2444 matches found
CVE-2023-23623 Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled in Electron
Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandb...
Electron's Content-Security-Policy disabling eval not applied consistently in renderers with sandbox disabled
Impact A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox and contextIsolation disabled. i.e. sandbox: false and contextIsolation: false in the webPreferences...
CVE-2023-41362
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP...
PT-2023-5287 · Mybb · Mybb
Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.36 Description: The issue is related to code injection by users with certain high privileges in the MyBB software. Templates in the Admin CP intentionally use eval, and there was some validation of the input to eval...
CVE-2022-43711
Interactive Forms IAF in GX Software XperienCentral versions 10.29.1 until 10.33.0 was vulnerable to cross-site scripting (XSS) attacks because the CSP header uses eval in the script-src...
GX Software XperienCentral Cross-Site Scripting Vulnerability
GX Software XperienCentral is a CMS from GX Software. A security vulnerability exists in GX Software XperienCentral versions 10.29.1 through 10.33.0, which stems from the use of the eval function in script-src, resulting in a cross-site scripting XSS vulnerability...
Remote Code Execution (RCE)
xalpha is vulnerable to Remote Code Execution RCE. The vulnerability exists in the basicinit function of info.py due to the use of the eval method without user input validation, which allows an attacker to execute malicious code in the system...
org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability
Impact Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code...
VulnCheck KEV: CVE-2023-38198
acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023...
CVE-2023-36258
An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used...
PT-2023-25499 · Langchain · Langchain
Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 0.0.236 Description: The issue allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used. This is possible via the PALChain in the python exec method. Recommendation...
Command Injection
snowflake-sdk is vulnerable to Command Injection. The vulnerability is due to the usage of an unsafe eval on user input, which allows an attacker to create a rogue SSO server which, when a user connects to it, results in code injection...
PT-2023-3706 · Acme.Sh · Acme.Sh
Name of the Vulnerable Software and Affected Versions: acme.sh versions prior to 3.0.6 Description: The issue arises from insufficient input validation in the Eval function of the ACME protocol client Acme.sh, allowing a remote attacker to execute arbitrary code. This has been exploited in the wi...
Faculty Evaluation System Code Issue Vulnerability
Faculty Evaluation System is a faculty evaluation system by the individual developer Carlo Montero. A security vulnerability exists in version 1.0 of the Sourcecodester Faculty Evaluation System, which originates from an arbitrary code execution vulnerability in ip/eval/ajax.php...
Faculty Evaluation System SQL Injection Vulnerability
Faculty Evaluation System is a faculty evaluation system by the individual developer Carlo Montero. A security vulnerability exists in version v1.0 of the Sourcecodester Faculty Evaluation System, which stems from an SQL injection in /eval/index.php?page=editfaculty&id=...
CVE-2023-30454
An issue was discovered in ebankIT before 7. Document Object Model based XSS exists within the /Security/Transactions/Transactions.aspx endpoint. Users can supply their own JavaScript within the ctl100$ctl00MainContent$TransactionMainContent$accControl$hdnAccountsArray POST parameter that will be...
PT-2023-22701 · Ebankit · Ebankit
Name of the Vulnerable Software and Affected Versions: ebankIT versions prior to 7 Description: An issue exists where Document Object Model based XSS is present within the "/Security/Transactions/Transactions.aspx" endpoint. Users can supply their own JavaScript within the...