahad Mahmood WP Docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through 1.9.8...
CVE-2020-35467
The Docker Docs Docker image through 2020-12-14 contains a blank password for the root user. Systems deployed using affected versions of the Docker Docs container may allow a remote attacker to achieve root access with a blank password...
CVE-2019-13175
Read the Docs before 3.5.1 has an Open Redirect if certain user-defined redirects are used. This affects private instances of Read the Docs in addition to the public readthedocs.org web sites...
Arbitrary Code Injection
Overview: langroid is a Harness LLMs with Multi-Agent Programming. Affected versions of this package are vulnerable to Arbitrary Code Injection through the computefromdocs process. An attacker can execute arbitrary code by manipulating the input data to the QueryPlan.dataframecalc method. Remediati...
Malicious code in packer-docs (npm)
Source: ghsa-malware (1782d63cb233376840f8858730ae3188cb861a13f2d159a3a045a4157017f0ac). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3913 Malicious code in packer-docs (npm)
Source: ghsa-malware (1782d63cb233376840f8858730ae3188cb861a13f2d159a3a045a4157017f0ac). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in qlkube-docs (npm)
Source: ossf-package-analysis (f3dbf8b78dfd8c62a064365429aad674f445926ed19a43a3ac031b864d3fe2c1). The OpenSSF Package Analysis project identified 'qlkube-docs' @ 3.0.0 (npm) as malicious. It is considered malicious because: - The package execut...