125 matches found
CVE-2024-2000
The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'navigationdots' parameter of the Multi Scroll Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
WordPress Plugin Premium Addons PRO Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability exists in...
PT-2024-18488 · WordPress · Premium Addons Pro
Name of the Vulnerable Software and Affected Versions: Premium Addons PRO plugin for WordPress versions up to, and including, 2.9.12 Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in the navigation dots parameter of the...
CVE-2024-23340
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
CVE-2024-23340 @hono/node-server can't handle "double dots" in URL
@hono/node-server is an adapter that allows users to run Hono applications on Node.js. Since v1.3.0, @hono/node-server has used its own Request object with url behavior that is unexpected. In the standard API, if the URL contains .., here called "double dots", the URL string returned by Request...
Sudo Path Traversal Vulnerability
Sudo is a program used on Unix-like systems that allows users to execute commands with special privileges in a secure manner. A security vulnerability exists in Sudo-rs versions prior to 0.2.1, which stems from the fact that a username containing the . and / characters could cause specific files ...
CVE-2023-2813 Multiple Themes - Reflected XSS
All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before 1.8.6, Brain Power WordPress theme through 1.2,...
PT-2023-19184 · Ubiquiti · Edgerouter X
Name of the Vulnerable Software and Affected Versions: Ubiquiti EdgeRouter X versions up to 2.0.9-hotfix.6 Description: A critical issue affects the Web Management Interface component. The manipulation of the dpi argument leads to command injection, allowing remote attacks. The issue has been...
SUSE CVE-2008-3660
PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service crash via a request with multiple dots preceding the extension, as demonstrated using foo..php...
SUSE CVE-2011-4681
Opera before 11.60 does not properly consider the number of . dot characters that conventionally exist in domain names of different top-level domains, which allows remote attackers to bypass the Same Origin Policy by leveraging access to a different domain name in the same top-level domain, as...
SUSE CVE-2015-0235
Heap-based buffer overflow in the nsshostnamedigitsdots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the 1 gethostbyname or 2 gethostbyname2 function, aka "GHOST."...
SUSE CVE-2019-13464
An issue was discovered in OWASP ModSecurity Core Rule Set CRS 3.0.2. Use of X.Filename instead of XFilename can bypass some PHP Script Uploads rules, because PHP automatically transforms dots into underscores in certain contexts where dots are invalid...
SUSE CVE-2022-37866
When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characte...
OpenSSL 安全漏洞
OpenSSL is a powerful, commercial-grade, full-featured open source toolkit for the Transport Layer Security TLS protocol, which is implemented based on the Full Strength Common Cryptographic Library for protecting communications on computer networks from eavesdropping and is widely used by Intern...
CVE-2022-30115
Using its HSTS support, curl can be instructed to use HTTPS directly insteadof using an insecure clear-text HTTP step even when HTTP is provided in theURL. This mechanism could be bypassed if the host name in the given URL used atrailing dot while not using one when it built the HSTS cache. Or th...
GHSA-6Q4G-84F3-MW74 Improper handling of equivalent directory names on Windows in Jenkins
Jenkins stores jobs and other entities on disk using their name shown on the UI as file and folder names. On Windows, when specifying a file or folder with a trailing dot character example., the file or folder will be treated as if that character was not present example. As both are legal names f...
PT-2025-8362 · Linux +2 · Linux Kernel +2
Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A vulnerability in the Linux kernel has been identified, which can cause a kernel panic. The issue arises when the inline dots flag is set in a special file, such as a character, block...
DEBIAN-CVE-2021-3907
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa, which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine...
UBUNTU-CVE-2021-3907
OctoRPKI does not escape a URI with a filename containing "..", this allows a repository to create a file, ex. rsync://example.org/repo/../../etc/cron.daily/evil.roa, which would then be written to disk outside the base cache folder. This could allow for remote code execution on the host machine...
PT-2021-14725 · Jenkins · Jenkins
Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.314 and earlier Jenkins LTS versions 2.303.1 and earlier Description: The issue arises from Jenkins accepting names of jobs and other entities with a trailing dot character on Windows, potentially allowing users with...