Lucene search

655 matches found

OSV
added 2022/12/22 8:15 p.m. · 10 views

CVE-2022-1802

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR 91.9.1, Firefox 100.0.2, Firefox for Android 100.3.0,...

CVSS 8.8 · AI score 7.9
Exploits 0 · References 2
Vulnrichment
added 2022/12/22 12:00 a.m. · 8 views

CVE-2022-1802

If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. This vulnerability affects Firefox ESR 91.9.1, Firefox 100.0.2, Firefox for Android 100.3.0,...

AI score 8 · EPSS 0.67932
Exploits 0 · References 2
CNNVD
added 2022/12/21 12:00 a.m. · 1 view

studygolang cross-site scripting vulnerability

studygolang is an open-source Chinese-language Go community site. studygolang has a security vulnerability that stems from an unknown part of the file static/js/topics.js; manipulation of the parameter contentHtml leads to cross-site scripting...

CVSS 6.1 · AI score 5.7 · EPSS 0.00213
Exploits 0 · References 3
Snyk
added 2022/12/19 2:15 p.m. · 2 views

Prototype Pollution

Overview: safe-eval is a safer version of eval. Affected versions of this package are vulnerable to Prototype Pollution, which allows an attacker to add or modify properties of the Object.prototype. Consolidate when using the function safeEval. This is because the function uses the vm variable, leading a...

CVSS 9.8 · AI score 9 · EPSS 0.00291
Exploits 1 · References 2
Positive Technologies
added 2022/12/09 12:00 a.m. · 2 views

PT-2022-25800 · IBM · IBM Cloud Transformation Advisor

Name of the Vulnerable Software and Affected Versions: IBM Cloud Transformation Advisor versions 2.0.1 through 3.3.1. Description: This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within ...

CVSS 5.4 · AI score 5.5 · EPSS 0.0053
Exploits 0 · References 5
Positive Technologies
added 2022/11/14 12:00 a.m. · 1 view

PT-2022-22124 · IBM · IBM CICS TX

Name of the Vulnerable Software and Affected Versions: IBM CICS TX version 11.1. Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. Recommendations: Fo...

CVSS 5.4 · AI score 5.4 · EPSS 0.00789
Exploits 0 · References 4
RedHat Linux
added 2022/10/18 9:27 a.m. · 3 views

nodejs: HTTP Request Smuggling due to incorrect parsing of header fields

A vulnerability was found in Node.js due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CRLF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a...

CVSS 6.5 · AI score 7.5 · EPSS 0.03694
Exploits 1 · References 5
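The smuggling risk in the entry above comes from two parsers in the same request path disagreeing on whether a header line that ends in a bare LF has ended. The block below is an added example, not llhttp's code: it shows a constructed request head parsed three ways, an LF-tolerant parser (RFC 9112 section 2.2 permits recognising a lone LF), a CRLF-only parser that folds the stray line into the previous field value, and a strict parser that rejects the message instead of guessing. Function names and the sample request are assumptions for this example.

```javascript
// Added example (not llhttp's code): how header lines that are not
// CRLF-terminated let two parsers frame the same request differently.

// Constructed request head. The Content-Length line ends in a bare LF;
// the Transfer-Encoding line after it ends in CRLF.
const RAW_REQUEST =
  'POST /upload HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 5\n' +           // bare LF, not CRLF
  'Transfer-Encoding: chunked\r\n' +
  '\r\n';

// Return the message head (everything before the blank line).
function splitHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end < 0) throw new Error('incomplete message head');
  return raw.slice(0, end);
}

// Shared field parser; `check` lets a caller reject a field before it is stored.
function parseFields(lines, check) {
  const headers = Object.create(null);
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 1) throw new Error('malformed header line: ' + JSON.stringify(line));
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    if (check) check(name, value);
    headers[name] = value;
  }
  return headers;
}

// Parser A: a lone LF ends a line, so it sees Transfer-Encoding: chunked.
function parseHeadersLfTolerant(head) {
  const lines = head.split(/\r?\n/);
  lines.shift(); // drop the request line
  return parseFields(lines);
}

// Parser B: only CRLF ends a line, so the bare LF and the entire
// Transfer-Encoding line are swallowed into the Content-Length value and
// the request is framed by a 5-byte Content-Length instead.
function parseHeadersCrlfOnly(head) {
  const lines = head.split('\r\n');
  lines.shift();
  return parseFields(lines);
}

// Parser C: strict. A field containing a stray CR or LF, or whitespace in
// its name, is a malformed message and is rejected rather than guessed at.
function parseHeadersStrict(head) {
  const lines = head.split('\r\n');
  lines.shift();
  return parseFields(lines, (name, value) => {
    if (/[\r\n]/.test(name + value)) throw new Error('bare CR/LF inside header field ' + name);
    if (/\s/.test(name)) throw new Error('whitespace in header field name ' + JSON.stringify(name));
  });
}

// A front end running parser A and a back end running parser B (or the
// reverse) disagree on where this request's body ends: that is the gap a
// smuggled second request hides in.
function framingDisagrees(raw) {
  const head = splitHead(raw);
  const a = parseHeadersLfTolerant(head);
  const b = parseHeadersCrlfOnly(head);
  return ('transfer-encoding' in a) !== ('transfer-encoding' in b);
}
```

Tolerating bare LF is allowed by the RFC, and so is CRLF-only parsing; the bug is mixing the two across a proxy chain. When a front end cannot know what sits behind it, rejecting the ambiguous message, as the strict parser does, is the policy that removes the disagreement.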
RedHat Linux
added 2022/10/17 10:42 a.m. · 3 views

nodejs: weak randomness in WebCrypto keygen

A vulnerability was found in Node.js due to weak randomness in the WebCrypto keygen within SecretKeyGenTraits::DoKeyGen in src/crypto/cryptokeygen.cc. Node.js made calls to EntropySource in SecretKeyGenTraits::DoKeyGen. However, it does not check the return value and assumes the EntropySource...

CVSS 9.1 · AI score 7.3 · EPSS 0.01213
Exploits 1 · References 6
CNVD
added 2022/10/14 12:00 a.m. · 21 views

Zimbra Collaboration Suite phone cross-site scripting vulnerability

Synacor Zimbra Collaboration Suite (ZCS) is an open-source collaboration suite from Synacor, USA. The product includes WebMail, Calendar, Address Book and more. A cross-site scripting vulnerability exists in Zimbra Collaboration Suite version 8.8.15, which stems from the lack of effective filtering...

CVSS 6.1 · AI score 6.4 · EPSS 0.01035
Exploits 0 · References 1
Positive Technologies
added 2022/10/06 12:00 a.m. · 1 view

PT-2022-24541 · IBM · IBM Robotic Process Automation

Name of the Vulnerable Software and Affected Versions: IBM Robotic Process Automation versions 21.0.1 through 21.0.3 for Cloud Pak. Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials...

CVSS 6.1 · AI score 6.2 · EPSS 0.00373
Exploits 0 · References 3
Imperva Blog
added 2022/09/12 2:11 p.m. · 15 views

PCI DSS Tackles Client-Side Attacks: Everything You Need to Know About Complying With PCI 6.4.3

Client-side attacks, often referred to as Magecart attacks, have been around since as early as 2015 and dramatically gained in popularity when the global pandemic accelerated digital transformation by driving more people and data online. Now the fight against these attacks is stepping up a notch...

AI score 0.1
Exploits 0
Vulnrichment
added 2022/09/08 8:35 p.m. · 6 views

CVE-2022-36097 XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the...

CVSS 8.9 · AI score 8.9 · EPSS 0.21828
Exploits 1 · References 4
Vulnrichment
added 2022/09/08 8:30 p.m. · 5 views

CVE-2022-36096 XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list

The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index wi...

CVSS 8.9 · AI score 9 · EPSS 0.44248
Exploits 0 · References 3
OSV
added 2022/08/29 5:15 a.m. · 2 views

CVE-2021-41781

Foxit PDF Reader before 11.1 and PDF Editor before 11.1, and PhantomPDF before 10.1.6, allow attackers to trigger a use-after-free and execute arbitrary code because JavaScript is mishandled...

CVSS 7.8 · AI score 7.3
Exploits 0 · References 1
Positive Technologies
added 2022/08/29 12:00 a.m. · 1 view

PT-2022-23132 · Unknown · mdx-mermaid

Name of the Vulnerable Software and Affected Versions: mdx-mermaid versions less than 1.3.0; mdx-mermaid version 2.0.0-rc1. Description: The issue concerns an arbitrary JavaScript injection potential in mdx-mermaid. This can be exploited by modifying mermaid code blocks with arbitrary code, which...

CVSS 7.8 · AI score 7.7 · EPSS 0.00129
Exploits 1 · References 7
Vulnrichment
added 2022/08/16 5:25 p.m. · 6 views

CVE-2022-38189 There is a stored cross-site scripting (XSS) vulnerability in ArcGIS API for JavaScript.

A stored Cross Site Scripting XSS vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser...

CVSS 5.4 · AI score 5.3 · EPSS 0.002
Exploits 0 · References 1
CVE
added 2022/07/25 2:05 p.m. · 44 views

CVE-2020-28459

CVE-2020-28459 affects all versions of the package markdown-it-decorate. The vulnerability allows an attacker to inject event handlers or use javascript: URLs in links, enabling potential cross-site scripting (XSS). Public documents consistently describe the issue as XSS in markdown-it-decorate w...

CVSS 7.3 · AI score 6.4 · EPSS 0.00234
Exploits 1 · References 1 · Affected Software 1
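The markdown-it-decorate entry above describes the two injection routes a Markdown-to-HTML renderer has to close: attacker-chosen attribute names (event handlers) and attacker-chosen link targets (`javascript:` URLs). The block below is an added example, not markdown-it-decorate's or markdown-it's code: an attribute-name allowlist and a scheme allowlist that normalises the way a browser does (entity decoding, stripping of tab/LF/CR and leading control characters) before looking for a scheme, so the usual obfuscations of `javascript:` are caught. The set contents and function names are assumptions for this example.

```javascript
// Added example (not markdown-it-decorate's code): allowlist checks a
// Markdown renderer applies before emitting attributes and link targets.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);   // assumed policy
const ALLOWED_ATTRS = new Set(['class', 'id', 'title']);     // assumed policy

// Named entities worth handling: the ones used to hide ':' or whitespace.
const NAMED_ENTITIES = {
  lt: '<', gt: '>', amp: '&', quot: '"', apos: "'",
  colon: ':', tab: '\t', newline: '\n',
};

function fromCodePoint(cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\ufffd';
}

// Decode the entity forms attackers use to hide "javascript:" from a naive
// prefix check; the browser decodes them before it parses the URL.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, hex) => fromCodePoint(parseInt(hex, 16)))
    .replace(/&#(\d+);?/g, (_, dec) => fromCodePoint(parseInt(dec, 10)))
    .replace(/&([a-z]+);/gi, (m, name) => NAMED_ENTITIES[name.toLowerCase()] ?? m);
}

// Attribute allowlist: any on* handler, style, src, href, srcdoc and so on
// is refused because it is not on the list, not because it was recognised.
function isSafeAttributeName(name) {
  return ALLOWED_ATTRS.has(name.trim().toLowerCase());
}

// Scheme allowlist. Browsers strip ASCII tab/LF/CR anywhere in the URL and
// leading C0 controls and spaces before they look for a scheme, so the check
// normalises the same way; a target with no scheme is a relative reference.
function isSafeLinkTarget(href) {
  const url = decodeEntities(href)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}
```

The important design choice is that both checks are allowlists. A denylist of `javascript:` spellings or of `on*` attributes has to anticipate every encoding trick; an allowlist only has to describe what the renderer actually needs to emit.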
CNNVD
added 2022/07/25 12:00 a.m. · 1 view

deferred-exec command injection vulnerability

deferred-exec is a tool for running exec commands, by Dan Heberden, an individual developer in the United States. A security vulnerability exists in deferred-exec, which stems from a command injection point in deferred-exec.js...

CVSS 9.8 · AI score 8.4 · EPSS 0.00513
Exploits 1 · References 2
Github Security Blog
added 2022/05/25 12:00 a.m. · 2 views

Duplicate Advisory: Embedded malware in ua-parser-js

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pjwm-rvh2-c87w. This link is maintained to preserve external references. Original Description A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the...

CVSS 8.8 · AI score 5.3 · EPSS 0.00863
Exploits 0 · References 5 · Affected Software 1
OSV
added 2022/03/09 8:15 p.m. · 5 views

CVE-2022-24918

An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all th...

CVSS 4.4 · AI score 5.8
Exploits 0 · References 5