
17848 matches found

Cvelist
added 2024/05/14 5:21 p.m. · 73 views

CVE-2024-4367

A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11...

AI score 6.6 · EPSS 0.39735
Exploits 14 · References 6
NVD
added 2024/05/14 5:17 p.m. · 14 views

CVE-2024-30054

Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability...

CVSS 6.5 · AI score 6.1 · EPSS 0.12217
Exploits 0 · References 1
NVD
added 2024/05/14 4:17 p.m. · 7 views

CVE-2024-33864

An issue was discovered in linqi before 1.4.0.1 on Windows. There is SSRF via Document template generation; i.e., via remote images in process creation, file inclusion, and PDF document generation via malicious JavaScript...

CVSS 5.9 · AI score 6.7 · EPSS 0.00092
Exploits 0 · References 2
NVD
added 2024/05/14 4:17 p.m. · 11 views

CVE-2024-33007

PDFViewer is a control delivered as part of SAPUI5 product which shows the PDF content in an embedded mode by default. If a PDF document contains embedded JavaScript or any harmful client-side script, the PDFViewer will execute the JavaScript embedded in the PDF which can cause a potential securi...

CVSS 3.5 · AI score 4.2 · EPSS 0.00137
Exploits 0 · References 2
NVD
added 2024/05/14 3:42 p.m. · 25 views

CVE-2024-4068

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating...

CVSS 7.5 · AI score 7.6 · EPSS 0.00305
Exploits 1 · References 5
NVD
added 2024/05/14 3:38 p.m. · 5 views

CVE-2024-34345

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

CVSS 8.1 · AI score 8.2 · EPSS 0.00081
Exploits 0 · References 3
The Hacker News
added 2024/05/14 1:51 p.m. · 38 views

New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It wa...

CVSS 9.6 · AI score 9.1 · EPSS 0.1074
Exploits 9
Veracode
added 2024/05/14 4:14 a.m. · 18 views

Cross-Site Scripting (XSS)

nocodb is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient user input sanitization within the Formula virtual cell comments functionality, allowing attackers to inject malicious JavaScript code via crafted URLs...

CVSS 7.3 · AI score 6.5 · EPSS 0.01788
Exploits 1 · References 3 · Affected Software 1
CVE
added 2024/05/14 3:38 a.m. · 49 views

CVE-2024-32733

CVE-2024-32733 affects SAP NetWeaver Application Server ABAP and ABAP Platform. The issue arises from missing input validation and output encoding of untrusted data, enabling an unauthenticated attacker to inject malicious JavaScript into a dynamically crafted web page. Exploitation can lead to t...

CVSS 6.1 · AI score 6.7 · EPSS 0.00117
Exploits 0 · References 2
CNNVD
added 2024/05/14 12:00 a.m. · 2 views

Karma security vulnerability

Karma is a simple tool. Allows execution of JavaScript code in multiple real browsers. A security vulnerability exists in Karma versions prior to 0.17.4.1, which stems from the fact that sending multiple post requests at the same time will bypass the cooldown validation...

CVSS 6.3 · AI score 7 · EPSS 0.00392
Exploits 0 · References 5
Tenable Nessus
added 2024/05/14 12:00 a.m. · 26 views

Mozilla Firefox ESR < 115.11

The version of Firefox ESR installed on the remote macOS or Mac OS X host is prior to 115.11. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2024-22 advisory. - Memory safety bugs present in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10. Some of these bu...

CVSS 8.8 · AI score 8.2 · EPSS 0.39735
Exploits 17 · References 7
Cvelist
added 2024/05/13 3:40 p.m. · 17 views

CVE-2024-34081 MantisBT Cross-site Scripting vulnerability

MantisBT Mantis Bug Tracker is an open source issue tracker. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when resolving or closing issues bugchangestatuspage.php belonging to a project linking...

CVSS 6.6 · AI score 6.6 · EPSS 0.003
Exploits 0 · References 3
Vulnrichment
added 2024/05/13 2:24 p.m. · 27 views

CVE-2024-29894 Cacti Cross-site Scripting vulnerability when using JavaScript based messaging API

Cacti provides an operational monitoring and fault management framework. Versions of Cacti prior to 1.2.27 contain a residual cross-site scripting vulnerability caused by an incomplete fix for CVE-2023-50250. raisemessagejavascript from lib/functions.php now uses purify.js to fix CVE-2023-50250...

CVSS 5.4 · AI score 6.3 · EPSS 0.00162
Exploits 1 · References 3
CVE
added 2024/05/13 10:06 a.m. · 400 views

CVE-2024-4068

CVE-2024-4068 affects the NPM package braces. Versions prior to 3.0.3 fail to limit input length, causing a loop in lib/parse.js when given imbalanced braces, leading to memory exhaustion and potential crash of the host process. IBM/DB2-related bulletins confirm the brace-expansion issue as a vul...

CVSS 7.5 · AI score 7.4 · EPSS 0.00305
Exploits 1 · References 5 · Affected Software 1
Debian CVE
added 2024/05/13 10:06 a.m. · 36 views

CVE-2024-4068

The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating...

CVSS 7.5 · AI score 7.4 · EPSS 0.00305
Exploits 1
Veracode
added 2024/05/13 6:45 a.m. · 14 views

Cross-Site Scripting (XSS)

sylius/sylius is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient input sanitization within autocomplete fields and the category tree in the Admin panel, which allows an attacker to insert arbitrary JavaScript into Name fields such as the Taxons, Products, Product...

CVSS 4.8 · AI score 6.4 · EPSS 0.00068
Exploits 0
Positive Technologies
added 2024/05/10 12:00 a.m. · 2 views

PT-2024-22571 · IBM · IBM UrbanCode Deploy

Name of the Vulnerable Software and Affected Versions: IBM UrbanCode Deploy versions 7.0 through 7.0.5.20 IBM UrbanCode Deploy versions 7.1 through 7.1.2.16 IBM UrbanCode Deploy versions 7.2 through 7.2.3.9 IBM UrbanCode Deploy versions 7.3 through 7.3.2.4 IBM UrbanCode Deploy versions 8.0 throug...

CVSS 5.4 · AI score 7 · EPSS 0.0028
Exploits 0 · References 3
OSV
added 2024/05/09 6:51 p.m. · 38 views

RLSA-2024:2779 Important: nodejs:18 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: CONTINUATION frames DoS CVE-2024-27983 nodejs: using the fetch function to retrieve content from an untrusted URL leads to denial of servi...

CVSS 7.5 · AI score 7 · EPSS 0.75933
Exploits 2 · References 6
Cvelist
added 2024/05/09 2:56 p.m. · 13 views

CVE-2024-34345 @cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1...

CVSS 8.1 · AI score 8.4 · EPSS 0.00081
Exploits 0 · References 3
CVE
added 2024/05/09 9:36 a.m. · 23 views

CVE-2024-4424

CVE-2024-4424 affects CemiPark software (versions 4.5, 4.7, 5.03 and potentially others) where input data is not properly validated, enabling stored cross-site scripting (XSS). The vulnerability arises from insufficient validation of user-entered data in the access control/data entry pathways, al...

CVSS 6.1 · AI score 5.7 · EPSS 0.00245
Exploits 0 · References 3