
27 matches found

Github Security Blog
added 5 days ago, 16 views

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Summary: Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause...

AI score: 6
Exploits: 0 · References: 4 · Affected Software: 1
RedHat Linux
added 2026/05/26 5:09 a.m., 7 views

dnsmasq: dnsmasq: heap buffer overflow in cache via NAME_ESCAPE expansion

A heap buffer overflow was discovered in dnsmasq's DNS cache. When processing DNS responses, dnsmasq expands certain characters into longer escape sequences, but the cache buffer is not sized to hold the expanded result. A specially crafted DNS response can overflow this buffer, potentially...

CVSS: 7.3 · AI score: 6 · EPSS: 0.00076
Exploits: 1 · References: 4
CNNVD
added 2026/05/05 12:00 a.m., 8 views

Traccar Security Vulnerability

Traccar is a Java-based website building system provided by the American company Traccar. This software supports over 170 GPS protocols and over 1500 types of GPS tracking devices. Traccar can be used alongside any major SQL database systems. It also offers a user-friendly REST API. There were...

CVSS: 5.4 · AI score: 5.8 · EPSS: 0.00049
Exploits: 1 · References: 2
CNNVD
added 2026/03/23 12:00 a.m., 2 views

Mantis Bug Tracker Cross-Site Scripting Vulnerability

Mantis Bug Tracker (MantisBT) is an open-source bug tracker developed by the Mantis Bug Tracker project. Version 2.28.0 of Mantis Bug Tracker contains a cross-site scripting vulnerability. This vulnerability arises from improper escaping of the tag name when deleting tags, which may lead to cross-site scripting attacks...

CVSS: 8.6 · AI score: 5.6 · EPSS: 0.00049
Exploits: 0 · References: 3
CNNVD
added 2026/02/24 12:00 a.m., 4 views

NiceGUI Cross-Site Scripting Vulnerability

NiceGUI is an easy-to-use, Python-based UI framework developed under an open source license. Versions of NiceGUI prior to 3.8.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of eval in multiple client APIs and incorrect escaping of method names, which...

CVSS: 6.1 · AI score: 6 · EPSS: 0.00047
Exploits: 0 · References: 2
Tenable Nessus
added 2026/01/14 12:00 a.m., 5 views

MiracleLinux 4 : bind-dyndb-ldap-1.1.0-0.9.b1.0.2.AXS4 (AXSA:2012-800:03)

The remote MiracleLinux 4 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2012-800:03 advisory. This package provides an LDAP back-end plug-in for BIND. It features support for dynamic updates and internal caching, to lift the load off of your LDAP serve...

CVSS: 4.3 · AI score: 6.6 · EPSS: 0.01019
Exploits: 0 · References: 2
Veracode
added 2025/10/28 4:42 p.m., 4 views

Cross-site Scripting (XSS)

io.vertx:vertx-web is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper escaping of file and directory names in generated HTML when directory listing is enabled, which allows an attacker to craft malicious filenames that execute arbitrary scripts in the browser of users...

CVSS: 6.4 · AI score: 6.6 · EPSS: 0.00027
Exploits: 1 · References: 4 · Affected Software: 1
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-3686

Malicious code in bioql PyPI...

CVSS: 5.4 · AI score: 5.6 · EPSS: 0.00233
Exploits: 0 · References: 4
CNNVD
added 2025/08/22 12:00 a.m., 2 views

Apache Log4cxx Security Vulnerability

Apache Log4cxx is a C++ logging framework from the Apache Software Foundation, patterned on Apache log4j. A cross-site scripting vulnerability exists in Apache Log4cxx versions prior to 1.5.0, which stems from HTMLLayout not properly escaping logger names, and can be exploited by an...

CVSS: 5.4 · AI score: 6.2 · EPSS: 0.00581
Exploits: 0 · References: 5
CNNVD
added 2024/05/03 12:00 a.m., 6 views

WordPress Cross-Site Scripting Vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation. The platform supports personal blog sites on servers running PHP and MySQL. A cross-site scripting vulnerability exists in WordPress Core 6.5.2 and earlier versions, which stems from insufficient...

CVSS: 7.2 · AI score: 6.2 · EPSS: 0.90583
Exploits: 4 · References: 7
Positive Technologies
added 2024/03/06 12:00 a.m., 3 views

PT-2024-22302 · Jenkins · Jenkins Build Monitor View Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Build Monitor View Plugin versions 1.14-860.vd06ef2568b 3f and earlier
Description: The issue results from the failure to escape Build Monitor View names, leading to a stored cross-site scripting (XSS) vulnerability. This vulnerability...

CVSS: 5.4 · AI score: 5.2 · EPSS: 0.38903
Exploits: 0 · References: 8
Positive Technologies
added 2023/07/17 12:00 a.m., 5 views

PT-2023-16270 · WordPress · Nex-Forms

Name of the Vulnerable Software and Affected Versions: NEX-Forms WordPress plugin versions prior to 8.4.4
Description: The issue is related to Stored Cross-Site Scripting, which could be caused by the lack of proper escaping of the form name. This could potentially be exploited by users with acce...

CVSS: 5.4 · AI score: 6 · EPSS: 0.00117
Exploits: 1 · References: 3
ATTACKERKB
added 2023/06/09 6:15 a.m., 1 view

CVE-2023-1403

The Weaver Xtreme Theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary...

CVSS: 6.4 · AI score: 6.1 · EPSS: 0.00121
Exploits: 2 · References: 3
OSV
added 2023/06/09 6:15 a.m., 2 views

CVE-2023-1404

The Weaver Show Posts Plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitra...

CVSS: 5.4 · AI score: 7.4 · EPSS: 0.00121
Exploits: 2 · References: 2
OSV
added 2023/04/02 9:15 p.m., 2 views

CVE-2023-28669

Jenkins JaCoCo Plugin 3.3.2 and earlier does not escape class and method names shown on the UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control input files for the 'Record JaCoCo coverage report' post-build action...

CVSS: 5.4 · AI score: 6
Exploits: 0 · References: 1
OSV
added 2022/11/15 8:15 p.m., 10 views

CVE-2022-45401

Jenkins Associated Files Plugin 0.2.1 and earlier does not escape names of associated files, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission...

CVSS: 5.4 · AI score: 5.7 · EPSS: 0.10368
Exploits: 0 · References: 2
Snyk
added 2022/10/18 12:00 a.m., 1 view

Cross-site Scripting (XSS)

Overview: johnpbloch/wordpress-core is web software you can use to create a website or blog. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient escaping of the Blog Name value. An attacker can manipulate the output and execute arbitrary JavaScript by...

CVSS: 5.5 · AI score: 5.4
Exploits: 0 · References: 2
CNNVD
added 2022/08/04 12:00 a.m., 1 view

Apache Hadoop OS Command Injection Vulnerability

Apache Hadoop is an open-source distributed computing framework from the Apache Foundation. The product is capable of distributed processing of large amounts of data and is highly reliable, scalable, and fault-tolerant. Apache Hadoop has a security vulnerability that stems from its...

CVSS: 9.8 · AI score: 5.8 · EPSS: 0.03008
Exploits: 0 · References: 4
ATTACKERKB
added 2022/04/13 2:15 p.m., 3 views

CVE-2022-26144

An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code if CSP allows it in managepluginpage.php and managepluginuninstall.php when a crafted plugin is installed...

CVSS: 6.1 · AI score: 6.2 · EPSS: 0.00522
Exploits: 0 · References: 2
CNNVD
added 2022/04/13 12:00 a.m., 1 view

MantisBT Cross-Site Scripting Vulnerability

MantisBT is a web-based open-source defect tracking system from the MantisBT team. The system provides project management and defect tracking services through a web interface. A security vulnerability exists in MantisBT versions prior to 2.25.3, which stems from improper escaping of...

CVSS: 6.1 · AI score: 6.5 · EPSS: 0.00522
Exploits: 0 · References: 2