GHSA-84HM-WFH8-C5PG sse-channel: SSE Injection via unsanitized event fields

Impact Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. - Event Spoofing: Attacker can inject arbitrary SSE events into the stream - Client-side...

EUVD-2020-20636

Malware in sbrugna...

EUVD-2024-32546

Malicious code in bioql PyPI...

EUVD-2021-8985

Malicious code in bioql PyPI...

EUVD-2021-8984

Malicious code in bioql PyPI...

ROS-20250710-08

A vulnerability in the OpenWire command handler of the Apache ActiveMQ software platform is related to a lack of control over user input. control over user input. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service by sending specially crafted...

PT-2025-24123 · Unknown · Post Author

Name of the Vulnerable Software and Affected Versions: Post Author versions n/a through 1.1.1 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, and also...

BIT-NODE-MIN-2022-21824

Due to the formatting logic of the "console.table" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "proto". The prototype pollution has...

CVE-2024-3980

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application...

CVE-2024-3980

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application...

CVE-2024-3980

The MicroSCADA Pro/X SYS600 product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application...

Deserialization Of Untrusted Data

manager-pojo is vulnerable to Deserialization Of Untrusted Data. The vulnerability exists because the filterSensitive function of MySQLSinkDTO.java does not properly decode the user input MySQL JDBC URLs, allowing an attacker to control the current state or the flow of the execution...

Stored XSS in Roles

Description Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of an...

CVE-2022-46161

pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code...

Remote Code Execution

yiisoft/yii is vulnerable to remote code execution. The vulnerability exists in the wakeup function of CDbCriteria.php, due to improper deserialization of untrusted user input, which allows the attacker to control the state or the flow of execution...

CVE-2021-21814

Within the function HandleFileArg the argument filepattern is under control of the user who passes it in from the command line. filepattern is passed directly to strlen to determine the ending location of the char passed in by the user, no checks are done to see if the passed in char is longer th...

phpok sql注入一枚

简要描述： phpok4.2.083，刚下的 详细说明： 1.safekey固定，导致加密函数可逆 2.使用固定的safekey加密后发起攻击请求，加密内容在代码中解密，绕过了过滤 /install/index.php中 $content = filegetcontentsROOT."config.php"; //查找替换 $content = pregreplace'/$config"db"\"file"\s=\s'|"a-zA-Z0-9-\'|";/isU','$config"db""file" = "'.$dbconfig'file'.'";',$content;...

ThinkSNS SQL注射一枚(无视WAF)

简要描述： 开发时候发现的。 详细说明： apps/page/Lib/Action/DiyAction.class.php 192行： public function doCopyTemplate $id = intval $POST 'id' ; $page = $POST 'page'; $channel = $POST 'channel'; $databaseData = D 'Page' -getPageInfo $page, $channel ; $result = $this-checkRole $databaseData 'manager', $databaseData ;...