PT-2026-20993
Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Versions 1.7.0 and below allow users to upload files without proper content validation or sanitization. By embedding malicious JavaScript within an SVG or other active content formats such as HTML...
EUVD-2022-7493
Malicious code in bioql PyPI...
EUVD-2022-7470
Malicious code in bioql PyPI...
CVE-2024-12870
A stored cross-site scripting XSS vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch cec2080. The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' conten...
Debian dla-3901 : ruby-loofah - security update
The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3901 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3901-1 [email protected]...
DSpace Security Vulnerabilities
DSpace is an open source turnkey repository application for the DuraSpace community. A security vulnerability exists in DSpace versions 7.0 through 7.6.1, which stems from the possibility that a user's browser may execute any embedded JavaScript when an HTML, XML, or JavaScript Bitstream is...
DSpace Cross Site Scripting (XSS) via a deposited HTML/XML document
Impact In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This attack may only be initialized by a user who already has Submitter...
[SECURITY] [DLA 3565-1] ruby-loofah security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-3565-1 [email protected] https://www.debian.org/lts/security/ Sylvain Beucler September 13, 2023 https://wiki.debian.org/LTS -...
WordPress Companion Sitemap Generator – HTML & XML Plugin < 4.5.3 is vulnerable to Cross Site Scripting (XSS)
Software: Companion Sitemap Generator – HTML & XML. Type: Plugin. Vulnerable versions: < 4.5.3. Fixed in: 4.5.3. OWASP Top 10: A7: Cross-Site Scripting (XSS). Classification: Cross Site Scripting (XSS). CVE: CVE-2023-1780. Patch priority: Medium. CVSS severity: Medium 7.1. PSID 2c5448d43a2a...
SUSE SLES15 / openSUSE 15 Security Update : rubygem-loofah (SUSE-SU-2023:1657-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1657-1 advisory. - Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofa...
CVE-2022-23515
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1...
CVE-2022-23516 Uncontrolled Recursion in Loofah
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a...
CVE-2022-23515 Improper neutralization of data URIs may allow XSS in Loofah
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1...
CVE-2021-41098
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are...
CVE-2021-37714
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until...
USN-4498-1: Loofah vulnerability
It was discovered that Loofah does not properly sanitize JavaScript in sanitized output. An attacker could possibly use this issue to perform XSS attacks. CVE-2019-15587...
[SECURITY] Fedora 30 Update: rubygem-loofah-2.2.3-4.fc30
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments. It's built on top of Nokogiri and libxml2, so it's fast and has a nice API. Loofah excels at HTML sanitization XSS prevention. It includes some nice HTML sanitizers, which are based on HTML5lib's...
Companion Sitemap Generator <= 3.6.6 - CSRF
The Companion Sitemap Generator – HTML & XML WordPress plugin was affected by a CSRF security vulnerability...
[SECURITY] [DSA 4364-1] ruby-loofah security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4364-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff January 08, 2019 https://www.debian.org/security/faq -...