4172 matches found
CVE-2023-5654
The React Developer Tools extension registers a message listener with window.addEventListener('message', …) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch. The URL is not...
Input validation
The React Developer Tools extension registers a message listener with window.addEventListener('message', …) in a content script that is accessible to any webpage that is active in the browser. Within the listener is code that requests a URL derived from the received message via fetch. The URL is not...
CVE-2023-5654
The CVE-2023-5654 issue affects the React Developer Tools extension and is caused by a content-script listener registered with window.addEventListener('message', …) that fetches a URL derived from a received message without validating/sanitising it. This allows a malicious page to trigger the vic...
React Developer Tools Security Vulnerability
Facebook React Developer Tools is a JavaScript library for building user interfaces from Facebook Inc. A security vulnerability exists in React Developer Tools version v4.27.8, which stems from an extension that registers a message listener in content scripts, where code within the listener does...
GHSA-WQQ4-5WPV-MX2G Undici's cookie header not cleared on cross-origin redirect in fetch
Impact Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the...
Undici's cookie header not cleared on cross-origin redirect in fetch
...
CVE-2023-45143 Undici's cookie header not cleared on cross-origin redirect in fetch
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in...
CVE-2023-39854
The web interface of ATX Ucrypt through 3.5 allows authenticated users or attackers using default credentials for the admin, master, or user account to include files via a URL in the /hydra/view/getccurl url parameter. There can be resultant SSRF...
RHEL 9 : nodejs (RHSA-2023:5533)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5533 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The...
CVE-2023-39165
Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin <= 2.2.8 versions...
Cross site request forgery (csrf)
Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin <= 2.2.8 versions...
CVE-2023-39165 WordPress Sign-up Sheets Plugin <= 2.2.8 is vulnerable to Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin <= 2.2.8 versions...
CVE-2023-39165
CVE-2023-39165 corresponds to a Cross-Site Request Forgery (CSRF) vulnerability in the Fetch Designs Sign-up Sheets WordPress plugin, affecting versions
PT-2023-26819 · Fetch Designs · Fetch Designs Sign-Up Sheets Plugin
Name of the Vulnerable Software and Affected Versions: Fetch Designs Sign-up Sheets plugin versions <= 2.2.8 Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a w...
User Activity Log Pro < 2.3.4 - IP Spoofing
Description This plugin retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic. PoC 1. In User Activity Log Settings, enable the setting "Allow Ip Address of users to log." and save...
User Activity Log Pro < 2.3.4 - Unauthenticated Stored Cross-Site Scripting via User Agent
Description The plugin does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks. 1. Make sure the plugin's Enable User Agent For Log setting is set at /wp-admin/admin.php?page=ualpsettings 2. If you're...
SEV-ES / SEV-SNP VMGEXIT double fetch vulnerability
...
DEBIAN-CVE-2023-4155
A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the VMGEXIT handler recursively. If an attacker manages to call the handler multiple time...