6885 matches found

Snyk
added 2020/10/08 7:49 a.m.

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS). When an application is running in development mode, an attacker can send, or embed in another page, a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local...

CVSS 7.7, AI score 5.4, EPSS 0.70717
Exploits 1, References 2
RedhatCVE
added 2020/10/07 9:36 a.m.

CVE-2020-15992

Insufficient policy enforcement in networking in Google Chrome prior to 86.0.4240.75 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page...

CVSS 8.8, AI score 3, EPSS 0.01397
Exploits 1, References 4
RedhatCVE
added 2020/10/07 9:35 a.m.

CVE-2020-15973

Insufficient policy enforcement in extensions in Google Chrome prior to 86.0.4240.75 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension...

CVSS 6.5, AI score 4.5, EPSS 0.01016
Exploits 0, References 4
Veracode
added 2020/09/21 6:38 a.m.

Information Disclosure

chromium-browser is vulnerable to information disclosure. The vulnerability exists in the fetch API of the WebKit component. It allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site...

CVSS 6.5, AI score 4.3, EPSS 0.03137
Exploits 0, References 12, Affected Software 4
Veracode
added 2020/09/21 6:34 a.m.

Information Disclosure

firefox is vulnerable to information disclosure. The vulnerability exists because response header name interning has no same-origin protections and these header names are stored in a global registry, which makes stored header names readable cross-origin. This vulnerability affects Firefox 55...

CVSS 7.5, AI score 2.9, EPSS 0.0081
Exploits 1, References 3, Affected Software 2
Veracode
added 2020/09/21 6:25 a.m.

Information Disclosure

firefox is vulnerable to information disclosure. When a Web Extension holds the <all_urls> permission and performs a fetch request with mode set to same-origin, an attacker is able to read local files...

CVSS 7.5, AI score 1.4, EPSS 0.01429
Exploits 0, References 2, Affected Software 4
Veracode
added 2020/09/21 6:25 a.m.

Policy Violation

thunderbird is vulnerable to policy violation. A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries. This is a same-origin policy violation and could allow...

CVSS 6.5, AI score 3.2, EPSS 0.0105
Exploits 0, References 4, Affected Software 4
OSV
added 2020/08/31 10:48 p.m.

GHSA-6QQJ-RX4W-R3CJ CSRF Vulnerability in jquery-ujs

Versions 1.0.3 and earlier of jquery-ujs are vulnerable to an information leakage attack that may enable attackers to launch CSRF attacks, as it allows attackers to send CSRF tokens to external domains. When an attacker controls the href attribute of an anchor tag, or the action attribute of a fo...

CVSS 6.5, AI score 6.9
Exploits 0, References 4
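
The leak described in the jquery-ujs entry above comes down to one missing decision: whether the target URL is same-origin before the CSRF token is attached. The following is an added example, not jquery-ujs code; the page origin, token value and the two request builders are constructed for illustration. It shows the vulnerable shape next to the hardened one, and the origin test covers the usual evasions (protocol-relative URLs, scheme changes, host suffixes, userinfo tricks, javascript: and unparsable strings).

```javascript
// Added example (not jquery-ujs code). jquery-ujs <= 1.0.3 attached the page's
// CSRF token to any link or form it handled, so an attacker who controlled an
// href or form action received the token on an external domain and could then
// forge same-site requests with it. The rule that closes that hole: attach the
// token only when the target resolves to the page's own origin.

// Hypothetical page origin and token, constructed for this example.
const PAGE_ORIGIN = 'https://app.example';
const CSRF_TOKEN = 'csrf-token-constructed-for-example';

// Vulnerable shape (the behaviour the advisory describes): the token is added
// to every request regardless of where it goes.
function buildRequestVulnerable(targetUrl) {
  return { url: targetUrl, headers: { 'X-CSRF-Token': CSRF_TOKEN } };
}

// Same-origin test. Scheme, host and port must all match. Relative URLs
// resolve against the page origin and therefore count as same-origin;
// protocol-relative (//evil.example), scheme changes (http:), javascript:
// and unparsable strings all fail.
function isSameOrigin(targetUrl, pageOrigin = PAGE_ORIGIN) {
  let target;
  try {
    target = new URL(targetUrl, pageOrigin);
  } catch (e) {
    return false; // not a URL the browser could send to; never attach the token
  }
  return target.origin === new URL(pageOrigin).origin;
}

// Hardened shape: the token travels only to same-origin targets.
function buildRequestHardened(targetUrl) {
  const headers = {};
  if (isSameOrigin(targetUrl)) headers['X-CSRF-Token'] = CSRF_TOKEN;
  return { url: targetUrl, headers };
}

// Walk-through with an attacker-controlled href.
const EVIL = 'https://evil.example/collect';
console.log(buildRequestVulnerable(EVIL).headers);     // token leaks cross-domain
console.log(buildRequestHardened(EVIL).headers);       // {} nothing leaks
console.log(buildRequestHardened('/posts/1').headers); // token attached
```

Comparing `URL.origin` values rather than doing string prefix checks is what makes the host-suffix and userinfo cases fail correctly; a check such as `href.startsWith(location.origin)` would not.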
OSV
added 2020/08/31 10:45 p.m.

GHSA-363H-VJ6Q-3CMJ Rosetta-Flash JSONP Vulnerability in hapi

This description is taken from the pull request provided by Patrick Kettner. Versions 6.1.0 and earlier of hapi are vulnerable to a Rosetta Flash attack, which can be used by attackers to send data across domains and break the browser same-origin policy. Recommendation - Update hapi to version 6.1.1...

CVSS 4.3, AI score 9.2, EPSS 0.23024
Exploits 4, References 14
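
Rosetta Flash works because a JSONP body begins with the attacker-chosen callback name: a callback made entirely of alphanumeric bytes that also form a valid SWF file (starting with the "CWS" magic) was executed by the Flash plugin as if it were hosted on the responding origin, with that origin's cookies, so the attacker could read JSON cross-domain. The block below is an added example, not hapi's code, showing the mitigations commonly applied for this class: a strict callback grammar, a `/**/` prefix so the body can never start with an SWF header, and headers that stop sniffing and embedding. The stand-in callback is constructed and is not a real SWF.

```javascript
// Added example, not hapi's code: a JSONP responder with the mitigations
// commonly applied after Rosetta Flash. The response shape is a plain object
// { status, headers, body } so the logic runs without an HTTP server.

// 1. Conservative callback grammar: dotted JS identifiers only, and short.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function sanitizeCallback(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) return null;
  return CALLBACK_RE.test(name) ? name : null;
}

// Vulnerable shape (what the advisory describes): the body begins with the
// callback verbatim, so a "CWS..." callback yields bytes Flash will parse.
function jsonpBodyNaive(callbackParam, payload) {
  return callbackParam + '(' + JSON.stringify(payload) + ');';
}

// Hardened shape: validate, then prefix "/**/" (an empty JS comment, harmless
// to the caller) so the first bytes can never be an SWF header, and send
// headers that stop content sniffing and inline embedding.
function jsonpResponse(callbackParam, payload) {
  const cb = sanitizeCallback(callbackParam);
  if (cb === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': 'attachment; filename="f.txt"',
    },
    body: '/**/' + cb + '(' + JSON.stringify(payload) + ');',
  };
}

// Constructed stand-in for a Rosetta Flash callback: alphanumeric and starting
// with the SWF magic "CWS". It is NOT a real SWF, only the shape that matters.
const ROSETTA_STYLE_CALLBACK = 'CWSexampleAlphanumericStandIn';

console.log(jsonpBodyNaive(ROSETTA_STYLE_CALLBACK, { user: 'alice' }).slice(0, 3));    // "CWS"
console.log(jsonpResponse(ROSETTA_STYLE_CALLBACK, { user: 'alice' }).body.slice(0, 4)); // "/**/"
```

Note that the identifier grammar alone does not stop the attack: the constructed "CWS..." callback is a perfectly valid identifier and passes `sanitizeCallback`. The prefix is the layer that actually defeats the SWF parse, which is why the grammar check is kept strict but not relied on.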
OPENSUSE Linux
added 2020/08/07 12:00 a.m.

Security update for MozillaFirefox (important)

openSUSE Security Update: Security update for MozillaFirefox Announcement ID: openSUSE-SU-2020:1155-1 Rating: important References: 1174538 Cross-References: CVE-2020-15652 CVE-2020-15653 CVE-2020-15654 CVE-2020-15655 CVE-2020-15656 CVE-2020-15657 CVE-2020-15658 CVE-2020-15659 CVE-2020-6463...

CVSS 9.3, AI score 6.6, EPSS 0.0779
Exploits 6, References 1
NVD
added 2020/08/04 9:15 p.m.

CVE-2020-15135

save-server npm package before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (tokens etc.). The fix introduced in version 1.05 unintentionally breaks uploading, so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...

CVSS 7.6, AI score 6.7, EPSS 0.00722
Exploits 1, References 3
OSV
added 2020/08/04 9:15 p.m.

CVE-2020-15135

save-server npm package before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (tokens etc.). The fix introduced in version 1.05 unintentionally breaks uploading, so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...

CVSS 7.6, AI score 7.5
Exploits 0, References 3
Prion
added 2020/08/04 9:15 p.m.

Cross-site request forgery (CSRF)

save-server npm package before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (tokens etc.). The fix introduced in version 1.05 unintentionally breaks uploading, so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...

CVSS 6.8, AI score 7.5, EPSS 0.00722
Exploits 1, References 3, Affected Software 1
CVE
added 2020/08/04 8:25 p.m.

CVE-2020-15135

The CVE-2020-15135 entry concerns the save-server npm package, where versions before 1.05 are vulnerable to CSRF due to no CSRF mitigation. The issue enables an attacker, via a malicious site, to perform actions like uploading/deleting files, adding redirects, and potentially managing users if the...

CVSS 7.6, AI score 6.9, EPSS 0.00722
Exploits 1, References 3, Affected Software 1
Tenable Nessus
added 2020/08/03 12:00 a.m.

SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2020:2100-1)

This update for MozillaFirefox fixes the following issues : Firefox Extended Support Release 78.1.0 ESR - Fixed: Various stability, functionality, and security fixes bsc1174538 - CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker - CVE-2020-6514: WebRTC data chann...

CVSS 9.3, AI score 7.7, EPSS 0.0779
Exploits 6, References 23
CNVD
added 2020/07/16 12:00 a.m.

Apple Safari Reader Component Logic Flaw Vulnerability

Apple Safari is a web browser from Apple Inc. and is the default browser that comes with the Mac OS X and iOS operating systems. Safari Reader is one of its reader components.... A security vulnerability exists in the Safari Reader component in Apple Safari versions prior to 13.1.2, iOS versions...

CVSS 7.5, AI score 6.5, EPSS 0.01443
Exploits 0, References 1
Tenable Nessus
added 2020/07/08 12:00 a.m.

Microsoft Edge (Chromium) < 80.0.361.66 Insufficient Policy Enforcement

The version of Microsoft Edge (Chromium) installed on the remote Windows host is prior to 80.0.361.66. It is, therefore, affected by an insufficient policy enforcement vulnerability. An unauthenticated, remote attacker can exploit this, via a crafted HTML page, to bypass same-origin policy. Note th...

CVSS 8.8, AI score 7.8, EPSS 0.01294
Exploits 0, References 3
Hacker One
added 2020/06/23 10:02 p.m.

X (Formerly Twitter): Android WebViews in Twitter app are vulnerable to UXSS due to configuration and CVE-2020-6506

Summary: CVSS score: 8.1 / High / CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Embargo notice: Do Not Disclose publicly until https://crbug.com/1083819 is disclosed. Twitter for Android is affected by a UXSS vulnerability due to its configuration of Android WebView and CVE-2020-6506. Vendor...

CVSS 4.3, AI score 8.4, EPSS 0.03819
Exploits 0
RedhatCVE
added 2020/06/23 10:25 a.m.

CVE-2018-18499

A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries. This is a same-origin policy violation and could allow for data theft. This vulnerability affects...

CVSS 6.5, AI score 3.2, EPSS 0.0105
Exploits 0, References 2
CNVD
added 2020/06/22 12:00 a.m.

Unspecified Vulnerability in Mattermost Server

Mattermost Server is an open-source messaging platform from the US company Mattermost. A security vulnerability exists in the WebSocket functionality in Mattermost Server versions prior to 3.6.2, which stems from the program not following the same-origin policy. No details of the...

CVSS 9.8, AI score 6.8, EPSS 0.01239
Exploits 0, References 1
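
The Mattermost entry above gives no details beyond a WebSocket endpoint that did not follow the same-origin policy, so the block below shows the generic control for that bug class rather than anything about Mattermost's own code. It is an added example; the allowlist and handshake function are constructed for illustration. Browsers do not apply the same-origin policy to WebSocket handshakes, they only send an Origin header, so unless the server checks that header any web page can open a socket that rides on the victim's session cookie (cross-site WebSocket hijacking).

```javascript
// Added example, not Mattermost's code: an Origin allowlist for a WebSocket
// handshake. Compare whole origins produced by the URL parser, never
// substrings, so chat.example.evil and evil.example/?x=chat.example fail.

// Hypothetical allowlist for this example.
const ALLOWED_ORIGINS = new Set(['https://chat.example', 'https://chat.example:8443']);

function isAllowedWebSocketOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  // No Origin header means no browser context to trust by origin; a
  // cookie-authenticated socket must not be opened on that basis.
  if (typeof originHeader !== 'string') return false;
  let origin;
  try {
    origin = new URL(originHeader).origin; // normalises case, drops default ports
  } catch (e) {
    return false; // the literal "null", or garbage: treat as cross-site
  }
  if (origin === 'null') return false; // opaque origins: file://, sandboxed iframes
  return allowed.has(origin);
}

// Handshake gate: the HTTP status to answer before upgrading. 101 continues
// the upgrade; 403 refuses it without touching the session.
function websocketHandshakeStatus(headers) {
  return isAllowedWebSocketOrigin(headers.origin) ? 101 : 403;
}

console.log(websocketHandshakeStatus({ origin: 'https://chat.example' }));      // 101
console.log(websocketHandshakeStatus({ origin: 'https://chat.example.evil' })); // 403
```

The Origin check is a browser-side defence only: a non-browser client can send any Origin it likes, so the socket must still require authentication. What the check protects is the browser session, whose cookies the attacker's page cannot read but can cause to be sent.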