9 matches found
Files or Directories Accessible to External Parties
Overview repomix is an A tool to pack repository contents to single file for AI consumption Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the remote repository URL validation in src/core/git/gitRemoteParse.ts and the public website pac...
Unsafe Dependency Resolution
Overview electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the handling of protocol URLs or command-line options. An attacker can execute arbitrary local code by enticing a user to click a...
CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization
Summary The fix for CVE-2025-35939 in craftcms/cms introduced a striptags call in src/web/User.php to sanitize return URLs before they are stored in the session. However, striptags only removes HTML tags angle brackets -- it does not inspect or filter URL schemes. Payloads like...
EUVD-2023-33082
Malicious code in bioql PyPI...
cobalt 跨站脚本漏洞
cobalt is an imput open source media downloader. A cross-site scripting vulnerability exists in cobalt that stems from the fact that a malicious instance of cobalt may provide links using the javascript protocol, which can lead to cross-site scripting XSS when a user attempts to download items fr...
CVE-2023-29540
Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
Code injection
Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
CVE-2023-29540
Using a redirect embedded into sourceMappingUrls could allow for navigation to external protocol links in sandboxed iframes without allow-top-navigation-to-custom-protocols. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
File: protocol links downloaded to SD card by default — Mozilla
Security researcher Roee Hay reported that a hyperlink using the file: protocol on Firefox for Android could link to a local file in the Firefox profile directory. If a user selected this link on their device, the linked file would be copied to the SD card without prompting. This SD card location...