Lucene search

17848 matches found

AlpineLinux
added 2024/09/03 12:32 p.m. · 16 views

CVE-2024-8384

The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. This vulnerability affects Firefox 130, Firefox ESR 128.2, Firefox ESR 115.15, Thunderbird 128.2, and...

9.8 CVSS · 8.9 AI score · 0.00321 EPSS
Exploits 0
Debian CVE
added 2024/09/03 12:32 p.m. · 14 views

CVE-2024-8384

The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were detected at the right point between two passes. This could have led to memory corruption. This vulnerability affects Firefox 130, Firefox ESR 128.2, Firefox ESR 115.15, Thunderbird 128.2, and...

9.8 CVSS · 8.5 AI score · 0.00321 EPSS
Exploits 0
Mozilla
added 2024/09/03 12:0 a.m. · 21 views

Security Vulnerabilities fixed in Focus for iOS 130 — Mozilla

Websites could utilize JavaScript links to spoof URL addresses in the Focus navigation bar...

4.7 CVSS · 6.7 AI score · 0.00222 EPSS
Exploits 0 · References 1 · Affected Software 1
Mozilla
added 2024/09/03 12:0 a.m. · 26 views

Security Vulnerabilities fixed in Firefox ESR 115.15 — Mozilla

A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried t...

9.8 CVSS · 9.2 AI score · 0.11622 EPSS
Exploits 1 · References 4 · Affected Software 1
Tenable Nessus
added 2024/09/03 12:0 a.m. · 25 views

Mozilla Firefox ESR < 115.15

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 115.15. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2024-41 advisory. - The JavaScript garbage collector could mis-color cross-compartment objects if OOM conditions were...

9.8 CVSS · 8.3 AI score · 0.11622 EPSS
Exploits 1 · References 5
FreeBSD
added 2024/09/03 12:0 a.m. · 20 views

firefox -- multiple vulnerabilities

[email protected] reports: This entry contains 8 vulnerabilities: CVE-2024-8381: A potentially exploitable type confusion could be triggered when looking up a property name on an object being used as the with environment. CVE-2024-8382: Internal browser event interfaces were exposed to web...

9.8 CVSS · 7.6 AI score · 0.11622 EPSS
Exploits 1 · References 8
Packet Storm
added 2024/08/31 12:0 a.m. · 149 views

MongoDB NoSQL Collection Enumeration Via Injection

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "MongoDB NoSQL Collection Enumeration Via Injection", 'Description' = %q This module can exploit NoSQL injections on MongoDB versions less than 2....

7.4 AI score
Exploits 0
Packet Storm
added 2024/08/31 12:0 a.m. · 199 views

Android Browser File Theft

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Browser File Theft', 'Description' = %q This module steals the cookie, password, and autofill databases from the Browser application on...

7.4 AI score
Exploits 0
Packet Storm
added 2024/08/31 12:0 a.m. · 158 views

Android Open Source Platform (AOSP) Browser UXSS

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Android Open Source Platform AOSP Browser UXSS', 'Description' = %q This module exploits a Universal Cross-Site Scripting UXSS vulnerability...

7.4 AI score
Exploits 0
CVE
added 2024/08/30 10:17 p.m. · 46 views

CVE-2024-6585

CVE-2024-6585 affects Lightdash v0.1024.6, with multiple stored XSS vulnerabilities in the markdown dashboard and dashboard comment functionality. The flaws allow remote authenticated threat actors to store and execute malicious JavaScript in the context of a user session. The PT-2024-37737 advis...

5.4 CVSS · 5.9 AI score · 0.00128 EPSS
Exploits 0 · References 8
OSV
added 2024/08/29 5:56 p.m. · 10 views

GHSA-WGMF-Q9VR-VWW6 PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

Summary \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. PoC Example target script: loadDIR . '/book.xlsx'; $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html$spreadsheet;...

5.4 CVSS · 5.6 AI score · 0.00333 EPSS
Exploits 1 · References 5
Github Security Blog
added 2024/08/29 5:56 p.m. · 20 views

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

Summary \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. PoC Example target script: loadDIR . '/book.xlsx'; $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html$spreadsheet;...

5.4 CVSS · 5.6 AI score · 0.00333 EPSS
Exploits 1 · References 5 · Affected Software 2
Positive Technologies
added 2024/08/29 12:0 a.m. · 1 views

PT-2024-36772 · B&R · B&R Aprol

Name of the Vulnerable Software and Affected Versions: B&R APROL versions = R 4.4-00P3 Description: A Reflected Cross-Site Scripting XSS issue in the Shift Logbook application may allow a network-based attacker to execute arbitrary JavaScript code in the context of the user's browser session...

6.1 CVSS · 6.4 AI score · 0.00899 EPSS
Exploits 0 · References 6
NVD
added 2024/08/28 9:15 p.m. · 14 views

CVE-2024-45057

i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A Reflected Cross-Site Scripting XSS vulnerability was identified in the dynamic generation of HTML fields prior to the 2.9 branch. The file located at...

6.3 CVSS · 0.00419 EPSS
Exploits 1 · References 2
Cvelist
added 2024/08/28 8:41 p.m. · 22 views

CVE-2024-45046 PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker...

5.4 CVSS · 0.00333 EPSS
Exploits 1 · References 3
Vulnrichment
added 2024/08/28 8:41 p.m. · 25 views

CVE-2024-45046 PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker...

5.4 CVSS · 5.5 AI score · 0.00333 EPSS
Exploits 1 · References 3
Vulnrichment
added 2024/08/28 8:17 p.m. · 14 views

CVE-2024-45057 Reflected Cross-Site Scripting in i-Educar

i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A Reflected Cross-Site Scripting XSS vulnerability was identified in the dynamic generation of HTML fields prior to the 2.9 branch. The file located at...

6.3 CVSS · 6 AI score · 0.00419 EPSS
Exploits 1 · References 2
OSV
added 2024/08/27 6:14 p.m. · 17 views

GHSA-FMJ9-77Q8-G6C4 Apollo Query Planner and Apollo Gateway may infinitely loop on sufficiently complex queries

Impact Instances of @apollo/query-planner =2.0.0 and =2.0.0 and 2.8.5 and Apollo Router 1.52.1 are also impacted through their use of @apollo/query-planner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded...

8.7 CVSS · 7.5 AI score · 0.00187 EPSS
Exploits 1 · References 6
NVD
added 2024/08/27 5:15 p.m. · 27 views

CVE-2024-43788

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s...

6.4 CVSS · 0.0152 EPSS
Exploits 1 · References 5
Vulnrichment
added 2024/08/27 5:7 p.m. · 32 views

CVE-2024-43788 DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS)

Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s...

6.4 CVSS · 5.2 AI score · 0.0152 EPSS
Exploits 1 · References 5