GHSA-CCGF-5RWJ-J3HV TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 (released 2022) are vulnerable to DOM-based Cross-Site Scripting (XSS) through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to `new Function()` without sanitisation, allowing arbitrary...
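The pattern the advisory describes, as an added illustration that is not telejson's source code: a toy deserialiser revives class instances from a constructor-name hint in JSON, first in the unsafe shape (the untrusted name is interpolated into source handed to `new Function()`, which is `eval` in all but name), then hardened so that the name is only ever used as a key into an allowlist and no string is evaluated. The field name `__constructorName__`, the class `Point`, and both inputs are constructed for this example.

```javascript
// Added example, not telejson's code. `__constructorName__` and `Point` are
// assumed names for illustration.

class Point {
  constructor(x, y) { this.x = x; this.y = y; }
  norm() { return Math.hypot(this.x, this.y); }
}

// VULNERABLE: the attacker-controlled string becomes JavaScript source.
// Any expression placed in the constructor name runs with the deserialiser's
// privileges; in a browser that is DOM XSS.
function reviveUnsafe(json) {
  const data = JSON.parse(json);
  const ctor = new Function(`return ${data.__constructorName__}`)();
  return Object.assign(Object.create(ctor.prototype), data.value);
}

// HARDENED: resolve the name through an explicit allowlist of constructors the
// application actually serialises, and never evaluate the string.
const KNOWN_CONSTRUCTORS = new Map([['Point', Point]]);
const IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function reviveSafe(json) {
  const data = JSON.parse(json);
  const name = data.__constructorName__;
  if (typeof name !== 'string' || !IDENTIFIER.test(name)) {
    throw new TypeError('constructor name is not a plain identifier');
  }
  const ctor = KNOWN_CONSTRUCTORS.get(name);
  if (ctor === undefined) {
    throw new TypeError(`constructor "${name}" is not allowlisted`);
  }
  const obj = Object.create(ctor.prototype);
  // Copy own data keys only; skip "__proto__" so a crafted value cannot swap
  // the prototype that was just chosen (JSON.parse creates it as an own key).
  for (const [k, v] of Object.entries(data.value ?? {})) {
    if (k !== '__proto__') obj[k] = v;
  }
  return obj;
}

// Constructed inputs: a benign Point, and a payload whose "constructor name" is
// an expression that performs a side effect before yielding a real constructor.
const BENIGN = JSON.stringify({ __constructorName__: 'Point', value: { x: 3, y: 4 } });
const PAYLOAD = JSON.stringify({
  __constructorName__: '(globalThis.xssMarker = "executed", Object)',
  value: {},
});

// Runs both deserialisers against both inputs and reports what happened.
function demo() {
  delete globalThis.xssMarker;
  reviveUnsafe(PAYLOAD);
  const unsafeRan = globalThis.xssMarker === 'executed';

  delete globalThis.xssMarker;
  let safeRejected = false;
  try { reviveSafe(PAYLOAD); } catch (e) { safeRejected = e instanceof TypeError; }
  const safeRan = globalThis.xssMarker === 'executed';

  const p = reviveSafe(BENIGN);
  return { unsafeRan, safeRejected, safeRan, benignNorm: p.norm(), isPoint: p instanceof Point };
}

console.log(demo());
```

The identifier check alone is not the fix; it only rejects obviously malformed names. The fix is that the string is never turned into code: the allowlist decides which prototypes can be revived, and `Object.create` plus a key copy reconstructs the instance without calling anything the input names.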
geokit-rails Command Injection vulnerability
Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geolocation' cookie. This issue can be exploited remotely via a malicious cookie value. Note: An attacker can use this vulnerability to execute commands on the...
Debian DLA-2032-1 : cacti security update
It was discovered that there was an unsafe deserialisation issue in cacti, a server monitoring system. Unsafe deserialisation of objects can lead to abuse of the application logic, denial of service or even arbitrary code execution. For Debian 8 'Jessie', this issue has been fixed in cacti versi...
WordPress Formidable Form Builder plugin <= 4.02 - Unsafe Deserialisation vulnerability
Unsafe Deserialisation vulnerability discovered in WordPress Formidable Form Builder plugin versions <= 4.02. Solution Update the WordPress Formidable Form Builder plugin to the latest available version, at least 4.02.01...
Formidable < 4.02.01 - Unsafe Deserialisation
The WordPress plugin Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress was affected by an Unsafe Deserialisation security vulnerability...