21 matches found

Github Security Blog
added 2026/05/19 2:35 p.m. (7 views)

Algernon: Single-file mode unconditionally enables debug mode

Summary When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow algernon foo.lua, algernon page.po2, algernon index.html, algernon mywebsite.alg — singleFileMode is set to true and debugMode is forcibly enabled with no opt-out: go //...

CVSS 7.5, AI score 5.8, EPSS 0.00042
Exploits: 0, References: 2, Affected software: 1
SUSE CVE
added 2023/02/15 6:07 a.m. (4 views)

SUSE CVE-2008-4066

Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav&56325ascript" sequence, a...

CVSS 4.3, AI score 7.5, EPSS 0.01204
Exploits: 2, References: 5
OpenVAS
added 2022/01/28 12:00 a.m. (24 views)

Mageia: Security Advisory (MGASA-2015-0240)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 10, AI score 6.5, EPSS 0.17369
Exploits: 2, References: 6
OSV
added 2020/11/23 7:15 p.m. (9 views)

CVE-2020-26239

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used an incorrect regular expression, which caused the HTML-escape...

CVSS 5.4, AI score 6.7
Exploits: 0, References: 4
Cvelist
added 2020/11/23 7:05 p.m. (25 views)

CVE-2020-26239 Cross-Site Scripting in Scratch browser addons

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used an incorrect regular expression, which caused the HTML-escape...

CVSS 7.6, AI score 7.5, EPSS 0.0028
Exploits: 0, References: 4
Tenable Nessus
added 2019/08/20 12:00 a.m. (60 views)

FreeBSD : Apache -- Multiple vulnerabilities (caf545f2-c0d9-11e9-9051-4c72b94353b5) (Internal Data Buffering)

SO-AND-SO reports: SECURITY: CVE-2019-10081 mod_http2: HTTP/2 very early pushes, for example configured with 'H2PushResource', could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data...

CVSS 9.1, AI score 6.9, EPSS 0.82379
Exploits: 6, References: 7
FreeBSD
added 2019/08/14 12:00 a.m. (108 views)

Apache -- Multiple vulnerabilities

The Apache Team reports: SECURITY: CVE-2019-10081 mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data...

CVSS 9.1, AI score 7, EPSS 0.82379
Exploits: 6, References: 1
WPVulnDB
added 2019/06/18 12:00 a.m. (13 views)

Seo by Rank Math <= 1.0.26 - XSS Issues

The changelog file states "Added some important security fixes", and various variables can be found being HTML escaped in the code changes...

AI score 0.6
Exploits: 0, References: 1, Affected software: 1
NVD
added 2018/07/05 8:29 p.m. (13 views)

CVE-2018-8046

The getTip method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when passed HTML-escaped data. This framework brings no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. However, the getTip method of Action Column...

CVSS 6.1, AI score 5.9, EPSS 0.00318
Exploits: 1, References: 2
Cvelist
added 2018/07/05 8:00 p.m. (9 views)

CVE-2018-8046

The getTip method of Action Columns of Sencha Ext JS 4 to 6 before 6.6.0 is vulnerable to XSS attacks, even when passed HTML-escaped data. This framework brings no built-in XSS protection, so the developer has to ensure that data is correctly sanitized. However, the getTip method of Action Column...

AI score 5.9, EPSS 0.00318
Exploits: 1, References: 2
0day.today
added 2018/07/03 12:00 a.m. (100 views)

extjs getTip() Cross Site Scripting Vulnerability

Exploit for jsp platform in category web applications. A XSS vulnerability exists in the getTip method of Action Columns. The Ext JS framework brings no built-in XSS protection, meaning that developers are responsible for sanitizing their output. However, the method above takes HTML-escaped data a...

