221 matches found
Cross-site Scripting (XSS)
Python SimpleHTTPServer is vulnerable to cross-site scripting XSS. The listdirectory function in Lib/SimpleHTTPServer.py does not set a charset parameter in the Content-Type HTTP header, allowing an attacker to inject arbitrary Javascript through UTF-7 encoding into Internet Explorer 7 browser vi...
PhpSpreadsheet < 1.5.0 - XML External Entity (XXE)
Product Description PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc. Vulnerabilities List One vulnerability was identified within the PhpSpreadsheet...
XXE Vulnerability
This is: - X a bug report - a feature request - not a usage question ask them on https://stackoverflow.com/questions/tagged/phpspreadsheet or https://gitter.im/PHPOffice/PhpSpreadsheet What is the expected behavior? The securityScan function is used to prevent XXE attacks. What is the current...
CVE-2018-19277
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
CVE-2018-19277
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
Design/Logic Flaw
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
CVE-2018-19277
securityScan in PHPOffice PhpSpreadsheet through 1.5.0 allows a bypass of protection mechanisms for XXE via UTF-7 encoding in a .xlsx file...
CVE-2018-19277
CVE-2018-19277 affects PhpSpreadsheet (PHPOffice) up to version 1.5.0. The flaw: the library’s XML handling in Xlsx files can bypass protection via UTF-7 encoding, enabling an XML External Entity (XXE) attack. Root cause per sources: XmlScanner/Xml parsing when declared encoding differs from UTF-...
CVE-2014-9059
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting XSS attacks via UTF-7 characters during interaction with AJAX scripts...
Cross site scripting
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting XSS attacks via UTF-7 characters during interaction with AJAX scripts...
CVE-2014-9059
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting XSS attacks via UTF-7 characters during interaction with AJAX scripts...
McAfee Superscan 4.0 - XSS Vulnerability
No description provided by source. Trustwave SpiderLabs Security Advisory TWSL2013-024: Cross Site Scripting XSS vulnerability in McAfee Superscan 4.0 Published: 08/02/2013 Version: 1.0 Vendor: McAfee http://www.mcafee.com/ Product: SuperScan Version affected: v4.0 Product description: SuperScan ...
Microsoft Internet Explorer 2.0 - UTF-7 HTTP Response Handling Weakness
No description provided by source. source: http://www.securityfocus.com/bid/29112/info Microsoft Internet Explorer is prone to a weakness that can facilitate cross-site scripting attacks. The issue occurs because the application fails to sufficiently sanitize user-supplied input when handling UTF...
MediaWiki 1.x AJAX Index.PHP Cross-Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/21956/info MediaWiki is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the...
CVE-2013-4884
Cross-site scripting XSS vulnerability in McAfee SuperScan 4.0 allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded sequences in a server response, which is not properly handled in the SuperScan HTML report...
CVE-2013-2031
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting XSS attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox...
CVE-2013-2031
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting XSS attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox...
CVE-2013-2031
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting XSS attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox...
Cross site scripting
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting XSS attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox...
CVE-2013-2031
MediaWiki before 1.19.6 and 1.20.x before 1.20.5 allows remote attackers to conduct cross-site scripting XSS attacks, as demonstrated by a CDATA section containing valid UTF-7 encoded sequences in a SVG file, which is then incorrectly interpreted as UTF-8 by Chrome and Firefox...