Prototype Pollution

Overview record-like-deep-assign is a Recursively assigns enumerable own properties of the given sources to a target object Affected versions of this package are vulnerable to Prototype Pollution via the main functionality. PoC const deepAssign = require'record-like-deep-assign'; let obj = ;...

Facebook Hermes Input Validation Error Vulnerability

Facebook Hermes is a JavaScript engine from Facebook, Inc. The engine is targeted at React Native applications to improve the performance of mobile client application apps, but is not applicable to server-side infrastructures such as browsers ＆ Node.js. An input validation error vulnerability...

Jira Server and Jira Data Center cross-site scripting vulnerability (CNVD-2021-44762)

Atlassian JIRA Server and Jira Server & Data Center are both products of Atlassian Australia.Atlassian JIRA Server is the server version of a defect tracking management system. The system is mainly used for tracking and managing all kinds of problems and defects in the workplace.Jira Server & Dat...

The vulnerability of the uglify-js library in the Aurora application software involves an uncontrolled resource consumption, allowing attackers to cause service failures.

The vulnerability of the uglify-js library in Aurora application software is related to an uncontrolled resource consumption. Exploiting this vulnerability could allow a malicious actor to deny services through the use of a specially crafted regular expression...

IBM Engineering Test Management Cross-Site Scripting Vulnerability (CNVD-2021-39247)

IBM Engineering Test Management is a collaborative quality management solution that provides end-to-end test planning and test asset management, with broad coverage of all aspects from requirements to defects. A cross-site scripting vulnerability exists in IBM Engineering Test Management version...

GHSA-C94V-8FFF-73PH Command Injection in @theia/messages

In Eclipse Theia versions up to and including 0.16.0, in the notification messages there is no HTML escaping, so Javascript code can run...

IBM Content Navigator Cross-Site Scripting Vulnerability (CNVD-2021-32636)

IBM Content Navigator is a Web client from IBM USA. The product supports searching and processing documents stored in content servers from a Web browser. A cross-site scripting vulnerability exists in IBM Content Navigator version 3.0.CD. An attacker can exploit the vulnerability to embed arbitra...

CVE-2021-24205

In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget includes/widgets/icon-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modifi...

BaserCMS JavaScript Input Improper Neutralization Vulnerability (CNVD-2021-23789)

BaserCMS is an open source enterprise-level content management system cms. A JavaScript Input Improper Neutralization vulnerability exists in the page editing feature in BaserCMS versions prior to 4.4.5. A remote authenticated attacker can exploit this vulnerability to inject arbitrary scripts...

CVE-2021-29009

SEO Panel 4.8.0 is affected by a cross-site scripting (XSS) vulnerability. The issue arises in archive.php via the type parameter, allowing remote attackers to inject JavaScript. Documented impact includes partial integrity and low confidentiality impact with network attack vector and user intera...

The vulnerability of the JavaScript script handler in Google Chrome’s V8 engine allows attackers to access sensitive data, compromise its integrity, and cause service failures.

The vulnerability of the JavaScript script handler in Google Chrome’s V8 engine is related to type mismatches. Exploiting this vulnerability can allow an attacker to gain access to sensitive data, compromise its integrity, and cause service failures...

Sticky Notes Apps Using JavaScript 1.0 Cross Site Scripting Vulnerability

Exploit Title: Sticky Note Apps using JavaScript | Stored Cross Site Scripting Exploit Author: Richard Jones Vendor Homepage: https://www.sourcecodester.com/javascript/14742/sticky-note-apps-using-javascript-source-code.html Software Link:...

Prototype Pollution

Overview set-deep-prop is a Set the value of a deeply nested object or array Affected versions of this package are vulnerable to Prototype Pollution via the main functionality. PoC const setDeepProp = require'set-deep-prop'; setDeepProp,'proto', 'x', 'polluted'; console.log.a; // polluted Details...

Prototype Pollution

Overview tree-kit is a Tree utilities which provides a full-featured extend and object-cloning facility, and various tools to deal with nested object structures. Affected versions of this package are vulnerable to Prototype Pollution via dotPath.set. PoC: const dotPath = require'tree-kit'...

The vulnerability of the JavaScript script handler in Google Chrome’s V8 browser allows a hacker to execute arbitrary code.

The vulnerability of the JavaScript script handler in Google Chrome’s V8 engine is caused by a buffer overflow in the stack. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...

Cross-Site Scripting (XSS)

vrana/adminer is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to unsanitized history parameter allowing an attacker to inject malicious javascript code...

Authentication flaw

An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to extract information from the device without authentication by disabling JavaScript and visiting /info.asp...

Microsoft Edge 安全漏洞

Microsoft Edge is a web browser from the American company Microsoft that comes with systems after Windows 10. A security feature bypass vulnerability exists in Microsoft Edge Chromium, which can be exploited by an attacker who can run code by copying and pasting Microsoft Edge Chromium's Javascri...

Prototype Pollution

Overview rfc6902 is a Complete implementation of RFC6902 patch and diff Affected versions of this package are vulnerable to Prototype Pollution. It may allow attackers to inject or modify the methods and properties of the global object constructor. PoC // poc.js var rfc6902 = require"rfc6902" var...

Prototype Pollution

Overview prototyped.js is a Common typescript ready prototypes available in both es5 and es6 Affected versions of this package are vulnerable to Prototype Pollution. PoC const set = require"prototyped.js/dist/object/set".default; console.log"Prototype before set", .isAdmin; set, "proto.isAdmin",...