1360 matches found

Node.js
added 2021/05/17 9:01 p.m., 69 views

Cross-site scripting in jspdf

Overview: In jspdf before version 2.0.0 it is possible to inject JavaScript code via the html method. Recommendation: Upgrade to version 2.0.0 or later. References: CVE, GitHub Advisory...

CVSS 4.3 | AI score 3.1 | EPSS 0.00968
Exploits: 1 | Affected software: 1
Circl
added 2021/05/17 9:00 p.m., 5 views

CVE-2020-7679

| creationtimestamp | type | source |
|---|---|---|
| 2021-05-17 21:00:52+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-vrr3-5r3v-7xfw... |

CVSS 9.8 | AI score 7.3 | EPSS 0.01956
Exploits: 1 | References: 1
Node.js
added 2021/05/17 8:54 p.m., 67 views

cookie tossing attack

Overview: Users of fastify-csrf with the "double submit" mechanism using cookies, with an application deployed across multiple subdomains (e.g. a "heroku"-style platform as a service). Recommendation: Upgrade to version 3.1.0 or later. References: CVE, GitHub Advisory...

CVSS 4.3 | AI score 2 | EPSS 0.00829
Exploits: 0 | Affected software: 1
Node.js
added 2021/05/10 7:18 p.m., 94 views

Command Injection

Overview: nodemailer before version 6.4.16 is vulnerable to command injection. Use of crafted recipient email addresses may result in arbitrary command-flag injection in the sendmail transport used for sending mail. Recommendation: Upgrade to version 6.4.16 or later. References: CVE, GitHub Advisory...

CVSS 7.5 | AI score 4.1 | EPSS 0.02316
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 7:18 p.m., 83 views

Prototype Pollution

Overview: "The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition." Recommendation: Upgrade to version 1.1.8 or later. References: CVE, GitHub Advisory...

CVSS 5 | AI score 5.2 | EPSS 0.03554
Exploits: 0 | Affected software: 1
Node.js
added 2021/05/10 7:17 p.m., 68 views

Regular Expression Denial of Service

Overview: npm-user-validate before 1.0.1 is vulnerable to regular expression denial of service. The regex that validates user emails takes exponentially longer to process long input strings beginning with @ characters. Recommendation: Upgrade to version 1.0.1 or later. References: CVE, GitHub Advis...

CVSS 5 | AI score 4.9 | EPSS 0.0344
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:51 p.m., 182 views

Prototype pollution in chart.js

Overview: In chart.js before version 2.9.4 the options parameter is not properly sanitized when it is processed. When the options are processed, the existing options or the default options are deeply merged with the provided options. However, during this operation, the keys of the object being set ar...

CVSS 5 | AI score 3.4 | EPSS 0.04678
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:51 p.m., 45 views

Cross-Site Scripting

Overview: Insufficient validation of cross-origin postMessage communication in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks. Recommendation: Upgrade to version 3.9.2 or later. References: CVE, GitHub Advisory...

CVSS 4.3 | AI score 4.2 | EPSS 0.01197
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:48 p.m., 58 views

Regular expression denial of Service

Overview: codemirror before 5.58.2 is vulnerable to a regular expression denial of service. The vulnerable regular expression is located at https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.js#L129. The ReDoS vulnerability of the regex...

CVSS 5 | AI score 3.1 | EPSS 0.05197
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:48 p.m., 53 views

Regular Expression Denial of Service

Overview: All versions of the package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values. Recommendation: Avoid using dat.gui, as there is no current safe version of this module. References: CVE, GitHub Advisory...

CVSS 5 | AI score 5.2 | EPSS 0.02073
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:48 p.m., 94 views

Regular Expression Denial of Service in trim

Overview: Versions of trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim. Recommendation: Upgrade to version 0.0.3 or later. References: CVE, GitHub Advisory...

CVSS 5 | AI score 5.8 | EPSS 0.03732
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:48 p.m., 54 views

Authorization Bypass

Overview: admin/src/containers/InputModalStepperProvider/index.js in strapi before 3.2.5 has unwanted /proxy?url= functionality. Recommendation: Upgrade to version 3.2.5 or later. References: CVE, GitHub Advisory...

CVSS 7.5 | AI score 4.6 | EPSS 0.02264
Exploits: 0 | Affected software: 1
Node.js
added 2021/05/10 6:40 p.m., 50 views

Prototype Pollution

Overview: mathjs before version 7.5.1 is vulnerable to Prototype Pollution via the deepExtend function that runs upon configuration updates. Recommendation: Upgrade to version 7.5.1 or later. References: CVE, GitHub Advisory...

CVSS 7.5 | AI score 4.6 | EPSS 0.03877
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 6:40 p.m., 44 views

Prototype Pollution

Overview: json-pointer before 0.6.1 is vulnerable to prototype pollution. Multiple references to an object using slashes are supported. Recommendation: Upgrade to version 0.6.1 or later. References: CVE, GitHub Advisory...

CVSS 6.5 | AI score 4.2 | EPSS 0.01762
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 3:38 p.m., 65 views

Cross-Site Scripting

Overview: A vulnerability in the HTML editor of Slab Quill allows an attacker to execute arbitrary JavaScript by storing an XSS payload in a crafted onloadstart attribute of an IMG element in a text field. No patch exists and no further releases are planned. Recommendation: Avoid using quill as there ...

CVSS 4.3 | AI score 3.2 | EPSS 0.01311
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/10 3:38 p.m., 47 views

Prototype Pollution

Overview: Versions of swiper before 6.5.1 are susceptible to prototype pollution. Recommendation: Upgrade to version 6.5.1 or later. References: CVE, GitHub Advisory...

CVSS 7.5 | AI score 3.5 | EPSS 0.022
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/07 4:50 p.m., 61 views

OS Command Injection in ng-packagr

Overview: ng-packagr before 10.1.1 is vulnerable to Command Injection via the styleIncludePaths option. Recommendation: Upgrade to version 10.1.1 or later. References: CVE, GitHub Advisory...

CVSS 6.5 | AI score 4.7 | EPSS 0.0239
Exploits: 0 | Affected software: 1
Node.js
added 2021/05/07 4:49 p.m., 184 views

Cross-site scripting in bootstrap-select

Overview: bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It does not escape title values in OPTION elements. This may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation: Upgrade to version 1.13.6 or later. References: CVE, GitHub Advisory...

CVSS 4.3 | AI score 5.3 | EPSS 0.01717
Exploits: 0 | Affected software: 1
Node.js
added 2021/05/07 4:48 p.m., 342 views

Uncontrolled Resource Consumption in json-bigint

Overview: Prototype pollution in the json-bigint package 1.0.0 may lead to a denial-of-service (DoS) attack. Recommendation: Upgrade to version 1.0.0 or later. References: CVE, GitHub Advisory...

CVSS 5 | AI score 4.9 | EPSS 0.01708
Exploits: 1 | Affected software: 1
Node.js
added 2021/05/07 4:18 p.m., 71 views

Injection in gulp-scss-lint

Overview: gulp-scss-lint through 1.0.0 allows execution of arbitrary commands. It is possible to inject arbitrary commands into the "exec" function located in "src/command.js" via the provided options. Recommendation: Avoid using gulp-scss-lint, as there is no current safe version of this module...

CVSS 7.5 | AI score 6.8 | EPSS 0.02644
Exploits: 1 | Affected software: 1