80 matches found

OSV
added 2022/05/17 12:26 a.m., 17 views

GHSA-HPV5-V8G5-C864 Cross-site Scripting in Mistune

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

CVSS 6.1, AI score 5.8, EPSS 0.00116
Exploits: 1, References: 6
NVD
added 2022/03/03 10:15 p.m., 10 views

CVE-2022-24725

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zs...

CVSS 6.2, EPSS 0.00296
Exploits: 1, References: 3
Prion
added 2022/03/03 10:15 p.m., 10 views

Directory traversal

Shescape is a shell escape package for JavaScript. An issue in versions 1.4.0 to 1.5.1 allows for exposure of the home directory on Unix systems when using Bash with the escape or escapeAll functions from the shescape API with the interpolation option set to true. Other tested shells, Dash and Zs...

CVSS 1.9, AI score 5.4, EPSS 0.00296
Exploits: 1, References: 3, Affected Software: 1
Hacker One
added 2018/12/26 10:13 p.m., 39 views

Weblate: Stored XSS @ /engage/<project_slug>

Description: The vulnerability concerns a Stored XSS, while it is currently, to the best of my knowledge, not exploitable due to limitations stated below. I thought that the issue is worth reporting anyway. Steps to reproduce: 1. Change a project's name or create one to the following payload:...

AI score 6.7
Exploits: 0
OSV
added 2018/07/31 9:29 p.m., 1 view

ALPINE-CVE-2016-8622

The URL percent-encoding decode function in libcurl before 7.51.0 is called curl_easy_unescape. Internally, even if this function were made to allocate an unescape destination buffer larger than 2GB, it would return that new length in a signed 32-bit integer variable, thus the length would get...

CVSS 9.8, AI score 7.1, EPSS 0.0185
Exploits: 0, References: 1
OSV
added 2018/05/31 8:29 p.m., 22 views

CVE-2016-10537

backbone is a module that adds structure to a JavaScript-heavy application through key-value pairs and custom events, connecting to your RESTful API through JSON. There exists a potential Cross Site Scripting vulnerability in the Model#Escape function of backbone 0.3.3 and earlier, if a user is...

CVSS 5.4, AI score 5.6
Exploits: 0, References: 2
Prion
added 2018/05/31 8:29 p.m., 18 views

Cross site scripting

backbone is a module that adds structure to a JavaScript-heavy application through key-value pairs and custom events, connecting to your RESTful API through JSON. There exists a potential Cross Site Scripting vulnerability in the Model#Escape function of backbone 0.3.3 and earlier, if a user is...

CVSS 3.5, AI score 6.3, EPSS 0.00191
Exploits: 0, References: 2, Affected Software: 1
Debian CVE
added 2018/05/31 8:00 p.m., 31 views

CVE-2016-10537

backbone is a module that adds structure to a JavaScript-heavy application through key-value pairs and custom events, connecting to your RESTful API through JSON. There exists a potential Cross Site Scripting vulnerability in the Model#Escape function of backbone 0.3.3 and earlier, if a user is...

CVSS 5.4, AI score 6.1, EPSS 0.00191
Exploits: 0
PyPA
added 2017/10/19 8:29 a.m., 5 views

PYSEC-2017-80

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

CVSS 6.1, AI score 6.2, EPSS 0.00116
Exploits: 1, References: 2, Affected Software: 1
Prion
added 2017/10/19 8:29 a.m., 12 views

Design/Logic Flaw

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

CVSS 4.3, AI score 5.8, EPSS 0.00116
Exploits: 1, References: 1, Affected Software: 1
Cvelist
added 2017/10/19 8:00 a.m., 17 views

CVE-2017-15612

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

AI score 5.9, EPSS 0.00116
Exploits: 1, References: 1
Debian CVE
added 2017/10/19 8:00 a.m., 19 views

CVE-2017-15612

mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline such as in java\nscript: or a crafted email address, related to the escape and autolink functions...

CVSS 6.1, AI score 6, EPSS 0.00116
Exploits: 1
CVE
added 2017/10/19 8:00 a.m., 84 views

CVE-2017-15612

The CVE relates to Mistune Python package: mistune.py in Mistune 0.7.4 contains an XSS vulnerability triggered by an unexpected newline (e.g., java\nscript:) or crafted email addresses, tied to escape and autolink handling. Connected sources document this vulnerability and show mitigations: openS...

CVSS 6.1, AI score 5.7, EPSS 0.00116
Exploits: 1, References: 1, Affected Software: 1
CNVD
added 2017/02/16 12:00 a.m., 1 view

NVIDIA Windows GPU Display Driver Buffer Overflow Vulnerability

NVIDIA Windows GPU Display Driver is a set of graphics processor (GPU) graphics card drivers for Windows from NVIDIA. A security vulnerability in DxgkDdiEscape in nvlddmkm.sys of the NVIDIA Windows GPU Display Driver can be exploited by an attacker to cause a denial of service or gain elevated...

CVSS 8.8, AI score 6.9, EPSS 0.00041
Exploits: 0, References: 1
Hacker One
added 2015/12/15 2:14 p.m., 13 views

Shopify: [livechat.shopify.com] Cookie bomb at customer chats

When we visit the https://livechat.shopify.com/customer/chats/new page, the ref and ssid URL parameters are used to set cookie values as follows: var getURLParameter = functionname return decodeURIComponentnew RegExp'?|&' + name + '=' + '^&;+?&||;|$'.execlocation.search||,""1.replace/+/g,...

AI score 6.8
Exploits: 0
Check Point Advisories
added 2014/04/16 12:00 a.m., 2 views

Mozilla Firefox JIT escape Function Memory Corruption - Ver2 (CVE-2009-2477)

Mozilla Firefox is a web browser developed by Mozilla Foundation. The browser is capable of interpreting and rendering many types of content published on the Internet, including various versions of HTML, XML, XUL, JavaScript, and various graphic formats, and so on. The browser runs on Windows,...

CVSS 9.3, AI score 9.4, EPSS 0.83306
Exploits: 9
seebug.org
added 2014/04/13 12:00 a.m., 19 views

phpdisk V7 blind SQL injection (one instance)

Brief description: It's the weekend again. Detailed description: Freshly downloaded from the official site. plugins\phpdiskclient\clientsub.php. I looked at the other files in this directory; after iconv they all call the escape function to escape the input, but this one does not. That creates the injection. $agent = $_SERVER['HTTP_USER_AGENT']; if($agent!='phpdisk-client') exit('PHPDisk Access Deny Invalid Entry!'); $uinfo = trim(gpc('uinfo','P','')); parse_str(pd_encode(base64_decode($uinfo),'DECODE...

AI score 7.1
Exploits: 0
PyPA
added 2010/07/02 7:00 p.m., 5 views

PYSEC-2010-1

Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element...

CVSS 4.3, AI score 5.6, EPSS 0.00361
Exploits: 0, References: 4, Affected Software: 1
VulnCheck KEV
added 2010/05/01 12:00 a.m., 1 view

VulnCheck KEV: CVE-2009-2477

js/src/jstracer.cpp in the Just-in-time (JIT) JavaScript compiler (aka TraceMonkey) in Mozilla Firefox 3.5 before 3.5.1 allows remote attackers to execute arbitrary code via certain use of the escape function that triggers access to uninitialized memory locations, as originally demonstrated by...

CVSS 9.3, AI score 6.2, EPSS 0.83306
Exploits: 9, References: 1