26 matches found

Veracode
added 2025/11/05 12:27 p.m., 3 views

HTML Injection

mailgen is vulnerable to HTML injection. The vulnerability is due to improper sanitization of user-supplied content and Mailgen.generatePlaintextemail retaining HTML tags from input. An attacker can supply crafted content to inject HTML into generated plaintext emails...

CVSS 6.9, AI score 6.9, EPSS 0.00081
Exploits 0, References 2, Affected Software 1

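The mailgen entry above describes the general failure: user-supplied content is copied into the text/plain part of a message with its tags intact. The following is an added example, not mailgen's own code, showing a naive plaintext generator beside a hardened one. The body field names (name, intro, action, outro), the helper names and the attacker-controlled body are assumptions constructed for illustration.

```javascript
// Added example (not mailgen's code): rendering user-supplied, possibly HTML-bearing
// mail-body fields as text/plain without letting markup survive. The body field names
// (name, intro, action, outro) are assumptions for illustration.

const ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: " " };
const TAG_SRC = String.raw`<\/?[a-z!?](?:"[^"]*"|'[^']*'|[^'">])*>`;
const TAG_RE = new RegExp(TAG_SRC, "gi");   // used for stripping
const HAS_TAG = new RegExp(TAG_SRC, "i");   // used for checking (no lastIndex state)
const COMMENT_RE = /<!--[\s\S]*?-->/g;
const BLOCK_RE = /<\/?(?:p|div|br|li|tr|h[1-6])\b[^>]*>/gi;

// Decode named and numeric entities; unknown names are left untouched.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ent) => {
    if (ent[0] === "#") {
      const cp = /^#x/i.test(ent) ? parseInt(ent.slice(2), 16) : parseInt(ent.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const name = ent.toLowerCase();
    return Object.prototype.hasOwnProperty.call(ENTITIES, name) ? ENTITIES[name] : m;
  });
}

// Decode, then strip, and repeat until nothing changes: a double-encoded
// "&amp;lt;script&amp;gt;" only becomes a tag after two decoding passes.
function htmlToPlaintext(html) {
  let text = html == null ? "" : String(html);
  for (let round = 0; round < 10; round++) {
    const before = text;
    text = decodeEntities(text)
      .replace(COMMENT_RE, "")
      .replace(BLOCK_RE, "\n")
      .replace(TAG_RE, "");
    if (text === before) break;
  }
  return text.replace(/[ \t]+/g, " ").replace(/\n{3,}/g, "\n\n").trim();
}

function containsMarkup(text) {
  return HAS_TAG.test(text);
}

// Only http(s) links survive into the plaintext; anything else is replaced.
function safeLink(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "[link removed]";
  } catch (e) {
    return "[link removed]";
  }
}

// Vulnerable shape: fields are copied into the text/plain part verbatim.
function generatePlaintextNaive(body) {
  const lines = [`Hi ${body.name},`, body.intro];
  if (body.action) {
    lines.push(body.action.instructions, `${body.action.button.text}: ${body.action.button.link}`);
  }
  lines.push(body.outro);
  return lines.filter(Boolean).join("\n\n");
}

// Hardened shape: every field goes through htmlToPlaintext, links through safeLink.
function generatePlaintextSafe(body) {
  const lines = [`Hi ${htmlToPlaintext(body.name)},`, htmlToPlaintext(body.intro)];
  if (body.action) {
    lines.push(
      htmlToPlaintext(body.action.instructions),
      `${htmlToPlaintext(body.action.button.text)}: ${safeLink(body.action.button.link)}`,
    );
  }
  lines.push(htmlToPlaintext(body.outro));
  return lines.filter(Boolean).join("\n\n");
}

// Constructed attacker-controlled body (not real data).
const ATTACKER_BODY = {
  name: 'Alice <img src=x onerror="alert(1)">',
  intro: "Your order has &lt;b&gt;shipped&lt;/b&gt;.<!-- hidden --> &amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;",
  action: {
    instructions: 'Click <a href="https://evil.example/?q=a>b">here</a>',
    button: { text: "Confirm", link: "javascript:alert(1)" },
  },
  outro: "Thanks &amp; regards",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive output still contains markup:", containsMarkup(generatePlaintextNaive(ATTACKER_BODY)));
  console.log(generatePlaintextSafe(ATTACKER_BODY));
}
```

Two details matter in practice: decoding and stripping must run to a fixpoint, otherwise an entity-encoded tag slips through a single pass, and a link field needs its own check, since a tag stripper does nothing about a `javascript:` URL that is printed as text and later auto-linked by a mail client.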
Drupal
added 2025/07/09 12:00 a.m., 8 views

Cookies Addons - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-087

This module provides a text format filter that "disables" iframes, e.g. by removing the user-specified src attribute. These elements are enabled again once the Cookies banner is accepted. The module doesn't sufficiently filter user-supplied content when their value might contain...

CVSS 6.1, AI score 5.8, EPSS 0.00182
Exploits 0, References 1

OSV
added 2025/06/17 3:15 p.m., 0 views

DEBIAN-CVE-2025-6196

A flaw was found in libgepub, a library used to read EPUB files. The software mishandles file size calculations when opening specially crafted EPUB files, leading to incorrect memory allocations. This issue causes the application to crash. Known affected usage includes desktop services like...

CVSS 5.5, AI score 5.4, EPSS 0.00071
Exploits 1, References 1

Cvelist
added 2022/07/01 1:17 p.m., 14 views

CVE-2014-3650

Multiple persistent cross-site scripting (XSS) flaws were found in the way AeroGear handled certain user-supplied content. A remote attacker could use these flaws to compromise the application with specially crafted input...

AI score 5.5, EPSS 0.00156
Exploits 0, References 2

Prion
added 2022/06/30 1:15 p.m., 7 views

Cross site scripting

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view's tagName to...

CVSS 2.6, AI score 7.3, EPSS 0.00336
Exploits 0, References 3, Affected Software 1

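The Ember.js entry above is the common case of a value that is trusted as a tag name while the text around it is escaped. As an added example that is not Ember's code, the block below shows that shape of bug next to an allowlist check on the tag name; `renderNaive`, `renderSafe`, `escapeHtml` and the two constructed view objects are hypothetical names for illustration.

```javascript
// Added example (not Ember's code): a view's tagName interpolated into markup that is
// destined for innerHTML. renderNaive/renderSafe and the view objects are hypothetical.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Text and id are escaped, but tagName is trusted: whoever controls it can append
// attributes such as event handlers, or open a different element entirely.
function renderNaive(view) {
  return `<${view.tagName} id="${escapeHtml(view.elementId)}">${escapeHtml(view.text)}</${view.tagName}>`;
}

// An HTML tag name is a letter followed by letters, digits or hyphens; anything
// else is rejected before it can reach the markup string.
const TAG_NAME_RE = /^[a-z][a-z0-9-]*$/i;

function renderSafe(view) {
  if (typeof view.tagName !== "string" || !TAG_NAME_RE.test(view.tagName)) {
    throw new TypeError(`invalid tagName ${JSON.stringify(view.tagName)}`);
  }
  return `<${view.tagName} id="${escapeHtml(view.elementId)}">${escapeHtml(view.text)}</${view.tagName}>`;
}

// Constructed inputs: a tagName taken from user input, and a legitimate one.
const HOSTILE_VIEW = { tagName: 'div onmouseover="alert(1)"', elementId: "v1", text: "hi" };
const HONEST_VIEW = { tagName: "section", elementId: "v2", text: "a <b> & c" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderNaive(HOSTILE_VIEW));   // handler attribute survives into the markup
  console.log(renderSafe(HONEST_VIEW));
}
```

Escaping is the wrong tool for a tag name, since `&lt;` or `&quot;` cannot appear in one anyway; validation against what a tag name may contain is what closes the gap.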
Prion
added 2022/05/02 11:15 p.m., 12 views

Deserialization of untrusted data

The Java Remote Management Interface of all versions of Orlansoft ERP was discovered to contain a vulnerability due to insecure deserialization of user-supplied content, which can allow attackers to execute arbitrary code via a crafted serialized Java object...

CVSS 7.5, AI score 9.8, EPSS 0.04485
Exploits 0, References 3

OSV
added 2022/03/08 12:15 p.m., 2 views

CVE-2022-24282

A vulnerability has been identified in SINEC NMS All versions = V1.0.3 V2.0, SINEC NMS All versions V1.0.3, SINEMA Server V14 All versions. The affected system allows uploading JSON objects that are deserialized to Java objects. Due to insecure deserialization of user-supplied content by the...

CVSS 7.2, AI score 7.4, EPSS 0.0277
Exploits 0, References 1

NVD
added 2020/11/17 4:15 a.m., 16 views

CVE-2020-27131

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the...

CVSS 10, AI score 9, EPSS 0.88492
Exploits 0, References 1

Prion
added 2020/11/17 4:15 a.m., 16 views

Deserialization of untrusted data

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the...

CVSS 10, AI score 9.7, EPSS 0.88492
Exploits 0, References 1, Affected Software 1

Cvelist
added 2020/11/17 3:10 a.m., 17 views

CVE-2020-27131 Cisco Security Manager Java Deserialization Vulnerabilities

Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the...

CVSS 8.1, AI score 9.9, EPSS 0.88492
Exploits 0, References 1

Prion
added 2020/10/08 2:15 p.m., 13 views

Deserialization of untrusted data

IBM QRadar SIEM 7.3 and 7.4 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to...

CVSS 9, AI score 8.6, EPSS 0.31429
Exploits 2, References 4, Affected Software 1

Tenable Nessus
added 2020/06/11 12:00 a.m., 25 views

Cisco IOS XE Software Privilege Escalation (cisco-sa-priv-esc2-A6jVRu7C)

According to its self-reported version, Cisco IOS XE Software is affected by a privilege escalation vulnerability. The vulnerability could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges due to insufficient validation of user-supplied content. This vulnerability could all...

CVSS 7.2, AI score 6.5, EPSS 0.00046
Exploits 0, References 3

Prion
added 2020/06/03 6:15 p.m., 18 views

Input validation

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges. The vulnerability is due to insufficient validation of user-supplied content. This vulnerability could allow an attacker to load malicious...

CVSS 7.2, AI score 6.5, EPSS 0.00046
Exploits 0, References 1, Affected Software 1

Cvelist
added 2020/06/03 5:41 p.m., 17 views

CVE-2020-3214 Cisco IOS XE Software Privilege Escalation Vulnerability

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges. The vulnerability is due to insufficient validation of user-supplied content. This vulnerability could allow an attacker to load malicious...

CVSS 6.7, AI score 6.5, EPSS 0.00046
Exploits 0, References 1

Vulnrichment
added 2020/06/03 5:41 p.m., 9 views

CVE-2020-3214 Cisco IOS XE Software Privilege Escalation Vulnerability

A vulnerability in Cisco IOS XE Software could allow an authenticated, local attacker to escalate their privileges to a user with root-level privileges. The vulnerability is due to insufficient validation of user-supplied content. This vulnerability could allow an attacker to load malicious...

CVSS 6.7, AI score 6.8, EPSS 0.00046
Exploits 0, References 1

Prion
added 2019/10/02 7:15 p.m., 16 views

Deserialization of untrusted data

A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An...

CVSS 7.5, AI score 9.6, EPSS 0.06688
Exploits 0, References 1, Affected Software 1

Cvelist
added 2019/10/02 6:15 p.m., 18 views

CVE-2019-12630 Cisco Security Manager Java Deserialization Vulnerability

A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An...

CVSS 6.5, AI score 9.8, EPSS 0.06688
Exploits 0, References 1

Oracle Linux
added 2019/08/13 12:00 a.m., 32 views

mod_auth_openidc security update

1.8.8-5 - Resolves: rhbz1626297 - CVE-2017-6413 mod_auth_openidc: OIDC_CLAIM_ and OIDCAuthNHeader not skipped in an 'AuthType oauth20' configuration rhel-7
1.8.8-4 - Resolves: rhbz1626299 - CVE-2017-6059 mod_auth_openidc: Shows user-supplied content on error pages rhel-7...

CVSS 8.6, AI score 2.4, EPSS 0.0201
Exploits 0

Prion
added 2018/11/08 4:29 p.m., 16 views

Deserialization of untrusted data

A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An...

CVSS 10, AI score 9.8, EPSS 0.22249
Exploits 0, References 3, Affected Software 1

CNVD
added 2018/08/15 12:00 a.m., 2 views

Microsoft ChakraCore and Edge Memory Corruption Vulnerability

Microsoft Edge is a web browser developed by Microsoft. ChakraCore is the core of the open-source Chakra JavaScript engine, which can also be used as a standalone JavaScript engine. A remote code execution vulnerability exists in Microsoft Edge (Windows 10 version 1803) and ChakraCore. A...

CVSS 7.6, AI score 7.5, EPSS 0.22992
Exploits 2, References 1
