25 matches found
Cockpit CMS 跨站脚本漏洞
Cockpit CMS is an open-source headless content management system developed by Cockpit. Versions of Cockpit CMS 2.14.0 and earlier had a cross-site scripting vulnerability. This vulnerability stemmed from the use of the $interpolate function in template strings within the Display template options,...
CLSA-2026-1771855894 python-virtualenv: Fix of CVE-2024-53899
CVE-2024-53899: Quote template strings in activation scripts...
CLSA-2026-1771855453 python-virtualenv: Fix of CVE-2024-53899
CVE-2024-53899: Quote template strings in activation scripts...
CVE-2025-23026
jte Java Template Engine is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with script tags or script attributes that include a Javascript template string backticks are subject to XSS. The javaScriptBlock and javaScriptAttribute methods in th...
VulnCheck KEV: CVE-2025-47916
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller file: /applications/core/modules/front/system/themeeditor.php, where a protected method named customCss can be invoked by...
Invision Community 安全漏洞
Invision Community is a software for designing and developing mobile application UI from Invision USA. A security vulnerability exists in Invision Community versions prior to 5.0.0 through 5.0.7, which stems from improper handling of template strings and could lead to remote code execution...
CVE-2025-47916
Invision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller file: /applications/core/modules/front/system/themeeditor.php, where a protected method named customCss can be invoked by...
CVE-2025-47916
Invision Community 5.0.0–5.0.6 (and up to 5.0.7 fixed) contains an unauthenticated RCE in the themeeditor.php controller, via the customCss() method. The content parameter is passed to Theme::makeProcessFunction(), allowing the template engine to evaluate crafted template expressions, enabling ar...
CVE-2025-23026 HTML templates containing Javascript template strings are subject to XSS in jte
jte Java Template Engine is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with script tags or script attributes that include a Javascript template string backticks are subject to XSS. The javaScriptBlock and javaScriptAttribute methods in th...
CVE-2025-23026 HTML templates containing Javascript template strings are subject to XSS in jte
jte Java Template Engine is a secure and lightweight template engine for Java and Kotlin. In affected versions Jte HTML templates with script tags or script attributes that include a Javascript template string backticks are subject to XSS. The javaScriptBlock and javaScriptAttribute methods in th...
CVE-2025-23026
Summary: CVE-2025-23026 affects jte (Java Template Engine)
GHSA-VH22-6C6H-RM8Q jte's HTML templates containing Javascript template strings are subject to XSS
Summary Jte HTML templates with script tags or script attributes that include a Javascript template string backticks are subject to XSS. Details The javaScriptBlock and javaScriptAttribute methods in the Escape class source do not escape backticks, which are used for Javascript template strings...
jte's HTML templates containing Javascript template strings are subject to XSS
Summary Jte HTML templates with script tags or script attributes that include a Javascript template string backticks are subject to XSS. Details The javaScriptBlock and javaScriptAttribute methods in the Escape class source do not escape backticks, which are used for Javascript template strings...
CVE-2024-53899
...
virtualenv: potential command injection via virtual environment activation scripts
A flaw was found in the virtualenv Python package. Due to the improper handling of quotes in magic template strings, the virtual environment activation script is vulnerable to OS command injection,leading to the loss of confidentiality,integrity and availability of the system...
virtualenv: potential command injection via virtual environment activation scripts
A flaw was found in the virtualenv Python package. Due to the improper handling of quotes in magic template strings, the virtual environment activation script is vulnerable to OS command injection,leading to the loss of confidentiality,integrity and availability of the system...
Fedora 41 : python3.9 (2024-47e4624c89)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-47e4624c89 advisory. Python 3.9.21 security release. Security content in this release -------------------------------- - gh-122792: Changed IPv4-mapped ipaddress.IPv6Address to...
GHSA-RQC4-2HC7-8C8V virtualenv allows command injection through activation scripts for a virtual environment
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287...
PYSEC-2024-187
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287...
PYSEC-2024-187
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287...