GHSA-6H5X-7C5M-7CR7 Exposure of Sensitive Information in eventsource
When fetching a URL that redirects to an external site, the user's Cookie and Authorization headers are leaked to the third-party application. According to the same-origin policy, these headers should be "sanitized" (stripped) before the request is re-issued to a different origin...
PT-2022-3410 · Unknown +5 · Eventsource +5
Name of the Vulnerable Software and Affected Versions: eventsource/eventsource versions prior to 2.0.2 Description: The issue is related to insufficient protection of sensitive data, allowing a remote attacker to gain unauthorized access to protected information. This is due to the improper remov...
Cross-site Scripting (XSS)
facturascripts is vulnerable to cross-site scripting. An attacker is able to inject malicious code via model fields, allowing them to steal the user's cookie, perform HTTP requests, read the content of same-origin pages, and so on...
CVE-2021-43206
A server-generated error message containing sensitive information in Fortinet FortiOS 7.0.0 through 7.0.3, 6.4.0 through 6.4.8, 6.2.x, 6.0.x and FortiProxy 7.0.0 through 7.0.1, 2.0.x allows malicious webservers to retrieve a web proxy's client username and IP via same origin HTTP requests...
Cross-site scripting
Reflected cross-site scripting in Create Subaccount in GitHub repository neorazorx/facturascripts prior to 2022.07. This vulnerability allows arbitrary JavaScript to be executed to steal the user's cookie, perform HTTP requests, read the content of same-origin pages, etc...
FacturaScripts Cross-Site Scripting Vulnerability
FacturaScripts is an ERP software. A cross-site scripting vulnerability exists in versions prior to FacturaScripts 2022.07, which can be exploited by attackers to execute arbitrary JavaScript code, steal user cookies, issue HTTP requests, obtain same-origin page content, etc...
GHSA-4FC7-HC63-7FJG Exposure of repository credentials to external third-party sources in Rancher
Impact This issue only happens when the user configures access credentials to a private repository in Rancher inside Apps & Marketplace Repositories. It affects Rancher versions 2.5.0 up to and including 2.5.11 and from 2.6.0 up to and including 2.6.2. An insufficient check of the same-origin...
PT-2022-10549 · Suse · Suse Rancher
Name of the Vulnerable Software and Affected Versions: SUSE Rancher versions prior to 2.5.12 SUSE Rancher versions prior to 2.6.3 Description: The issue allows administrators of third-party repositories to gather credentials sent to their servers due to an incorrect authorization vulnerability...
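The eventsource and Rancher entries above describe the same failure mode: credentials configured for one origin (an Authorization header or Cookie for the stream URL, or repository credentials for a Helm repository) were attached to requests sent to a different origin, either a cross-origin redirect target or a chart URL hosted elsewhere. The JavaScript below is an added example written for this page, not code from the eventsource or Rancher projects, showing the check a client should make before forwarding credential-bearing headers: compare the full origin (scheme, host and port) of the target against the origin the credentials were configured for, and drop the headers when they differ. The header set, function names and sample URLs are assumptions for illustration.

```javascript
// Added example, not eventsource or Rancher code. Headers that carry
// credentials and must never travel to a different origin than the one
// the user configured them for (assumed set; extend as needed).
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie", "proxy-authorization"]);

// True only when scheme, host and port all match. URL.origin normalizes
// default ports, so https://h:443 and https://h compare equal; an https
// to http downgrade on the same host is cross-origin and returns false.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.origin !== "null" && ua.origin === ub.origin;
}

// Return the header set to send to targetUrl. Credential headers are kept
// only when targetUrl has the same origin as configuredUrl; everything
// else (Accept, User-Agent, ...) is forwarded unchanged.
function headersForTarget(configuredUrl, targetUrl, headers) {
  const keepCredentials = sameOrigin(configuredUrl, targetUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keepCredentials && CREDENTIAL_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Walk a redirect chain offline. Each Location value is resolved against
// the previous URL (relative redirects are legal), and the credential
// decision is re-made per hop against the URL the credentials belong to,
// so a chain that leaves the origin and comes back regains them.
function followRedirects(startUrl, headers, locations) {
  let current = startUrl;
  const hops = [];
  for (const location of locations) {
    const next = new URL(location, current).href;
    hops.push({ url: next, headers: headersForTarget(startUrl, next, headers) });
    current = next;
  }
  return hops;
}

// Constructed sample: a bearer token and session cookie for api.example.com,
// and a redirect chain that bounces through a third-party host.
const SAMPLE_HEADERS = {
  Authorization: "Bearer constructed-token",
  Cookie: "sid=constructed",
  Accept: "text/event-stream",
};
const SAMPLE_CHAIN = ["/v2/stream", "https://cdn.example.net/s", "https://api.example.com/final"];

module.exports = { sameOrigin, headersForTarget, followRedirects, SAMPLE_HEADERS, SAMPLE_CHAIN };
```

Run `followRedirects("https://api.example.com/stream", SAMPLE_HEADERS, SAMPLE_CHAIN)` and the middle hop to cdn.example.net carries only the Accept header, while the first and last hops keep the token and cookie. The decision is made against the URL the credentials were configured for rather than the immediately preceding hop, which is what closes the leak described in both entries.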
Mozilla Firefox Security Advisories (MFSA2021-48, MFSA2021-49) - Windows
Mozilla Firefox is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:firefox";...
Remote Code Execution (RCE)
firefox is vulnerable to remote code execution. The vulnerability exists due to a lack of validation of the boundaries of the same-origin policy, allowing an attacker to use an XSL transform to serve a user an XSL document containing maliciously crafted JavaScript...
CVE-2022-22808
A CWE-352: Cross-Site Request Forgery CSRF exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. Affected Product: EcoStruxure EV Charging Expert...
Cross-site request forgery (CSRF)
A CWE-352: Cross-Site Request Forgery CSRF exists that could cause a remote attacker to gain unauthorized access to the product when conducting cross-domain attacks based on same-origin policy or cross-site request forgery protections bypass. Affected Product: EcoStruxure EV Charging Expert...
CVE-2022-22755
By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript within the bounds of the same-origin policy even after the tab was closed. This vulnerability affects Firefox 97...
Schneider Electric EcoStruxure EV Charging Expert Cross-Site Request Forgery Vulnerability
Schneider Electric EcoStruxure EV Charging Expert is an electric vehicle charging infrastructure load management, access management, and supervision solution from Schneider Electric France. Schneider Electric EcoStruxure EV Charging Expert suffers from a cross-site request forgery vulnerability...
AlmaLinux 8 : firefox (ALSA-2021:4123)
The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:4123 advisory. - The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigati...
Rocky Linux 8 : firefox (RLSA-2021:4123)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:4123 advisory. - The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or...