928 matches found
Invenio-Drafts-Resources Security Vulnerability
Invenio-Drafts-Resources is a submission/deposit module for Invenio. It is used for research data management. A security vulnerability exists in Invenio-Drafts-Resources versions prior to 0.13.7 and 0.14.6, which stems from a failure to properly check permissions in the affected product. The...
Overview: OWASP Top 10 2021
The long-awaited OWASP Top 10 2021 draft edition is here. We take you through the changes, new vulnerabilities, and the triggers, enabling you to secure your apps against the latest threats...
CVE-2021-24635 Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user such as subscriber to call them and 1 Get and search through title and content of Draft post, ...
PT-2021-16151 · WordPress · Visual Link Preview
Name of the Vulnerable Software and Affected Versions: Visual Link Preview WordPress plugin versions prior to 2.2.3 Description: The issue allows any authenticated user to call several AJAX actions without proper authorization, due to the CSRF nonce being displayed for all authenticated users. Th...
Cross-Site Request Forgery (CSRF) in justingit/dada-mail
✍️ Description Attacker able to Add any Draft with CSRF attack. In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visiting a...
Cross-Site Request Forgery (CSRF) in justingit/dada-mail
✍️ Description Attacker able to delete any Draft with CSRF attack. In CSRF attacks it is necessary that a user logged into your application and just going to a malicious website and after that only with a redirection attacker can perform attack on unprotected endpoint, this means only with visitin...
Visual Link Preview < 2.2.3 - Unauthorised AJAX Calls
The plugin does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user such as subscriber to call them and 1 Get and search through title and content of Draft post, 2 Get title of a password-protected post as...
Moodle Resource Management Error Vulnerability
Moodle is a free, open source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment. Moodle suffers from a resource management error vulnerability that stems from insufficient validation of user-supplied input in the...
PT-2021-3117 · Moodle +1 · Moodle +1
Name of the Vulnerable Software and Affected Versions: Moodle versions 3.5 to 3.5.17 Moodle versions 3.8 to 3.8.8 Moodle versions 3.9 to 3.9.6 Moodle versions 3.10 to 3.10.3 Description: A denial-of-service risk was identified in the draft files area, due to it not respecting user file upload...
Cross-Site Scripting
Overview: react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URI in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS. Recommendation: Upgrade to version 1.14.6 or later. References: CVE, GitHub Advisory...
@1studio/ui (>=1.0.7 <=2.83.0), @cloudacademy/integrations (>=0.0.2 <=0.0.15) +51 more potentially affected by CVE-2021-31712 via react-draft-wysiwyg (>=1.10.0 <=1.14.5)
react-draft-wysiwyg NPM version =1.10.0, =1.0.7, =0.0.2, =2.1.15, =0.1.0, =1.0.0, =1.0.0, =0.1.1, =0.1.5, =0.8.6, =0.0.15, =2.1.19, =1.0.0, =0.10.5, =0.0.8, =0.2.5 and more Source cves: CVE-2021-31712 Source advisory: OSV:GHSA-QCG2-H349-VWM3...
GHSA-QCG2-H349-VWM3 Cross-site Scripting in React Draft Wysiwyg
react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...
Cross-site Scripting in React Draft Wysiwyg
react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...
CVE-2021-31712
react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...
Cross site scripting
react-draft-wysiwyg aka React Draft Wysiwyg before 1.14.6 allows a javascript: URi in a Link Target of the link decorator in decorators/Link/index.js when a draft is shared across users, leading to XSS...
CVE-2021-31712
React Draft Wysiwyg (react-draft-wysiwyg) prior to 1.14.6 is vulnerable to XSS via a javascript: URI in a Link Target within decorators/Link/index.js when a draft is shared across users. The issue is documented across multiple feeds (including CVE-2021-31712 entries and Red Hat/Veracode advisorie...
react-draft-wysiwyg Cross-Site Scripting Vulnerability
react-draft-wysiwyg is a WYSIWYG editor built with the ReactJS and DraftJS libraries. A cross-site scripting vulnerability exists in react-draft-wysiwyg versions prior to 1.14.6, which stems from allowing a javascript: URI in decorators/Link/index.js...
Zammad Information Disclosure Vulnerability (CNVD-2020-75059)
Zammad is a Web-based open source helpdesk/customer support system. An information disclosure vulnerability exists in Zammad versions prior to 3.4.1. The vulnerability can be exploited by an attacker to gain unauthorized access to a knowledge base draft via the global search function...