CVE-2021-43206

The CVE-2021-43206 issue affects Fortinet FortiOS and FortiProxy. A server-generated error message can leak a web proxy’s client username and IP via same-origin HTTP requests that trigger proxy-generated HTTP status code pages. Affected FortiOS/FortiProxy ranges include FortiOS 7.0.0–7.0.3, 6.4.0...

CVE-2021-43206

A server-generated error message containing sensitive information in Fortinet FortiOS 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.x, 6.0.x and FortiProxy 7.0.0 through 7.0.1, 2.0.x allows malicious webservers to retrieve a web proxy's client username and IP via same origin HTTP requests...

Division by zero

I'm upgrading the following issue from a QA report issue 48 to Medium risk: Division by zero calculateDeviationThresholdBasisPoints was important enough to be in a separate library rather than being just a normal function of another contract so it should be generic enough for other contracts to u...

GHSA-C22J-84C7-CM77 TYPO3 leaks a hash secret in an error message

The jumpUrl mechanism in class.tslibfe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret juHash in an error message, which allows remote attackers to read arbitrary files by including the hash in a request...

TYPO3 leaks a hash secret in an error message

The jumpUrl mechanism in class.tslibfe.php in TYPO3 3.3.x through 3.8.x, 4.0 before 4.0.12, 4.1 before 4.1.10, 4.2 before 4.2.6, and 4.3alpha1 leaks a hash secret juHash in an error message, which allows remote attackers to read arbitrary files by including the hash in a request...

Cross-site scripting in Apache Struts

Cross-site scripting XSS vulnerability in 1 LookupDispatchAction and possibly 2 DispatchAction and 3 ActionDispatcher in Apache Software Foundation ASF Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting...

Apache Tomcat Discloses MS-DOS Pathname

Apache Tomcat 4.0.3, when running on Windows, allows remote attackers to obtain sensitive information via a request for a file that contains an MS-DOS device name such as lpt9, which leaks the pathname in an error message, as demonstrated by lpt9.xtp using Nikto...

GHSA-X89R-2WJQ-MJ7X Apache Tomcat Discloses MS-DOS Pathname

Apache Tomcat 4.0.3, when running on Windows, allows remote attackers to obtain sensitive information via a request for a file that contains an MS-DOS device name such as lpt9, which leaks the pathname in an error message, as demonstrated by lpt9.xtp using Nikto...

Apache Struts Cross-site scripting Vulnerability

Cross-site scripting XSS vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message...

Apache Tomcat Leaks Information via Error Message

Apache Tomcat 4.0.3 for Windows allows remote attackers to obtain the web root path via an HTTP request for a resource that does not exist, such as lpt9, which leaks the information in an error message...

GHSA-R6CF-CR44-M8RR Apache Tomcat Leaks Pathname Information via Error Message

Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by 1 +/, 2 /, 3 /, and 4 %20/, which leaks the pathname in an error message...

Apache Tomcat Leaks Pathname Information via Error Message

Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by 1 +/, 2 /, 3 /, and 4 %20/, which leaks the pathname in an error message...

GHSA-58HJ-575G-5J25 Apache Tomcat allows webmasters to insert xss into error messages

A cross-site scripting vulnerability in Apache Tomcat 3.2.1 allows a malicious webmaster to embed Javascript in a request for a .JSP file, which causes the Javascript to be inserted into an error message...

Jakarta Apache Tomcat Reveals Physical Paths

Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path...

GHSA-QG4G-6JCQ-RW93 Jakarta Apache Tomcat Reveals Physical Paths

Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path...

Reflected XSS on clients-registrations endpoint

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser. Acknowledgement...

Cross-site Scripting (XSS)

Overview whoogle-search is a Self-hosted, ad-free, privacy-respecting metasearch engine Affected versions of this package are vulnerable to Cross-site Scripting XSS via the query string parameter q. In the case where it does not contain the http string, it is used to build the errormessage that i...

CVE-2022-29266

In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...

CVE-2021-39033

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system...

CVE-2021-39033

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system...