Lucene search
+L

344 matches found

cvelist
cvelist
added 2025/04/01 12:28 p.m.21 views

CVE-2025-3029 URL Bar Spoofing via non-BMP Unicode characters

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9...

0.00325EPSS
Exploits0References5
debiancve
debiancve
added 2025/04/01 12:28 p.m.11 views

CVE-2025-3029

A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9...

7.3CVSS6.6AI score0.00325EPSS
Exploits0
freebsd
freebsd
added 2025/04/01 12:0 a.m.9 views

Mozilla -- URL spoofing attack

[email protected] reports: A crafted URL containing specific Unicode characters could have hidden the true origin of the page, resulting in a potential spoofing attack...

7.3CVSS7.2AI score0.00325EPSS
Exploits0References1
osv
osv
added 2025/02/12 7:45 p.m.61 views

GHSA-HCRG-FC28-FCG5 parse-duration has a Regex Denial of Service that results in event loop delay and out of memory

Summary This report finds 2 availability issues due to the regex used in the parse-duration npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB...

7.5CVSS7.4AI score0.00746EPSS
Exploits0References5
nvd
nvd
added 2025/02/12 7:15 p.m.47 views

CVE-2025-25283

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from...

7.5CVSS0.00746EPSS
Exploits0References3
cve
cve
added 2025/02/12 6:21 p.m.100 views

CVE-2025-25283

CVE-2025-25283 concerns parse-duration (node package). Versions prior to 2.1.3 are vulnerable to event-loop delay due to CPU-bound duration resolution and may cause an out-of-memory crash with large Unicode-containing inputs. A patch is available in 2.1.3; remediation is to upgrade to that versio...

7.5CVSS7.4AI score0.00746EPSS
Exploits0References3
hackerone
hackerone
added 2025/01/04 8:40 a.m.723 views

Doppler: WAF bypass and java script incomplete handling of Unicode characters might leads to dom-xss

hello, WAF : doppler uses cloudfare firewall to prevent unwanted malicous injections "https://share.doppler.com/ext/jquery/dist/jquery.min.js?c=%22%3Cscript%3Ealert%27XSS%27%3C/script%3E%22" by accessing the endpoint you'll get to know that! But I found that this code ""%0D%0A%0D%0A" bypass the...

7AI score
Exploits0
redhatcve
redhatcve
added 2024/11/05 10:1 p.m.15 views

CVE-2024-47611

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows MinGW-w64 or MSVC, the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters for exampl...

5.3CVSS7.3AI score0.00756EPSS
Exploits0References5
osv
osv
added 2024/10/02 2:16 p.m.12 views

CVE-2024-47611 XZ Utils on Microsoft Windows platform are vulnerable to argument injection

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows MinGW-w64 or MSVC, the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters for exampl...

6.3CVSS6AI score0.00756EPSS
Exploits0References4
schneier
schneier
added 2024/09/27 11:1 a.m.10 views

NIST Recommends Some Common-Sense Password Rules

NIST's second draft of its "SP 800-63-4"--its digital identify guidelines--finally contains some really good rules about passwords: The following requirements apply to passwords: 1. lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require...

7.9AI score
Exploits0
nvd
nvd
added 2024/09/10 4:15 p.m.34 views

CVE-2024-45412

Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial o...

7.5CVSS0.0078EPSS
Exploits1References3
debian
debian
added 2024/08/26 3:55 p.m.61 views

[SECURITY] [DLA 3856-1] python-html-sanitizer security update

------------------------------------------------------------------------- Debian LTS Advisory DLA-3856-1 [email protected] https://www.debian.org/lts/security/ Chris Lamb August 26, 2024 https://wiki.debian.org/LTS -...

6.1CVSS6.5AI score0.00551EPSS
Exploits0
osv
osv
added 2024/08/08 7:17 a.m.18 views

BIT-DJANGO-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...

7.5CVSS7.3AI score0.00946EPSS
Exploits0References5
redhatcve
redhatcve
added 2024/08/07 4:9 p.m.23 views

CVE-2024-41991

A flaw was found in Django. 'urlize', 'urlizetrunc', and 'AdminURLFieldWidget' may be subject to a denial of service attack via certain inputs with a very large number of Unicode characters. Mitigation Mitigation for this issue is either not available or the currently available options do not mee...

7.5CVSS7.5AI score0.00946EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2024/08/07 12:0 a.m.17 views

CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...

6.7AI score0.00946EPSS
Exploits0References3
osv
osv
added 2024/08/07 12:0 a.m.15 views

CVE-2024-41991

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize and urlizetrunc template filters, and the AdminURLFieldWidget widget, are subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters...

7.5CVSS6.5AI score0.00946EPSS
Exploits0References6
mskb
mskb
added 2024/08/06 12:0 a.m.9 views

August 6, 2024, update for Access 2016 (KB5002589)

None None...

6.1AI score
Exploits0
ubuntucve
ubuntucve
added 2024/05/06 3:15 p.m.32 views

CVE-2024-34078

html-sanitizer is an allowlist-based HTML cleaner. If using keeptypographicwhitespace=False which is the default, the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...

6.1CVSS6.2AI score0.00551EPSS
Exploits0References4
redhat
redhat
added 2024/04/23 5:18 p.m.5 views

python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``

An uncontrolled resource consumption vulnerability was found in Django. Feeding certain inputs with a very large number of Unicode characters to the URI to IRI encoder function can lead to a denial of service...

7.5CVSS7.1AI score0.01273EPSS
Exploits0References5
nvd
nvd
added 2024/04/19 3:15 p.m.24 views

CVE-2024-32038

Wazuh is a free and open source platform used for threat prevention, detection, and response. There is a buffer overflow hazard in wazuh-analysisd when handling Unicode characters from Windows Eventchannel messages. It impacts Wazuh Manager 3.8.0 and above. This vulnerability is fixed in Wazuh...

9.8CVSS9.7AI score0.01047EPSS
Exploits0References1
Rows per page
Query Builder