Code injection

Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function JsiValueArrayIndex jsiValue.c:366. The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3...

CVE-2019-1010170

Jsish 2.4.77 2.0477 is affected by: Use After Free. The impact is: denial of service. The component is: function JsiObjFree jsiObj.c:230. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.78...

CVE-2019-1010162

jsish 2.4.74 2.0474 is affected by: CWE-476: NULL Pointer Dereference. The impact is: denial of service. The component is: function JsiStrcmpDict jsiChar.c:121. The attack vector is: The victim must execute crafted javascript code. The fixed version is: 2.4.77...

CVE-2019-1010171

Jsish 2.4.83 2.0483 is affected by: Nullpointer dereference. The impact is: denial of service. The component is: function jsiDumpFunctions jsiEval.c:567. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.84...

CVE-2019-1010170

Jsish 2.4.77 2.0477 is affected by: Use After Free. The impact is: denial of service. The component is: function JsiObjFree jsiObj.c:230. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.78...

CVE-2019-1010169

Jsish 2.4.77 2.0477 is affected by: Out-of-bounds Read. The impact is: denial of service. The component is: function lexergetchar jsiLexer.c:9. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.78...

Null pointer dereference

jsish 2.4.74 2.0474 is affected by: CWE-476: NULL Pointer Dereference. The impact is: denial of service. The component is: function JsiStrcmpDict jsiChar.c:121. The attack vector is: The victim must execute crafted javascript code. The fixed version is: 2.4.77...

Design/Logic Flaw

Jsish 2.4.77 2.0477 is affected by: Use After Free. The impact is: denial of service. The component is: function JsiObjFree jsiObj.c:230. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.78...

Design/Logic Flaw

Jsish 2.4.77 2.0477 is affected by: Out-of-bounds Read. The impact is: denial of service. The component is: function lexergetchar jsiLexer.c:9. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.78...

Code injection

Jsish 2.4.83 2.0483 is affected by: Nullpointer dereference. The impact is: denial of service. The component is: function jsiDumpFunctions jsiEval.c:567. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.84...

CVE-2019-1010173

Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function JsiValueArrayIndex jsiValue.c:366. The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3...

CVE-2019-1010171

The CVE-2019-1010171 entry describes a vulnerability in Jsish 2.4.83/2.0483 where a null pointer dereference in the function jsi_DumpFunctions (jsiEval.c:567) can be triggered by executing crafted JavaScript code, leading to denial of service. The fixed version is 2.4.84. References in the provid...

CVE-2019-1010171

Jsish 2.4.83 2.0483 is affected by: Nullpointer dereference. The impact is: denial of service. The component is: function jsiDumpFunctions jsiEval.c:567. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.84...

CVE-2019-1010170

Jsish 2.4.77 2.0477 is affected by: Use After Free. The impact is: denial of service. The component is: function JsiObjFree jsiObj.c:230. The attack vector is: executing crafted javascript code. The fixed version is: 2.4.78...

CVE-2019-1010162

jsish 2.4.74 2.0474 is affected by: CWE-476: NULL Pointer Dereference. The impact is: denial of service. The component is: function JsiStrcmpDict jsiChar.c:121. The attack vector is: The victim must execute crafted javascript code. The fixed version is: 2.4.77...

No man’s land: How a Magecart group is running a web skimming operation from a war zone

Our Threat Intelligence team has been monitoring the activities of a number of threat actors involved in the theft of credit card data. Often referred to under the Magecart moniker, these groups use simple pieces of JavaScript code skimmers typically injected into compromised e-commerce websites ...

CVE-2019-13644

Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tagnumber$ tag summary page. NOTE: It is asserted that an attacker must have the same acce...

Design/Logic Flaw

DISPUTED Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of filtration of user-supplied data in a budget name. The JavaScript code is contained in a transaction, and is executed on the tags/show/$tagnumber$ tag summary page. NOTE: It is asserted that an attacker must have the...

CVE-2019-13647

Firefly III prior to 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript executes when viewing attachments/view/$file_id$, and an attacker must have the same access rights as the user to exploit. Affected software: Firefly III...

Cross-Site Scripting (XSS)

tinymce is vulnerable to Cross-Site Scripting. The library does not properly sanitise the input to the media element, allowing users to paste malicious content to media element's embed tab to execute arbitrary Javascript code...