
19 matches found

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2016-6113

Malware in sbrugna...

CVSS 6.5 | AI score 7.9 | EPSS 0.00682
Exploits: 0 | References: 17

Positive Technologies
added 2025/09/03 12:0 a.m. | 3 views

PT-2025-35802

Name of the Vulnerable Software and Affected Versions: Figma Desktop versions 125.6.5

Description: Figma Desktop for Windows version 125.6.5 contains a command injection issue in the local plugin loader. An attacker can execute arbitrary OS commands by setting a crafted build field in the plugin'...

CVSS 8.4 | AI score 8.2 | EPSS 0.00258
Exploits: 3 | References: 7

RedhatCVE
added 2025/05/22 10:57 a.m. | 5 views

CVE-2017-9441

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) authorname parameter in manifest.json. This issue exists ...

CVSS 5.4 | AI score 5.6 | EPSS 0.00185
Exploits: 0 | References: 1

NVD
added 2024/04/04 7:15 p.m. | 6 views

CVE-2024-30252

Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An authenticated request is ...

CVSS 2.6 | AI score 3.5 | EPSS 0.00079
Exploits: 0 | References: 5

CVE
added 2024/04/04 6:57 p.m. | 53 views

CVE-2024-30252

Livemarks up to version 3.7 is affected by a CSRF vulnerability where a malicious site can coerce the extension to perform an authenticated GET to an arbitrary URL via subscribe.js; this is possible because subscribe.html is a web_accessible_resource. The issue can compromise data integrity on pr...

CVSS 2.6 | AI score 3.5 | EPSS 0.00079
Exploits: 0 | References: 5

Vulnrichment
added 2024/04/04 6:57 p.m. | 10 views

CVE-2024-30252 GitHub Security Lab (GHSL) Vulnerability Report, livemarks: `GHSL-2024-015`

Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An authenticated request is ...

CVSS 2.6 | AI score 3.5 | EPSS 0.00079
Exploits: 0 | References: 5

The Hacker News
added 2021/10/26 7:41 a.m. | 26 views

Malicious Firefox Add-ons Block Browser From Downloading Security Updates

Mozilla on Monday disclosed it blocked two malicious Firefox add-ons installed by 455,000 users that were found misusing the Proxy API to impede downloading updates to the browser. The two extensions in question, named Bypass and Bypass XM, "interfered with Firefox in a way that prevented users w...

AI score 1.1
Exploits: 0

The Hacker Blog
added 2018/06/13 6:48 a.m. | 14 views

Kicking the Rims – A Guide for Securely Writing and Auditing Chrome Extensions

A Thin Layer of Chrome Extension Security Prior-Art: Chrome extension security and methodologies for auditing Chrome extensions for vulnerabilities appears to be a topic with shockingly little prior art. Especially when compared to other platforms such as Electron, which have had extension researc...

AI score 6.9
Exploits: 0

The Hacker Blog
added 2018/06/13 6:48 a.m. | 26 views

Kicking the Rims – A Guide for Securely Writing and Auditing Chrome Extensions

Table of Contents: A Thin Layer of Chrome Extension Security Prior-Art; Isolated But Talkative Worlds; A Quick Disclaimer; Home is Where the manifest.json Is - The Basic Extension Layout; The Extension Architecture, Namespace Isolation and the DOM; The Same Origin Policy (SOP) in the Chrome Extension Wor...

AI score 1.5
Exploits: 0

The Hacker Blog
added 2018/05/29 3:31 p.m. | 67 views

ZenMate VPN Browser Extension Deanonymization & Hijacking Vulnerability (3.5 Million Affected Users)

Summary: ZenMate, a VPN provider with over 43 million users, offers multiple browser extensions to use their VPN with. As of the time of this writing the browser extensions have a combined total of 3.5 million users. The ZenMate VPN clients for both Chrome & Firefox trust the previously expired...

AI score 6.2
Exploits: 0

Prion
added 2017/06/05 7:29 p.m. | 14 views

Cross site scripting

DISPUTED: Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) authorname parameter in manifest.json. This issu...

CVSS 3.5 | AI score 5.8 | EPSS 0.00185
Exploits: 0 | References: 1 | Affected Software: 1

NVD
added 2017/06/05 7:29 p.m. | 12 views

CVE-2017-9441

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) authorname parameter in manifest.json. This issue exists ...

CVSS 5.4 | AI score 5.3 | EPSS 0.00185
Exploits: 0 | References: 1

Prion
added 2017/06/05 7:29 p.m. | 6 views

SQL injection

DISPUTED: BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and...

CVSS 6.5 | AI score 7.9 | EPSS 0.00546
Exploits: 1 | References: 1 | Affected Software: 1

NVD
added 2017/06/05 7:29 p.m. | 7 views

CVE-2017-9443

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and...

CVSS 8.8 | AI score 8.7 | EPSS 0.00546
Exploits: 1 | References: 1

Vulnrichment
added 2017/06/05 7:0 p.m. | 9 views

CVE-2017-9443

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and...

AI score 7.9 | EPSS 0.00546
Exploits: 1 | References: 1

Cvelist
added 2017/06/05 7:0 p.m. | 13 views

CVE-2017-9441

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) authorname parameter in manifest.json. This issue exists ...

AI score 5.3 | EPSS 0.00185
Exploits: 0 | References: 1

Cvelist
added 2017/06/05 7:0 p.m. | 13 views

CVE-2017-9443

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and...

AI score 8.7 | EPSS 0.00546
Exploits: 1 | References: 1

UbuntuCve
added 2016/09/11 10:59 a.m. | 17 views

CVE-2016-5160

The AllowCrossRendererResourceLoad function in extensions/browser/urlrequestutil.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which...

CVSS 6.5 | AI score 6.9 | EPSS 0.00682
Exploits: 0 | References: 2

Debian CVE
added 2016/09/11 10:0 a.m. | 29 views

CVE-2016-5160

Removed by vendor...

CVSS 6.5 | AI score 8.1 | EPSS 0.00682
Exploits: 0