70 matches found
EUVD-2009-1438
Malware in sbrugna...
RHEL 6 : python-lxml (Unpatched Vulnerability)
The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - python-lxml: XSS in lxml.html.clean module in lxml/html/clean.py CVE-2018-19787 - Incomplete blacklist...
Huawei EulerOS: Security Advisory for python-lxml (EulerOS-SA-2021-1352)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Design/Logic Flaw
Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension...
CVE-2015-8560
CVE-2015-8560 describes an incomplete blacklist vulnerability in foomatic-rip (util.c) used by cups-filters 1.0.42 and in foomatic-filters (Foomatic 4.0.x). The issue allows remote attackers to execute arbitrary commands by injecting a ; (semicolon) in a print job. Root cause is failure to fully ...
Design/Logic Flaw
Incomplete blacklist vulnerability in the Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, Link Controller, and PSM 11.x before 11.2.1 HF11, 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; BIG-IP AAM 11.4.0 before HF8 and 11.4.1 before HF6; BIG-IP AFM and PEM 11.3.x, 11.4.0...
Input validation
Incomplete blacklist vulnerability in the configisprivate function in configapi.php in MantisBT 1.3.x before 1.3.0 allows remote attackers to obtain sensitive master salt configuration information via a SOAP API request...
CVE-2015-8327
CVE-2015-8327 is an incomplete blacklist vulnerability in util.c of the foomatic-rip component in cups-filters (and in foomatic-filters/Foomatic). It allows remote attackers to execute arbitrary commands via backtick characters in a print job. Affected are cups-filters 1.0.42 before 1.2.0 and Foo...
CVE-2015-5074
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension...
CVE-2015-5074
CVE-2015-5074 affects X2Engine X2CRM 4.2. An incomplete blacklist in FileUploadsFilter.php allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. This enables arbitrary file uploads and potential code execution on vulnerable installations. The i...
CVE-2015-3245
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service /etc/passwd corruption via a newline character in the GECOS field...
DEBIAN-CVE-2015-2932
Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element...
Input validation
Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI...
Cross site scripting
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting XSS attacks via a vbscript tag in a link...
CVE-2014-1224
CVE-2014-1224 affects rexx Recruitment (R6.1 and R7) with an incomplete blacklist that does not remove the oninput event handler from user input in /reg, enabling remote XSS via the fname field. The root cause is failure to neutralize unknown HTML/JS event handlers in user-supplied data; a proof-...
CVE-2014-2044
CVE-2014-2044 affects ownCloud before 5.0 on Windows. The vulnerability is in the Ajax upload handling (ajax/upload.php) where an incomplete blacklist allows an authenticated user to upload files with arbitrary names and execute code via Windows ADS syntax in the filename (for example .htaccess::...
CVE-2014-5018
CVE-2014-5018 affects LimeSurvey 2.05+ Build 140618, where an incomplete blacklist in the autoEscape function of common_helper.php can allow remote XSS via the GBK charset in the loadname parameter of index.php, related to the survey resume. The connected Red Hat and CVE records confirm the vulne...
CVE-2014-3877
CVE-2014-3877 affects Frams"e; Fast File EXchange (F*EX, fex) prior to fex-20140530. The issue is an incomplete blacklist that allows remote XSS via the addto parameter to fup. Connected advisories confirm multiple vendors/publications (e.g., Debian DLA-68-1) documenting fex exposure and release ...
CVE-2014-3146
CVE-2014-3146 affects the lxml project, specifically the lxml.html.clean module. The vulnerability is an incomplete blacklist in clean_html that allows cross-site scripting (XSS) via control characters in link schemes. Public advisories detail that lxml before 3.3.5 is vulnerable, with a noted wo...
CVE-2014-2913
Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor NRPE 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/checknrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the...