17848 matches found
CVE-2024-31199
A “CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” weakness allows malicious users to permanently inject arbitrary JavaScript code...
CVE-2024-41818
A regular expression denial of service (ReDoS) flaw was found in fast-xml-parser, in the currency.js script. By sending specially crafted input to the currency-parsing regular expression, a remote attacker could cause a denial of service condition...
PT-2024-29654 · Unknown · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 15.10.8; XWiki Platform versions prior to 16.3.0RC1. Description: The issue allows an attacker to execute JavaScript snippets in the context of another user, compromising the confidentiality, integrity, and...
Garbage collection and closures
Me, Surma, and Jason were hacking on a thing, and discovered that garbage collection within a function doesn't quite work how we expected. function demo() { const bigArrayBuffer = new ArrayBuffer(100000000); const id = setTimeout(() => { console.log(bigArrayBuffer.byteLength); }, 1000); return () => clearTimeout(id); }...
GHSA-CF56-G6W6-PQQ2 Twisted vulnerable to HTML injection in HTTP redirect body
Summary: The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in reflected Cross-Site Scripting (XSS) in the redirect response HTML body. Details: Twisted’s redirectTo functi...
CVE-2024-41818 ReDOS at currency parsing fast-xml-parser
fast-xml-parser is an open source, pure JavaScript XML parser. A ReDoS exists in currency.js. This vulnerability is fixed in 4.4.1...
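The fast-xml-parser entries above describe a ReDoS in a currency-parsing regular expression. The following is an added example, not fast-xml-parser's own code: it pairs an illustrative nested-quantifier pattern (assumed here for demonstration; it is not the regex that was in currency.js) with a hand-written linear-time parser for the same "amount plus three-letter code" shape, so the difference in cost on a near-miss input is visible.

```javascript
// Added example, not fast-xml-parser's code. VULNERABLE_RE is an illustrative
// catastrophic-backtracking pattern assumed for this demonstration, NOT the regex
// from currency.js. (\d+[.,]?)+ lets the engine split a digit run in 2^(n-1)
// ways; when the trailing [A-Za-z]{3} fails, every split is retried before the
// match is finally rejected.
const VULNERABLE_RE = /^((?:\d+[.,]?)+)\s*([A-Za-z]{3})$/;

function vulnerableParse(input) {
  const m = VULNERABLE_RE.exec(input);
  return m ? { amount: m[1], code: m[2] } : null;
}

const isDigit = (c) => c >= '0' && c <= '9';
const isLetter = (c) => (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');

// Same grammar (digit runs with single separators, optional whitespace, exactly
// three letters, end of string), but one left-to-right pass with no
// backtracking: each character is examined once, so cost is O(n) for any input.
function safeParse(input) {
  const n = input.length;
  let i = 0;
  if (!(i < n && isDigit(input[i]))) return null; // amount must start with a digit
  let prevSep = false;
  while (i < n) {
    const c = input[i];
    if (isDigit(c)) { prevSep = false; i++; }
    else if ((c === '.' || c === ',') && !prevSep) { prevSep = true; i++; }
    else break; // two separators in a row, or a non-amount character
  }
  const amount = input.slice(0, i);
  while (i < n && /\s/.test(input[i])) i++; // single-character test, constant time
  const codeStart = i;
  while (i < n && isLetter(input[i])) i++;
  if (i - codeStart !== 3 || i !== n) return null;
  return { amount, code: input.slice(codeStart, i) };
}

// Near-miss input: a long digit run followed by a character that can never
// match, which forces the regex engine through every partition of the run.
function evilInput(n) {
  return '1'.repeat(n) + '!';
}

function timeMs(fn) {
  const t0 = performance.now();
  fn();
  return performance.now() - t0;
}

// Keep n small here: the regex cost roughly doubles per extra digit.
for (const n of [14, 16, 18, 20]) {
  const evil = evilInput(n);
  const slow = timeMs(() => vulnerableParse(evil)).toFixed(1);
  const fast = timeMs(() => safeParse(evil)).toFixed(3);
  console.log(`n=${n}: regex ${slow} ms, linear parser ${fast} ms`);
}
```

Both parsers accept the same well-formed inputs; the point of the linear parser is that a rejection is reached after a single pass, so the attacker gains nothing from making the input longer.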
CVE-2024-32671
Heap-based Buffer Overflow vulnerability in Samsung Open Source Escargot JavaScript engine allows Overflow Buffers. This issue affects Escargot: 4.0.0...
CrowdStrike Warns of New Phishing Scam Targeting German Customers
CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed...
CVE-2024-41705
A stored XSS issue was discovered in Archer Platform 6.8 before 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the...
CVE-2024-41706
A stored XSS issue was discovered in Archer Platform 6 before version 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers...
CVE-2024-41706
CVE-2024-41706 describes a stored XSS flaw in Archer Platform versions prior to 2024.06. A remote authenticated Archer user could store malicious HTML/JavaScript in a trusted application data store, which is then executed by victim users’ browsers in the vulnerable app context. Public details spe...
ROS-20240725-03
A vulnerability in the V8 JavaScript engine of the Google Chrome browser is an out-of-bounds read: memory is read outside the boundaries of an allocated buffer. Exploitation of the vulnerability could allow a remote attacker to access memory outside the allocated region using a specially crafted...
BIT-SYNCTHING-2022-46165 Cross-site Scripting (XSS) in Web GUI in syncthing
Syncthing is an open source, continuous file synchronization program. In versions prior to 1.23.5, a compromised instance with shared folders could sync malicious files whose names contain arbitrary HTML and JavaScript. If the owner of another device looks over the shared folder settings and...
CVE-2024-41662 VNote vulnerable to Markdown XSS, which leads to RCE
VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which...
CVE-2024-41662
CVE-2024-41662 affects the VNote note-taking platform, specifically versions 3.18.1 and prior, where the Markdown rendering component is vulnerable to Cross-Site Scripting (XSS) that can lead to arbitrary JavaScript execution and potential remote code execution. The issue is triggered via Markdow...
Malware Campaign Lures Users With Fake W2 Form
The following analysts contributed to the research: Evan McCann, Matt Smith, Ipek Solak, Jake McMahon. Rapid7 has recently observed a campaign targeting users searching for W2 forms using the Microsoft search engine Bing. Users are subsequently directed to a fake IRS website, enticing them to...
Cross Site Scripting (XSS)
Vue is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to manipulation of the prototype chain for specific properties such as Object.prototype.staticClass or Object.prototype.staticStyle, which allows an attacker to execute arbitrary JavaScript code via prototype pollution...
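The Vue entry above turns on prototype pollution: once `staticClass` lives on Object.prototype, every plain object appears to carry it, and any code that reads the property without an ownership check consumes attacker data. The following is an added example and not Vue's code: a recursive merge of the kind found in config and option handlers, the `__proto__` key that steers it into Object.prototype, a toy attribute renderer standing in for the sink (assumed for this example; it is not Vue's template compiler), and the two fixes a reviewer would ask for, namely refusing prototype keys in the merge and checking ownership plus escaping in the sink.

```javascript
// Added example, not Vue's code. The renderer below is a toy sink assumed for
// this demonstration; it is not Vue's template compiler.

// Constructed attacker value: breaks out of a double-quoted class attribute.
const ATTR_PAYLOAD = 'x" onmouseover="alert(1)';
// Constructed attacker document. JSON.parse creates an OWN property literally
// named "__proto__", so Object.keys() will hand it to the merge loop.
const PAYLOAD = JSON.parse('{"__proto__":' + JSON.stringify({ staticClass: ATTR_PAYLOAD }) + '}');

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: walks attacker-controlled keys. target["__proto__"] resolves to
// Object.prototype, so the recursive call writes staticClass onto it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: never descend through keys that reach the prototype chain, and only
// merge into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Toy sink: reads vnode-style data by plain property access, which follows the
// prototype chain, and interpolates it into markup without escaping.
function renderDiv(data) {
  const cls = data.staticClass !== undefined ? ` class="${data.staticClass}"` : '';
  return `<div${cls}></div>`;
}

function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (ch) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[ch]);
}

// Hardened sink: own-property check so inherited values are ignored, and
// attribute escaping so an own value cannot break out of the attribute.
function renderDivHardened(data) {
  const cls = Object.prototype.hasOwnProperty.call(data, 'staticClass')
    ? ` class="${escapeAttr(data.staticClass)}"`
    : '';
  return `<div${cls}></div>`;
}

// Merge the payload into a throwaway object, then render an object the attacker
// never touched. Object.prototype is restored afterwards so the process is clean.
function demoUnsafe() {
  try {
    unsafeMerge({}, PAYLOAD);
    const untouched = {};
    return { polluted: 'staticClass' in untouched, html: renderDiv(untouched) };
  } finally {
    delete Object.prototype.staticClass;
  }
}

function demoSafe() {
  const merged = safeMerge({}, PAYLOAD);
  return { polluted: 'staticClass' in {}, ownKeys: Object.keys(merged), html: renderDivHardened({}) };
}

console.log('unsafe:', demoUnsafe());
console.log('safe:  ', demoSafe());
console.log('hardened sink on own payload:', renderDivHardened({ staticClass: ATTR_PAYLOAD }));
```

The two fixes are independent and both are worth having: the merge guard stops the pollution at its source, while the ownership check and escaping in the sink mean that even a polluted prototype, or an attacker who can set the property legitimately, cannot turn a class name into an event handler.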