Microsoft Xamarin.Forms Spoofing Vulnerability

Microsoft Windows is a series of operating systems released by the American company Microsoft. A spoofing vulnerability exists in Microsoft Xamarin.Forms. The vulnerability stems from a default setting in Android WebView versions prior to 83.0.4103.106. An attacker can exploit the vulnerability t...

CVE-2020-9860

A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...

CVE-2020-9860

A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...

Input validation

A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...

CVE-2020-9860

A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...

APSB20-60 Security updates available for Marketo

Marketo has released an update for the Marketo Sales Insight package for Salesforce. This update addresses an important vulnerability. Successful exploitation could lead to arbitrary JavaScript execution in the browser...

CS Money: Blind XSS on image upload

Summary: - The CSRF vulnerability make a request for support.cs.money/uploadfile; This uploadfile does not have csrf token/ origin/ reference verification! - The XSS allows to execute JS. The payload of the XSS stay in the param 'filename' of the CSRF request. Steps To Reproduce: XSS - use a prox...

Oracle Linux 7 : thunderbird (ELSA-2020-4163)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-4163 advisory. 78.3.1-1.0.1 - Replaced thunderbird-redhat-default-prefs.js with thunderbird-oracle-default-prefs.js 78.3.1-1 - Update to 78.3.1 build1 78.3.0-3 - Upda...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS. When an application is running in development mode, and attacker can send or embed in another page a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local...

Oracle Linux 8 : thunderbird (ELSA-2020-4155)

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2020-4155 advisory. 78.3.1-1.0.1 - Update to 68.12.0 build1 78.3.1-1 - Update to 78.3.1 build1 78.3.0-3 - Update to 78.3.0 build1 - Remove librdp.so as long as we cannot...

CVE-2020-15676

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox 81, Thunderbird 78.3, and Firefox ESR 78.3...

Design/Logic Flaw

Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element. This vulnerability affects Firefox 81, Thunderbird 78.3, and Firefox ESR 78.3...

CVE-2020-25830

An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...

CVE-2020-25830

An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...

Design/Logic Flaw

An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of...

CVE-2020-25830

An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...

Design/Logic Flaw

An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...

CVE-2020-25830

An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...

CVE-2020-25288

CVE-2020-25288 affects MantisBT before 2.24.3. When editing an issue in a project with a Custom Field using a crafted Regular Expression, improper escaping of the input’s pattern attribute can cause HTML injection and, if CSP allows, execution of arbitrary JavaScript. Impact is HTML injection/XSS...

CVE-2020-25288

An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of...