3357 matches found
Cross site scripting
A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application...
CVE-2021-29104 There is a stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below.
A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application...
Esri ArcGIS Server Cross-Site Scripting Vulnerability
ArcGIS Server is the back-end server software component of ArcGIS Enterprise. ArcGIS Server Manager is an application that is installed with ArcGIS Server and provides an intuitive and convenient interface for managing the server. A stored cross-site scripting vulnerability exists in ArcGIS Server...
USN-5007-1 libuv1 vulnerability
Eric Sesterhenn discovered that libuv incorrectly handled certain strings. An attacker could possibly use this issue to access sensitive information or cause a crash...
ansible: Template Injection through yaml multi-line strings with ansible facts used in template.
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters...
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
The plugin did not validate its cachingexcludeurls and cachingincludequerystrings settings before outputting them in a PHP file, which could lead to RCE. PoC | Authenticated RCE | Caching Exclude URLs / Cached query strings: POST /wp-admin/admin.php?page=sbp-settings HTTP/2 Host: example.com Cooki...
Advisory ROSA-SA-2021-1962
Software: rpcbind 0.2.0; OS: Cobalt 7.9; CVE-ID: CVE-2017-8779; CVE-Crit: HIGH; CVE-DESC: rpcbind before 0.2.4, LIBTIRPC before 1.0.1 and 1.0.2-rc before 1.0.2-rc3 and NTIRPC before 1.4.3 do not consider the maximum RPC data size during memory allocation for XDR strings, allowing remote attackers to...
SNMP – Simply Not My Problem. Or is it?
TL;DR: Use SNMPv3; long gone are default community strings, hello complex passwords! Remove it from the internet; if required, implement a VPN solution to restrict access to only authorised parties. SNMP is a protocol used for the remote management of devices on a network. By remote, we mean access...
EulerOS Virtualization for ARM 64 3.0.2.0 : samba (EulerOS-SA-2021-2079)
According to the versions of the samba packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an...
shadowbroker
This repository contains a collection of exploits and tools, including the "EARLYSHOVEL" exploit for RedHat 7.0-7.1 Sendmail 8.11.x, the "EBBISLAND EBBSHAVE" exploit for Solaris 6, 7, 8, 9 & 10, and the "ECHOWRECKER" exploit for remote Samba 3.0.x Linux. The repository also includes a payload...
Regular Expression Denial of Service (ReDOS)
In the npm package color-string, there is a ReDoS (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb color strings. Strings reaching more than 5000 characters would see several milliseconds of processing time;...
GHSA-257V-VJ4P-3W2H Regular Expression Denial of Service (ReDOS)
In the npm package color-string, there is a ReDoS (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb color strings. Strings reaching more than 5000 characters would see several milliseconds of processing time;...
Sanitization Bypass
Overview: A type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function...
Cross-Site Scripting (XSS)
striptags is vulnerable to cross-site scripting (XSS). A type-confusion vulnerability occurs when concatenating unsanitized strings when an array-like object is passed in as the html parameter. An attacker who is able to control the shape of their input can abuse this behavior to inject and execute...
CVE-2021-32696
The npm package "striptags" is an implementation of PHP's striptags in TypeScript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attack...
Type confusion
The npm package "striptags" is an implementation of PHP's striptags in TypeScript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attack...
Hardcoded credentials
An issue was discovered on Enphase Envoy R3.x and D4.x devices. There are hardcoded web-panel login passwords for the installer and Enphase accounts. The passwords for these accounts are hardcoded values derived from the MD5 hash of the username and serial number mixed with some static strings. T...