AI score 6.4, EPSS 0.00318
Exploits: 1
Tenable Nessus
added 2018/06/26 12:00 a.m. (34 views)

FreeBSD : mailman -- hardening against malicious listowners injecting evil HTML scripts (739948e3-78bf-11e8-b23c-080027ac955c)

Mark Sapiro reports: Existing protections against malicious listowners injecting evil scripts into listinfo pages have had a few more checks added. A few more error messages have had their values HTML escaped. The hash generated when SUBSCRIBE_FORM_SECRET is set could have been the same as one...

CVSS 5.4, AI score 6.2, EPSS 0.00536
Exploits: 0, References: 4
Veracode
added 2017/11/22 5:32 a.m. (10 views)

Cross-site Scripting (XSS)

jquery-colorbox is vulnerable to cross-site scripting (XSS) attacks. These attacks are possible when an HTML-escaped user input is added to the title attribute of a colorbox. The injected code is executed when the page is rendered. The maintainers say this is expected behavior and will not fix this...

AI score 5.7
Exploits: 0
Tenable Nessus
added 2015/02/02 12:00 a.m. (28 views)

FreeBSD : rabbitmq -- Security issues in management plugin (8469d41c-a960-11e4-b18e-bcaec55be5e5)

The RabbitMQ project reports: Some user-controllable content was not properly HTML-escaped before being presented to a user in the management web UI: - When a user unqueued a message from the management UI, message details (header names, arguments, etc.) were displayed unescaped. An attacker coul...

CVSS 3.5, AI score 6.1, EPSS 0.00185
Exploits: 0, References: 4
Tenable Nessus
added 2013/07/12 12:00 a.m. (57 views)

Oracle Linux 4 : php (ELSA-2008-0545)

From Red Hat Security Advisory 2008:0545 : Updated php packages that fix several security issues and a bug are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. PHP is an HTML-embedded scripting...

CVSS 10, AI score 7.8, EPSS 0.06231
Exploits: 3, References: 7
Prion
added 2008/09/24 8:37 p.m. (19 views)

Cross site scripting

Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav&56325ascript" sequence, a...

CVSS 4.3, AI score 5, EPSS 0.01204
Exploits: 2, References: 44, Affected software: 1
RedHat Linux
added 2008/09/24 2:04 a.m. (1 view)

Mozilla low surrogates stripped from JavaScript before execution

Mozilla Firefox 2.0.0.14, and other versions before 2.0.0.17, allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms and conduct XSS attacks via HTML-escaped low surrogate characters that are ignored by the HTML parser, as demonstrated by a "jav&56325ascript" sequence, a...

CVSS 4.3, AI score 5.7, EPSS 0.01204
Exploits: 2, References: 4
securityvulns
added 2008/07/03 12:00 a.m. (68 views)

Mozilla Foundation Security Advisory 2008-30

Mozilla Foundation Security Advisory 2008-30 Title: File location URL in directory listings not escaped properly Impact: Low Announced: July 1, 2008 Reporter: Masahiro Yamada Products: Firefox, SeaMonkey Fixed in: Firefox 2.0.0.15 SeaMonkey 1.1.10 Description Mozilla contributor Masahiro Yamada...

CVSS 4.3, AI score 6, EPSS 0.02079
Exploits: 1
Tenable Nessus
added 2008/07/02 12:00 a.m. (39 views)

SeaMonkey < 1.1.10 Multiple Vulnerabilities

The installed version of SeaMonkey is affected by various security issues: - A stability problem that could result in a crash during JavaScript garbage collection (MFSA 2008-20). - Several stability bugs leading to crashes which, in some cases, show traces of memory corruption (MFSA 2008-21). - A...

CVSS 10, AI score 6.2, EPSS 0.24183
Exploits: 3, References: 28
Atlassian
added 2008/02/01 12:29 p.m. (26 views)

Project name that contains double-quote is not properly escaped on Issue Navigator page

If a project has a double-quote in its name, it's not XML-escaped when used in the "title" attribute. For example, if we have a project named 14" monitors, the HTML will look like: 14" monitors This causes JIRA Client to hiccup on this page and lose a lot of functionality. On a web browser, the title i...

AI score 1.6
Exploits: 0