24 matches found
Denial-of-Service attack in pyLoad CNL Blueprint using dukpy.evaljs
Dear Maintainers, I am writing to you on behalf of the Tencent AI Sec. We have identified a potential vulnerability in one of your products and would like to report it to you for further investigation and mitigation. Summary The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of...
CVE-2025-54782
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...
CVE-2025-54782 @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...
Arbitrary Code Injection
pyLoad-ng is vulnerable to Arbitrary Code Injection. The vulnerability is due to unsafe JavaScript evaluation caused by insecure CAPTCHA processing logic that allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially on the backend server...
CVE-2022-32269
In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core. This leads to arbitrary code execution...
CVE-2022-42449 HCL Domino Volt is affected by an unrestricted upload of a dangerous file type
Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...
CVE-2022-27562 HCL Domino Volt is affected by an unrestricted upload of a dangerous file type
Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications...
PT-2025-18330 · Hcl · Hcl Domino Volt
Name of the Vulnerable Software and Affected Versions: HCL Domino Volt affected versions not specified Description: The issue concerns an unsafe default file type filter policy that allows the upload of .html files and the execution of unsafe JavaScript in deployed applications. This could...
CVE-2022-44760
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications...
CVE-2022-44760 HCL Leap is affected by an unrestricted upload of file with dangerous type vulnerability
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications...
CVE-2022-44760 HCL Leap is affected by an unrestricted upload of file with dangerous type vulnerability
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications...
Cross-site Scripting (XSS)
Vega is vulnerable to Cross-site Scripting XSS. The vulnerability is due to unsafe evaluation of JavaScript code due to the lack of an expression interpreter when processing Vega/Vega-lite JSON definitions...
K000150762: jsoup vulnerabilities CVE-2015-6748, CVE-2021-37714, and CVE-2022-36033
Security Advisory Description CVE-2015-6748 Cross-site scripting XSS vulnerability in jsoup before 1.8.3. CVE-2021-37714 jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run ...
DEBIAN-CVE-2025-26619
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In vega 5.30.0 and lower and in vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be...
PT-2022-4449 · Jsoup +3 · Jsoup +3
Name of the Vulnerable Software and Affected Versions: jsoup versions prior to 1.15.3 Description: The issue is related to the incorrect sanitization of HTML including javascript: URL expressions, which could allow cross-site scripting XSS attacks when a reader subsequently clicks that link. If t...
PT-2022-23955 · Foxit · Foxit Pdf Editor
Name of the Vulnerable Software and Affected Versions: Foxit PDF Editor version 11.1.1.53537 Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a malicious file. Th...
CVE-2022-32269
In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core. This leads to arbitrary code execution...
CVE-2022-32269
In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core. This leads to arbitrary code execution...
CVE-2022-32269
In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core. This leads to arbitrary code execution...
CVE-2022-30970
Jenkins Autocomplete Parameter Plugin 1.1 and earlier references Dropdown Autocomplete parameter and Auto Complete String parameter names in an unsafe manner from Javascript embedded in view definitions, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with...