107 matches found

RedhatCVE | added 2025/05/22 10:31 p.m. | 3 views

CVE-2022-27246

An issue was discovered in MISP before 2.4.156. An SVG org logo which may contain JavaScript is not forbidden by default...

CVSS 6.1 | AI score 6.9 | EPSS 0.0024 | Exploits 0 | References 1
RedhatCVE | added 2025/05/22 10:29 a.m. | 5 views

CVE-2019-1109

A spoofing vulnerability exists when Microsoft Office JavaScript does not check the validity of the web page making a request to Office documents. An attacker who successfully exploited this vulnerability could read or write information in Office documents. The security update addresses the...

CVSS 9.1 | AI score 6.2 | EPSS 0.07967 | Exploits 0 | References 1
Tenable Nessus | added 2025/05/22 12:00 a.m. | 6 views

Mozilla Thunderbird < 128.10.2

The version of Thunderbird installed on the remote Windows host is prior to 128.10.2. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2025-40 advisory. - An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index...

CVSS 9.8 | AI score 8.2 | EPSS 0.00994 | Exploits 1 | References 3
RedhatCVE | added 2025/05/21 8:40 p.m. | 4 views

CVE-2002-2437

The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited w...

CVSS 5.0 | AI score 6.3 | EPSS 0.00294 | Exploits 1 | References 1
UbuntuCve | added 2025/05/21 6:15 p.m. | 5 views

CVE-2025-5020

Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client. This vulnerability was fixed in Firefox for iOS 139...

CVSS 4.3 | AI score 5.8 | EPSS 0.00181 | Exploits 0 | References 3
Cvelist | added 2025/05/17 9:07 p.m. | 23 views

CVE-2025-4919 Out-of-bounds access when optimizing linear sums

An attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability was fixed in Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1, Thunderbird 128.10.2, and Thunderbird 138.0.2...

EPSS 0.00277 | Exploits 0 | References 6
Fedora | added 2025/04/30 1:38 a.m. | 4 views

[SECURITY] Fedora 41 Update: icecat-115.22.0-2.rh1.fc41

GNU IceCat is the GNU version of the Firefox ESR browser. Extensions included in this version of IceCat: LibreJS GNU LibreJS aims to address the JavaScript problem described in the article "The JavaScript Trap" of Richard Stallman. JShelter: Mitigates potential threats from JavaScript, including...

CVSS 3.7 | AI score 4.2 | EPSS 0.00093 | Exploits 0
Fedora | added 2025/04/29 8:40 p.m. | 12 views

[SECURITY] Fedora 42 Update: icecat-115.22.0-2.rh1.fc42

GNU IceCat is the GNU version of the Firefox ESR browser. Extensions included in this version of IceCat: LibreJS GNU LibreJS aims to address the JavaScript problem described in the article "The JavaScript Trap" of Richard Stallman. JShelter: Mitigates potential threats from JavaScript, including...

CVSS 3.7 | AI score 6.8 | EPSS 0.00093 | Exploits 0
OSV | added 2025/04/18 4:04 p.m. | 1 view

CVE-2025-32792 ses's global contour bindings leak into Compartment lexical scope

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that hav...

CVSS 8.7 | AI score 7.2 | EPSS 0.00397 | Exploits 0 | References 3
OSV | added 2025/04/07 4:38 p.m. | 6 views

GHSA-4HWX-XCC5-2HFC tarteaucitron.js allows prototype pollution via custom text injection

A vulnerability was identified in tarteaucitron.js, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the site's source code or a CMS plugin to manipulate JavaScript object prototypes, leading to potenti...

CVSS 5.5 | AI score 7.5 | EPSS 0.00519 | Exploits 0 | References 4
Mozilla | added 2025/04/01 12:00 a.m. | 20 views

Security Vulnerabilities fixed in Firefox 137 — Mozilla

JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. An attacker could read 32 bits of values spilled onto the stack in a JIT compiled function. Leaking of file descriptors from the fork server to web content processes could allow for...

CVSS 8.1 | AI score 8.0 | EPSS 0.00255 | Exploits 1 | References 8 | Affected software 1
Veracode | added 2025/03/18 10:53 a.m. | 12 views

Remote Code Execution (RCE)

github.com/plentico/plenti is vulnerable to remote code execution (RCE). The vulnerability is due to improper handling of user-supplied file names in the /postLocal endpoint, allowing arbitrary JavaScript execution...

CVSS 8.8 | AI score 7.3 | EPSS 0.00753 | Exploits 1 | References 8 | Affected software 1
RedhatCVE | added 2025/02/05 7:37 p.m. | 9 views

CVE-2022-39357

Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it do...

CVSS 9.8 | AI score 6.8 | EPSS 0.01086 | Exploits 0 | References 1
CVE | added 2025/01/03 4:29 p.m. | 51 views

CVE-2025-21610

Trix is vulnerable to cross-site scripting (XSS) in versions prior to 2.1.12 when a user pastes a malicious javascript: URL into the link field. An attacker could entice a user to copy and paste such a link, causing arbitrary JavaScript execution in the user's session. A patch exists in Trix v2.1.12 ...

CVSS 5.3 | AI score 5.5 | EPSS 0.002 | Exploits 0 | References 4
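The Trix entry above describes a pasted javascript: URL reaching an href. The following is an added example, not Trix's code, of the check a link field needs before storing a user-supplied URL: parse it with the platform URL parser and compare the resulting scheme against an allowlist. BASE_URL, the sample links and the function names are assumptions for illustration, not from the page.

```javascript
// Added example; not Trix's code. Validates a pasted link before it is
// written into an href by parsing it and allowlisting the scheme.
// BASE_URL is an assumption used only to resolve relative links.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);
const BASE_URL = "https://example.com/"; // assumed; not from the page

// Returns the normalised href to store, or null if the link must be rejected.
function safeHref(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // The WHATWG parser strips leading/trailing whitespace and every ASCII
    // tab or newline before it reads the scheme, so " javascript:" and
    // "java\tscript:" both come back with protocol "javascript:".
    url = new URL(input, BASE_URL);
  } catch {
    return null; // unparsable input is dropped, not passed through
  }
  // url.protocol is already lower-cased. Allowlisting beats a "javascript:"
  // denylist, which would still let data: and vbscript: through.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// The weak check this bug class usually reflects: a case-sensitive prefix
// test on the raw string, which "JavaScript:" and "java\tscript:" bypass.
function naiveHrefCheck(input) {
  return input.startsWith("javascript:") ? null : input;
}

// Constructed inputs of the kind a user might paste into the link field.
const SAMPLE_LINKS = [
  "https://example.org/page",
  "/docs",
  "mailto:security@example.org",
  "javascript:alert(document.cookie)",
  "JavaScript:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

// Runs both checks over the samples so the bypasses are visible side by side.
function classify() {
  return SAMPLE_LINKS.map((link) => ({
    input: link,
    safe: safeHref(link),
    naive: naiveHrefCheck(link),
  }));
}
```

Storing `url.href` rather than the raw string also means the value written back into the document is the parser's canonical form, so a later consumer cannot re-interpret whitespace or case differently from the check.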
Fedora | added 2024/12/19 4:08 a.m. | 9 views

[SECURITY] Fedora 41 Update: icecat-115.18.0-2.rh2.fc41

GNU IceCat is the GNU version of the Firefox ESR browser. Extensions included in this version of IceCat: LibreJS GNU LibreJS aims to address the JavaScript problem described in the article "The JavaScript Trap" of Richard Stallman. JShelter: Mitigates potential threats from JavaScript, including...

CVSS 9.8 | AI score 6.5 | EPSS 0.00393 | Exploits 0
Fedora | added 2024/12/19 4:02 a.m. | 8 views

[SECURITY] Fedora 40 Update: icecat-115.18.0-2.rh2.fc40

GNU IceCat is the GNU version of the Firefox ESR browser. Extensions included in this version of IceCat: LibreJS GNU LibreJS aims to address the JavaScript problem described in the article "The JavaScript Trap" of Richard Stallman. JShelter: Mitigates potential threats from JavaScript, including...

CVSS 9.8 | AI score 6.5 | EPSS 0.00393 | Exploits 0
Veracode | added 2024/10/28 6:20 a.m. | 5 views

Prototype Pollution

Mermaid is vulnerable to prototype pollution. The vulnerability is due to prototype pollution in its bundled version of DOMPurify, which allows attackers to manipulate object properties in JavaScript, potentially causing unintended behavior in applications...

AI score 7.0 | Exploits 0
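Three entries above (tarteaucitron.js's addOrUpdate, Winter's Snowboard plugin loader, and the DOMPurify build bundled in Mermaid) are prototype-pollution bugs. The following is an added example, not the code of any of those projects, that models the shared pattern: a deep "apply overrides" routine that writes caller-controlled keys into a nested object without checking for the keys that reach the prototype chain, shown next to a hardened version. The translation table, the payload and all function names are constructed for illustration.

```javascript
// Added example; not the code of tarteaucitron.js, Winter's Snowboard or
// DOMPurify. Vulnerable and hardened variants of a deep-merge used to apply
// caller-supplied overrides, exercised with a constructed __proto__ payload.

// Constructed sample data: a small translation table, as a consent banner or
// CMS plugin might keep for its custom texts.
function makeTexts() {
  return { en: { accept: "Accept", deny: "Deny" }, fr: { accept: "Accepter" } };
}

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable variant. With key "__proto__", target[key] resolves through the
// inherited accessor to Object.prototype, so the recursive call then assigns
// the attacker's properties onto every object in the realm.
function addOrUpdateVulnerable(target, overrides) {
  for (const key of Object.keys(overrides)) {
    const value = overrides[key];
    if (isPlainObject(value)) {
      if (target[key] === undefined) target[key] = {};
      addOrUpdateVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Walks the whole override tree before anything is written, so a rejected
// payload leaves the target untouched rather than half-applied.
function assertSafeKeys(obj, path = "") {
  for (const key of Object.keys(obj)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected key "${key}" at ${path || "<root>"}`);
    }
    if (isPlainObject(obj[key])) assertSafeKeys(obj[key], `${path}/${key}`);
  }
}

// Hardened variant: validates first, then only descends into the target's own
// properties, so an inherited name such as "toString" is treated as absent
// instead of being written through to the prototype.
function addOrUpdateSafe(target, overrides) {
  assertSafeKeys(overrides);
  return mergeOwn(target, overrides);
}

function mergeOwn(target, overrides) {
  for (const key of Object.keys(overrides)) {
    const value = overrides[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeOwn(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload. Parsed from JSON because a {"__proto__": ...}
// literal in source sets the prototype instead of creating an own key, whereas
// JSON.parse (like a request body or config file) produces an own "__proto__".
const POLLUTING_OVERRIDE = JSON.parse(
  '{"en":{"accept":"OK"},"__proto__":{"isAdmin":true}}'
);

// Runs the payload against both variants and reports whether an unrelated,
// freshly created object picked up the attacker's property. Removes the
// polluted property afterwards so the process is left clean.
function demo() {
  const vulnTexts = makeTexts();
  addOrUpdateVulnerable(vulnTexts, POLLUTING_OVERRIDE);
  const pollutedAfterVulnerable = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  const safeTexts = makeTexts();
  let rejected = false;
  try {
    addOrUpdateSafe(safeTexts, POLLUTING_OVERRIDE);
  } catch (e) {
    rejected = true;
  }
  const pollutedAfterSafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;

  return {
    pollutedAfterVulnerable,
    vulnAccept: vulnTexts.en.accept,
    rejected,
    pollutedAfterSafe,
    safeAccept: safeTexts.en.accept,
  };
}
```

Two details matter in practice. The key denylist alone is not sufficient if the merge still reads `target[key]` through the prototype chain, which is why the hardened variant also requires own properties before descending. And because the vulnerable variant really does modify `Object.prototype`, anything that runs after it in the same realm (including a sanitizer such as DOMPurify, as the Mermaid entry illustrates) inherits the attacker's property.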
RedHat Linux | added 2024/05/16 6:21 p.m. | 1 view

Mozilla: Arbitrary JavaScript execution in PDF.js

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context...

CVSS 8.8 | AI score 7.5 | EPSS 0.40321 | Exploits 14 | References 6
WPVulnDB | added 2023/08/21 12:00 a.m. | 22 views

URL Shortify < 1.7.6 - Unauthenticated Stored XSS via referer header

Description: The plugin does not properly escape the value of the Referer header, thus allowing an unauthenticated attacker to inject malicious JavaScript that will trigger in the plugin's admin panel showing statistics for the created short link. PoC: 1. Add a new shortened link in the interface...

CVSS 6.1 | AI score 6.3 | EPSS 0.32418 | Exploits 2 | Affected software 1
OpenVAS | added 2023/06/09 12:00 a.m. | 17 views

Ubuntu: Security Advisory (USN-6147-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 | AI score 9.7 | EPSS 0.00303 | Exploits 0 | References 2