5 matches found
Astro 跨站脚本漏洞
Astro is an Astro open source web framework for content-driven websites. A cross-site scripting vulnerability exists in Astro versions prior to 5.15.9, which stems from an image optimization endpoint that unconditionally allows data protocol URLs, potentially leading to cross-site scripting attac...
Valve: code injection, steam chat client
The steam chat client allows oEmbed, apparently based on a whitelist. One of the whitelisted oEmbedis codepen. When a codepen is created, it can be sent as a link to another steam user, and the code inside the codepen will execute within the privileged Steam Chat context. You can send these codep...
Fedora 19 : icedtea-web-1.4.2-0.fc19 (2014-2071)
New in release 1.4.2 2014-02-05 : - Dialogs center on screen before becoming visible - Support for u45 new manifest attributes Application-Name - Custom applet permission policies panel in itweb-settings control panel - Plugin - PR1271: icedtea-web does not handle 'javascript:'-protocol URLs -...
Information disclosure
A component in Microsoft Outlook Express 6 and Windows Mail in Windows Vista does not properly handle certain HTTP headers when processing MHTML protocol URLs, which allows remote attackers to obtain sensitive information from other Internet Explorer domains, aka "URL Parsing Cross Domain...
DEBIAN-CVE-2004-0413
libsvnrasvn in Subversion 1.0.4 trusts the length field of 1 svn://, 2 svn+ssh://, and 3 other svn protocol URL strings, which allows remote attackers to cause a denial of service memory consumption and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer...