Lucene search

371 matches found

NVD
added 2023/11/17 10:15 p.m., 20 views

CVE-2023-48238

joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact, URL-safe means of representing claims to be transferred between two parties. Versions prior to 4.0.0 are vulnerable to a JWT algorithm confusion attack. On line 86 of the 'index.js'...

CVSS 7.5, EPSS 0.00307
Exploits 1, References 2
OSV
added 2023/11/17 9:35 p.m., 28 views

CVE-2023-48238 JWT Algorithm Confusion in json-web-token library

joaquimserafim/json-web-token is a JavaScript library used to interact with JSON Web Tokens (JWT), which are a compact, URL-safe means of representing claims to be transferred between two parties. Affected versions of the json-web-token library are vulnerable to a JWT algorithm confusion attack. On li...

CVSS 7.5, AI score 7.4, EPSS 0.00307
Exploits 1, References 3
Cvelist
added 2023/11/14 12:00 a.m., 15 views

CVE-2023-48094

A cross-site scripting (XSS) vulnerability in CesiumJS v1.111 allows attackers to execute arbitrary code in the context of the victim's browser via sending a crafted payload to /containerfiles/publichtml/doc/index.html. NOTE: the vendor’s position is that Apps/Sandcastle/standalone.html is part of...

AI score 6.1, EPSS 0.00314
Exploits 0, References 1
NVD
added 2023/10/25 9:15 p.m., 21 views

CVE-2023-46233

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm...

CVSS 9.1, AI score 9.1, EPSS 0.00635
Exploits 0, References 3
UbuntuCve
added 2023/10/25 9:15 p.m., 27 views

CVE-2023-46233

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm...

CVSS 9.1, AI score 7.1, EPSS 0.00635
Exploits 0, References 4
CVE
added 2023/10/25 8:49 p.m., 269 views

CVE-2023-46233

CVE-2023-46233 affects crypto-js in Crypto-JS prior to 4.2.0. The PBKDF2 implementation uses SHA1 and a fixed iteration count of 1,000, making it far weaker than the 1993 spec and substantially weaker than current standards. Reported impact is high for password protection and signature generation...

CVSS 9.1, AI score 9.1, EPSS 0.00635
Exploits 0, References 3, Affected Software 1
CVE
added 2023/08/14 8:10 p.m., 72 views

CVE-2023-40013

CVE-2023-40013 affects the external-svg-loader / SVG Loader JS library. The vulnerability arises from insufficient input sanitization when injecting fetched SVGs, allowing crafted SVGs to bypass sanitization and trigger Cross-site Scripting (XSS). Affected behavior: external sites that accept use...

CVSS 7.1, AI score 5.9, EPSS 0.00473
Exploits 0, References 4, Affected Software 1
OpenVAS
added 2023/07/14 12:00 a.m., 17 views

Ubuntu: Security Advisory (USN-6227-1)

The remote host is missing an update for the...

CVSS 8.8, AI score 8.9, EPSS 0.00696
Exploits 0, References 2
OSV
added 2023/07/06 7:24 p.m., 1 view

GHSA-PVRW-G6FX-MCX2 is_js vulnerable to Regular Expression Denial of Service

is.js is a general-purpose check library. Versions 0.9.0 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). is.js uses a regex copied from a gist to validate URLs. Trying to validate a malicious string can cause the regex to...

CVSS 7.5, AI score 7, EPSS 0.00866
Exploits 1, References 4
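The is.js entry above is about validating URLs with a backtracking regex. The following is an added example written for this page, not is.js code: it uses a constructed regex with the nested-quantifier ambiguity that produces exponential backtracking (it is not the pattern is.js used), times it on growing inputs, and shows the linear-time alternative of bounding the input length and handing the string to the WHATWG URL parser with an explicit scheme allow-list. The regex, the probe inputs, the limits and the helper names are all assumptions for illustration.

```javascript
// Added example (not is.js code): a constructed ReDoS pattern beside a
// URL check that cannot backtrack.

// Constructed pattern with nested ambiguity: `\w+` followed by an optional
// separator, repeated. On "aaaa...a!" the engine tries every way of splitting
// the run of "a"s before it can fail, so matching time grows as 2^n.
const AMBIGUOUS = /^(\w+\s?)*$/;

// Time one match attempt on a non-matching input of length n+1.
function redosProbe(n) {
  const input = 'a'.repeat(n) + '!';
  const start = process.hrtime.bigint();
  const matched = AMBIGUOUS.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { n, matched, ms };
}

// Hardened check: cap the input size first, then rely on the built-in URL
// parser (no backtracking) and an explicit scheme allow-list. Limits are assumed.
const MAX_URL_LENGTH = 2048;
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function isUrl(value) {
  if (typeof value !== 'string' || value.length > MAX_URL_LENGTH) return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) && parsed.hostname !== '';
}

// Constructed inputs. The `growth` timings are for the reader to compare;
// the `checks` are the behaviour a validator should have.
function demo() {
  return {
    growth: [16, 20, 22].map(redosProbe),
    checks: {
      plain: isUrl('https://example.com/path?q=1'),
      noScheme: isUrl('example.com'),
      javascriptScheme: isUrl('javascript:alert(1)'),
      oversized: isUrl('https://example.com/' + 'a'.repeat(MAX_URL_LENGTH)),
      garbage: isUrl('a'.repeat(30) + '!'),
    },
  };
}
```

The important property of `isUrl` is that its cost is proportional to the input length regardless of content, which is what a regex with nested quantifiers cannot promise. The length cap is cheap insurance for any remaining regex in the same code path.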
CNNVD
added 2023/06/26 12:00 a.m., 3 views

CVE number withdrawn

jQuery is a set of open source, cross-browser JavaScript libraries developed by John Resig, an individual developer in the United States. The library simplifies operations between HTML and JavaScript and features modularity, plug-in extensions, and more. This CVE number has been withdrawn...

AI score 7.4
Exploits 5, References 4
Prion
added 2023/05/08 9:15 p.m., 17 views

Cross site scripting

A prototype pollution vulnerability exists in Strikingly CMS which can result in reflected cross-site scripting (XSS) in affected applications and sites built with Strikingly. The vulnerability exists because the Strikingly JavaScript library's parsing of the URL fragment allows access to the __proto__ or...

CVSS 5.8, AI score 6, EPSS 0.00597
Exploits 1, References 1
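The Strikingly entry above (and the rangy entry further down the list) are both prototype pollution, in the first case reached through the URL fragment. The following is an added example written for this page, not Strikingly's or rangy's code: a fragment parser that writes dotted keys into a plain object, which pollutes `Object.prototype` when handed `__proto__`, beside a hardened version built on prototype-less containers and a key deny-list. The fragment format (`a.b=value` pairs joined by `&`), the poisoned fragment and the helper names are assumptions for this illustration.

```javascript
// Added example (not Strikingly's or rangy's code): prototype pollution via
// URL-fragment parsing, vulnerable and hardened side by side.

// Split "#k1=v1&k2=v2" into decoded [key, value] pairs (assumed format).
function parsePairs(fragment) {
  const body = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  return body.split('&').filter(Boolean).map((pair) => {
    const idx = pair.indexOf('=');
    const rawKey = idx < 0 ? pair : pair.slice(0, idx);
    const rawValue = idx < 0 ? '' : pair.slice(idx + 1);
    return [decodeURIComponent(rawKey), decodeURIComponent(rawValue)];
  });
}

// Vulnerable: walks the dotted path and assigns on a normal object.
// "__proto__.x=1" makes `node` become Object.prototype, so the final
// assignment lands on every object in the realm.
function parseFragmentUnsafe(fragment) {
  const result = {};
  for (const [path, value] of parsePairs(fragment)) {
    const keys = path.split('.');
    let node = result;
    for (const key of keys.slice(0, -1)) {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return result;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: prototype-less containers (so "__proto__" would be an ordinary own
// property, not the [[Prototype]] accessor), dangerous keys dropped outright,
// and descent only into intermediate nodes this parser created itself.
function parseFragmentSafe(fragment) {
  const result = Object.create(null);
  for (const [path, value] of parsePairs(fragment)) {
    const keys = path.split('.');
    if (keys.some((k) => FORBIDDEN_KEYS.has(k))) continue;
    let node = result;
    for (const key of keys.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(node, key) || typeof node[key] !== 'object') {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[keys[keys.length - 1]] = value;
  }
  return result;
}

// Constructed fragment an attacker could place in a link to the site.
const POISON_FRAGMENT = '#__proto__.injected=polluted&page=home';

function demo() {
  const before = ({}).injected;              // undefined before parsing
  parseFragmentUnsafe(POISON_FRAGMENT);
  const afterUnsafe = ({}).injected;         // now "polluted" on every object
  delete Object.prototype.injected;          // undo, so the safe run starts clean

  const safe = parseFragmentSafe(POISON_FRAGMENT);
  const afterSafe = ({}).injected;
  return {
    before,
    afterUnsafe,
    afterSafe,
    safePage: safe.page,
    safeHasProto: '__proto__' in safe,
  };
}
```

Once `Object.prototype.injected` exists, any later template or DOM code that reads an optional property such as `config.injected` from an unrelated object sees the attacker's string, which is how pollution from the fragment turns into reflected XSS.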
The Hacker News
added 2023/04/19 4:53 a.m., 5 views

Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of sandbox protections and achieve code execution. Both the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring...

CVSS 10, AI score 8.7, EPSS 0.71871
Exploits 9
The Hacker News
added 2023/04/19 4:53 a.m., 98 views

Critical Flaws in vm2 JavaScript Library Can Lead to Remote Code Execution

A fresh round of patches has been made available for the vm2 JavaScript library to address two critical flaws that could be exploited to break out of sandbox protections and achieve code execution. Both the flaws – CVE-2023-29199 and CVE-2023-30547 – are rated 9.8 out of 10 on the CVSS scoring...

CVSS 10, AI score 10.2, EPSS 0.71871
Exploits 9
CNNVD
added 2023/02/24 12:00 a.m., 3 views

rangy security vulnerability

rangy is a cross-browser JavaScript selection library. A security vulnerability exists in timdown rangy that stems from a prototype pollution flaw...

CVSS 8.2, AI score 7.7, EPSS 0.00766
Exploits 1, References 3
Debian
added 2023/01/30 9:29 p.m., 31 views

[SECURITY] [DLA 3295-1] node-moment security update

Debian LTS Advisory DLA-3295-1, https://www.debian.org/lts/security/, Utkarsh Gupta, January 31, 2023, https://wiki.debian.org/LTS...

CVSS 7.5, AI score 8.4, EPSS 0.05664
Exploits 1
Fedora
added 2022/11/21 12:51 a.m., 35 views

[SECURITY] Fedora 35 Update: js-jquery-ui-1.13.2-1.fc35

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library...

CVSS 6.1, AI score 1.7, EPSS 0.01895
Exploits 1
OpenVAS
added 2022/11/21 12:00 a.m., 25 views

Fedora: Security Advisory for js-jquery-ui (FEDORA-2022-7291b78111)

The remote host is missing an update for the...

CVSS 6.1, AI score 6.6, EPSS 0.01895
Exploits 1, References 2
CNNVD
added 2022/10/26 12:00 a.m., 21 views

Socket.IO SQL injection vulnerability

Socket.IO is a JavaScript library for real-time web applications from Socket.IO. A security vulnerability exists in Socket.IO that stems from incorrect type validation when the Socket.IO JavaScript library parses attachments...

CVSS 10, AI score 8.2, EPSS 0.01121
Exploits 0, References 5
BDU FSTEC
added 2022/10/26 12:00 a.m., 6 views

A vulnerability in the template function of the Underscore JavaScript library for working with arrays allows attackers to access confidential data, compromise its integrity, and cause service failures.

The vulnerability in the template function of the Underscore JavaScript library for working with arrays is related to incorrect code generation practices. Exploiting this vulnerability can allow an attacker to gain access to confidential data, compromise its integrity, and cause service failures...

CVSS 9, AI score 6.5, EPSS 0.04087
Exploits 2, References 9, Affected Software 3
OSV
added 2022/10/25 8:22 p.m., 21 views

GHSA-C33W-PM52-MQVF @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details

Description Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library Showdown. Showdown does not have any XSS countermeasures built in, and versions before 4.6.1 of the Dependency-Track frontend did n...

CVSS 5.4, AI score 5.2, EPSS 0.00665
Exploits 0, References 5