80 matches found

CNNVD
added 2024/11/22 12:00 a.m. · 3 views

PHP security vulnerability

PHP is a scripting language that is executed server-side. A security vulnerability exists in PHP. An attacker who exploits this vulnerability can cause an integer overflow by passing an uncontrolled long string to the ldap_escape function, resulting in an out-of-bounds write. The...

9.8 CVSS · 5.8 AI score · 0.00347 EPSS
Exploits 0 · References 3
Positive Technologies
added 2024/11/20 12:00 a.m. · 3 views

PT-2024-8392

Name of the Vulnerable Software and Affected Versions: PHP versions 8.1.* before 8.1.31; PHP versions 8.2.* before 8.2.26; PHP versions 8.3.* before 8.3.14. Description: The issue is related to an integer overflow in the ldap_escape function on 32-bit systems when handling uncontrolled long string...

10 CVSS · 9.8 AI score · 0.94374 EPSS
Exploits 77 · References 163
Positive Technologies
added 2024/11/15 12:00 a.m. · 2 views

PT-2024-8904

Name of the Vulnerable Software and Affected Versions: PHP versions 8.1.* through 8.1.30; PHP versions 8.2.* through 8.2.25; PHP versions 8.3.* through 8.3.13. Description: The issue is related to the ldap_escape function in PHP, which can cause an integer overflow when given uncontrolled long string...

9.8 CVSS · 8.6 AI score · 0.94374 EPSS
Exploits 76 · References 181
RedHat Linux
added 2024/06/03 5:04 p.m. · 3 views

datatables.net: contents of array not escaped by HTML escape entities function

An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, its contents are not escaped, possibly leading to cross-site scripting (XSS)...

6.1 CVSS · 5 AI score · 0.00349 EPSS
Exploits 1 · References 5
RedHat Linux
added 2024/06/03 5:04 p.m. · 1 views

datatables.net: contents of array not escaped by HTML escape entities function

An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, its contents are not escaped, possibly leading to cross-site scripting (XSS)...

6.1 CVSS · 5 AI score · 0.00349 EPSS
Exploits 1 · References 5
RedHat Linux
added 2024/06/03 5:02 p.m. · 5 views

datatables.net: contents of array not escaped by HTML escape entities function

An improper neutralization of input vulnerability was found in datatables.net. If an array is passed to the HTML escape entities function, its contents are not escaped, possibly leading to cross-site scripting (XSS)...

6.1 CVSS · 5 AI score · 0.00349 EPSS
Exploits 1 · References 5
OSV
added 2024/05/15 6:09 p.m. · 12 views

GHSA-27QR-636M-WXG2 codeigniter/framework SQL injection in ODBC database driver

CodeIgniter 3.1.0 addressed a critical security issue within the ODBC database driver. This update includes crucial fixes to mitigate a SQL injection vulnerability, preventing potential exploitation by attackers. It is noteworthy that these fixes render the query builder and escape functions...

10 CVSS · 8.2 AI score
Exploits 0 · References 4
Positive Technologies
added 2024/03/21 12:00 a.m. · 2 views

PT-2024-22274 · Grav

Name of the Vulnerable Software and Affected Versions: Grav versions prior to 1.7.45. Description: The issue arises from unrestricted access to the twig extension class from the grav context, allowing an attacker to redefine the escape function and execute arbitrary commands. This can be achieved ...

8.8 CVSS · 8.6 AI score · 0.01406 EPSS
Exploits 1 · References 13
OSV
added 2023/07/10 9:54 p.m. · 24 views

GHSA-8C6X-G4FW-8RF4 Whatsapp-Chat-Exporter has Cross-Site Scripting vulnerability in HTML output of chats.

Impact: A Cross-Site Scripting (XSS) vulnerability was found in the HTML output of chats. XSS is intended to be mitigated by Jinja's escape function. However, autoescape=True was missing when setting up the environment. Although the actual impact is low, considering the HTML file is being viewed offlin...

5.4 CVSS · 5.2 AI score
Exploits 0 · References 3
SUSE CVE
added 2023/02/15 4:58 a.m. · 2 views

SUSE CVE-2016-7167

Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow...

9.8 CVSS · 10 AI score · 0.02257 EPSS
Exploits 0 · References 25
SUSE CVE
added 2023/02/15 4:38 a.m. · 1 views

SUSE CVE-2017-15612

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

6.1 CVSS · 6.2 AI score · 0.00116 EPSS
Exploits 1 · References 3
Prion
added 2022/10/27 10:15 a.m. · 11 views

Code injection

The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function...

5 CVSS · 7.5 AI score · 0.00229 EPSS
Exploits 1 · References 4 · Affected Software 1
CVE
added 2022/10/27 5:05 a.m. · 93 views

CVE-2022-25918

CVE-2022-25918 affects the npm package shescape (versions 1.5.10 and earlier than 1.6.1). The vulnerability is a Regular Expression Denial of Service (ReDoS) in the escape function (index.js) caused by an insecure regex in escapeArgBash. Exploitation can cause high CPU usage or denial of service ...

7.5 CVSS · 6.2 AI score · 0.00229 EPSS
Exploits 1 · References 4 · Affected Software 1
Vulnrichment
added 2022/10/27 5:05 a.m. · 4 views

CVE-2022-25918 Regular Expression Denial of Service (ReDoS)

The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function...

5.3 CVSS · 7.5 AI score · 0.00229 EPSS
Exploits 1 · References 4
Cvelist
added 2022/10/27 5:05 a.m. · 13 views

CVE-2022-25918 Regular Expression Denial of Service (ReDoS)

The package shescape from 1.5.10 and before 1.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function...

5.3 CVSS · 7.7 AI score · 0.00229 EPSS
Exploits 1 · References 4
Snyk
added 2022/10/25 9:45 a.m. · 1 views

Regular Expression Denial of Service (ReDoS)

Overview: shescape is a simple shell escape library. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function. PoC (js): import escape from 'shescape'; const...

7.5 CVSS · 6.8 AI score · 0.00229 EPSS
Exploits 1 · References 2
Positive Technologies
added 2022/10/25 12:00 a.m. · 1 views

PT-2022-17604 · Shescape

Name of the Vulnerable Software and Affected Versions: shescape versions 1.5.10 through 1.6.1. Description: The issue is related to a Regular Expression Denial of Service (ReDoS) vulnerability via the escape function in index.js, due to the usage of an insecure regex in the escapeArgBash function. This...

7.5 CVSS · 7.3 AI score · 0.00229 EPSS
Exploits 1 · References 11
Positive Technologies
added 2022/07/15 12:00 a.m. · 4 views

PT-2022-20592 · Microsoft +1 · Powershell +2

Name of the Vulnerable Software and Affected Versions: Shescape versions prior to 1.5.8. Description: The issue impacts users of the escape or escapeAll functions with the interpolation option set to true. If an attacker can include whitespace in their input, they can invoke shell-specific behavio...

9.8 CVSS · 9.5 AI score · 0.0108 EPSS
Exploits 1 · References 10
RedhatCVE
added 2022/05/20 11:09 p.m. · 16 views

CVE-2017-15612

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

6.1 CVSS · 3.6 AI score · 0.00116 EPSS
Exploits 1 · References 1
Github Security Blog
added 2022/05/17 12:26 a.m. · 23 views

Cross-site Scripting in Mistune

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

6.1 CVSS · 5.7 AI score · 0.00116 EPSS
Exploits 1 · References 5 · Affected Software 1