Arbitrary Code Injection
Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the VectorImage component when a user is tricked into loading a specially crafted SVG file. An attacker can execute arbitrary QML or JavaScript code by embedding malicious payloads within the SVG, potentiall...
Cross-site Scripting (XSS)
Overview: TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when loading SVG files via object or embed elements. Workaround: This vulnerability can be avoided by simulating the functionality of the...
UBUNTU-CVE-2022-44729
Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik: 1.16. On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even...
SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2016:3223-1)
MozillaFirefox 45 ESR was updated to 45.6 to fix the following issues: - MFSA 2016-95/CVE-2016-9897: Memory corruption in libGLES - MFSA 2016-95/CVE-2016-9901: Data from Pocket server improperly sanitized before execution - MFSA 2016-95/CVE-2016-9898: Use-after-free in Editor while manipulating...
Updated librsvg and gtk+3.0 packages fix security vulnerability
librsvg before version 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference (CVE-2013-1881). gtk+3.0 has been patched to cope with the changes in SVG loading due to the fix in librsvg...
Design/Logic Flaw
Google Chrome before 23.0.1271.64 does not properly restrict the loading of an SVG subresource in the context of an IMG element, which has unspecified impact and remote attack vectors...