CVE-2020-26239 Cross-Site Scripting in Scratch browser addons

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used incorrect regular expression which caused the HTML-escape...

CVE-2020-15822

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped...

CVE-2020-15822

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped...

CVE-2020-25815

An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34.4. LogEventList::getFiltersDesc is insecurely using message text to build options names for an HTML multi-select field. The relevant code should use escaped instead of text...

Cross-Site Scripting in Wagtail

Impact When a form page type is made available to Wagtail editors through the wagtail.contrib.forms app, and the page template is built using Django's standard form rendering helpers such as form.asp as directed in the documentation, any HTML tags used within a form field's help text will be...

CVE-2020-12737

An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. Authenticated users can perform a path traversal using double escaped characters, enabling read access to arbitrary files on the server...

Path traversal

An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. Authenticated users can perform a path traversal using double escaped characters, enabling read access to arbitrary files on the server...

CVE-2020-12737

An issue was discovered in Maxum Rumpus before 8.2.12 on macOS. Authenticated users can perform a path traversal using double escaped characters, enabling read access to arbitrary files on the server...

CVE-2020-5274

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the ErrorHandler rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the...

Command injection

rConfig before 3.9.5 allows command injection by sending a crafted GET request to lib/crud/search.crud.php since the nodeId parameter is passed directly to the exec function without being escaped...

UBUNTU-CVE-2019-14863

There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it...

Symfony Cross-site Scripting (XSS) vulnerability

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle...

CVE-2019-10404

CVE-2019-10404 affects Jenkins core prior to 2.196 (and LTS prior to 2.176.3) where the reason text shown in queue item tooltips isn’t escaped, leading to stored XSS when an actor can influence parts of the blocked-queue reason (e.g., label expressions). Affected versions: Jenkins 2.196 and earli...

FreeBSD : Apache -- Multiple vulnerabilities (caf545f2-c0d9-11e9-9051-4c72b94353b5) (Internal Data Buffering)

SO-AND-SO reports : SECURITY: CVE-2019-10081 modhttp2: HTTP/2 very early pushes, for example configured with 'H2PushResource', could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data...

Apache -- Multiple vulnerabilities

The Apache Team reports: SECURITY: CVE-2019-10081 modhttp2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data...

augeas: Improper handling of escaped strings leading to memory corruption

A vulnerability was discovered in augeas affecting the handling of escaped strings. An attacker could send crafted strings that would cause the application using augeas to copy past the end of a buffer, leading to a crash or possible code execution...

Cross-Site Scripting (XSS)

antixss is vulnerable to cross-site scripting XSS. The library does not properly evaluate characters after the detection of a Cascading Style Sheets CSS escaped character, which allows remote attackers to conduct cross-site scripting XSS attacks via HTML input...

Cross site scripting

A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly escaping the search result in the autocomplete search form placed in the header of out/out.Viewfolder.php...

Seo by Rank Math <= 1.0.26 - XSS Issues

The changelog file states "Added some important security fixes", and various variables can be found being HTML escaped in the code changes...

CVE-2019-10909

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle...