CVE-2024-12641

The CVE-2024-12641 entry describes TenderDocTransfer by Chunghwa Telecom as vulnerable to Reflected Cross-site Scripting due to missing CSRF protection on API endpoints. Unauthenticated remote attackers could use specific APIs via phishing to inject and execute arbitrary JavaScript in a user’s br...

CVE-2024-12641 Chunghwa Telecom TenderDocTransfer - Reflected Cross-site Scripting to RCE

TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use...

SUSE-SU-2024:4286-1 Security update for nodejs20

This update for nodejs20 fixes the following issues: - CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency bsc1233856 Other fixes: - Updated to 20.18.1: Experimental Network Inspection Support in Node.js Exposes X509VFLAGPARTIALCHAIN to tls.createSecureContext New...

CVE-2022-25229

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Servers' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the 'webpage' to use 'NodeJs' features, an attacker can leverage this to run OS commands...