CVE-2020-28459

CVE-2020-28459 affects all versions of the package markdown-it-decorate. The vulnerability allows an attacker to inject event handlers or use javascript: URLs in links, enabling potential cross-site scripting (XSS). Public documents consistently describe the issue as XSS in markdown-it-decorate w...

deferred-exec 命令注入漏洞

deferred-exec is a tool for running exec commands by Dan Heberden, an individual developer in the United States. A security vulnerability exists in deferred-exec, which stems from a command injection attack injection point in deferred-exec.js...

Duplicate Advisory: Embedded malware in ua-parser-js

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pjwm-rvh2-c87w. This link is maintained to preserve external references. Original Description A vulnerability was found in ua-parser-js 0.7.29/0.8.0/1.0.0. It has been rated as critical. This issue affects the...

CVE-2022-24918

An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all th...

CVE-2021-22811

A CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability exists that could cause script execution when the request of a privileged account accessing the vulnerable web page is intercepted. Affected Products: 1-Phase Uninterruptible Power Supply UP...

Cesanta MJS Denial of Service Vulnerability (CNVD-2022-09557)

Cesanta MJS is an embedded JavaScript engine for C/C from Cesanta Ireland. cesanta MJS denial of service vulnerability can be exploited by attackers to cause a denial of service...

Sandbox Bypass

Overview realms-shim is a shim implementation of the Realm API Proposal. Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. PoC javascript import Realm from 'realms-shim' let realm = Realm.makeRootRealm; realm.evaluate function test try tes...

Cross-site scripting (XSS) from image block content in the site frontend

Impact Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters against cross-site scripting XSS attacks. Cross-site scripting XSS is a type of...

CVE-2021-21796

An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code...

PT-2021-4690 · Foxit · Foxit Pdf Reader +2

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader versions prior to 11.1 Foxit PDF Editor versions prior to 11.1 Foxit PhantomPDF versions prior to 10.1.6 Description: The issue is related to the mishandling of JavaScript, allowing attackers to trigger a use-after-free and...

PT-2021-4406 · Foxit · Foxit Pdf Reader +2

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader versions prior to 11.1 Foxit PDF Editor versions prior to 11.1 Foxit PhantomPDF versions prior to 10.1.6 Description: The issue is related to the mishandling of JavaScript, allowing attackers to trigger a use-after-free and...

The vulnerability of JavaScript script handlers in Google Chrome and Microsoft Edge browsers allows attackers to trigger a service failure.

The vulnerability of JavaScript script handlers in Google Chrome and Microsoft Edge browsers is related to operations that go beyond buffer boundaries in memory. Exploiting this vulnerability can allow a malicious actor to cause service failures remotely...

CVE-2021-40711

Adobe Experience Manager version 6.5.9.0 and earlier is affected by a stored XSS vulnerability when creating Content Fragments. An authenticated attacker can send a malformed POST request to achieve arbitrary code execution. Malicious JavaScript may be executed in a victim’s browser when they...

Sandbox Bypass

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the host machine. PoC const VM = require"vm2...

PT-2021-14783 · Nitro · Nitro Pro Pdf

Name of the Vulnerable Software and Affected Versions: Nitro Pro PDF affected versions not specified Description: An exploitable return of stack variable address vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a stack variable to go o...

Nitro Software Nitro Pro 安全漏洞

Nitro Software Nitro Pro is a U.S. Nitro Software PDF document editor software. The software supports PDF document editing, PDF document format conversion and PDF document encryption and other functions. A security vulnerability exists in the JavaScript implementation of Nitro Software Nitro Pro,...

Chrome JS WasmJs::InstallConditionalFeatures Object Corruption

Chrome: JS object corruption in WasmJs::InstallConditionalFeatures VULNERABILITY DETAILS void WasmJs::InstallConditionalFeaturesIsolate isolate, Handle context // Exception handling may have been enabled by an origin trial. If so, make // sure that the WebAssembly.Exception constructor is set up...

Foxit PDF Reader 资源管理错误漏洞

Foxit PDF Reader is a PDF reader. Foxit PDF Reader handles Javascript security vulnerabilities, which can be exploited by attackers to execute arbitrary code...

Foxit Reader 资源管理错误漏洞

Foxit PDF Reader is a PDF reader. Foxit PDF Reader handles Javascript with a security vulnerability that can be exploited by attackers to execute arbitrary code...

nodejs 缓冲区错误漏洞

nodejs is a JavaScript runtime environment based on the ChromeV8 engine by wrapping the Chromev8 engine and the use of event-driven and non-blocking IO applications to make the development of high-performance Javascript background applications possible. A buffer error vulnerability exists in...