31852 matches found
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of SVG namespace scope by the sanitizer. An attacker can execute arbitrary JavaScript by crafting a payload with nested SVG elements that...
Cross-site Scripting (XSS)
Overview tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper handling of SVG namespace scope by the sanitizer. An attacker can execute arbitrary JavaScript by crafting a payload with neste...
Cross-site Scripting (XSS)
Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. An attacker can execute arbitrary scripts in the context of the user's...
Cross-site Scripting (XSS)
Overview tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. An attacker can execute arbitrary scripts in the context of the user's...
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. An attacker can execute arbitrary scripts in the context of the user's browser by...
Cross-site Scripting (XSS)
Overview tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized data-mce-href, data-mce-src, and data-mce-style attributes. An attacker can execute arbitrary scripts in the context of the...
Excessive Iteration
Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Excessive Iteration via the processing of cross-reference streams containing /W values set to 0 0 0 and large /Size values. An...
Cross-site Scripting (XSS)
Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's browser by...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the jwt.decode or jwt.decodecomplete functions when used with a PyJWK key. An attacker can bypass algorithm restrictions and gain unauthorized access to protected resources by signing...
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's browser by injecting...
Cross-site Scripting (XSS)
Overview tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's browser by...
Cross-site Scripting (XSS)
Overview tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the media plugin when handling crafted data-mce- attributes. An attacker can execute arbitrary scripts in the context of the user's...
Unintended Proxy or Intermediary ('Confused Deputy')
Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via the uri parameter being passed directly to urllib.request.urlopen, which allows fetching resources using unsupported schemes such as file, ftp, and data. An attacker can access...
Allocation of Resources Without Limits or Throttling
Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the layout mode text extraction process when handling PDFs with large...
Improper Cleanup on Thrown Exception
Overview Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception via the getsigningkey function. An attacker can exhaust system resources by sending numerous JWTs with attacker-controlled kid values, causing repeated outbound requests to the JWKS endpoint. Note:...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Base64URL decoding process. An attacker can cause excessive CPU and memory consumption by supplying an arbitrarily large payload segment when verifying detached JWS tokens wit...
Cross-site Scripting (XSS)
Overview tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that...
Cross-site Scripting (XSS)
Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication when decoding JSON Web Tokens. An attacker can forge valid tokens by supplying a public key as the secret for the HMAC algorithm when both asymmetric and HMAC algorithms are supported. PoC python from jwt.apijws...
Cross-site Scripting (XSS)
Overview org.webjars.npm:tinymce is a WebJar for tinymce. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content that bypasses sanitizati...
Cross-site Scripting (XSS)
Overview tinymce/tinymce is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the mce:protected comments. An attacker can execute arbitrary scripts in the context of affected users by injecting malicious content th...
Allocation of Resources Without Limits or Throttling
Overview pypdf is an A pure-python PDF library capable of splitting, merging, cropping, and transforming PDF files Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parsing process. An attacker can cause excessive memory consumption b...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the updateAddressInfo and createAddress methods. A user with consume or send permssions can modify the routing-type of an address - e.g. from ANYCAST to MULTICAST. Remediation Upgrade...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the updateAddressInfo and createAddress methods. A user with consume or send permssions can modify the routing-type of an address - e.g. from ANYCAST to MULTICAST. Remediation Upgrade...
Malicious Package
Overview @service-user-notifications/resetnotificationsnotremovable is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection betwe...
Malicious Package
Overview @service-suppliers/setinitialloaded is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...
Malicious Package
Overview @service-user-notifications/setrefreshinterval is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @service-suppliers/setselectedsupplieractionsaga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @service-suppliers/setcountrylist is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
Malicious Package
Overview @service-suppliers/setsuppliersdata is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...
Malicious Package
Overview @service-suppliers/setsuppliersloadingstart is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @service-user-notifications/setnotificationsnotremovable is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between...
Malicious Package
Overview @service-suppliers/setsuppliersloadingstop is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @service-suppliers/resetcountrylist is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...
Malicious Package
Overview @service-suppliers/fetchsupplierscountrylistactionsaga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between...
Malicious Package
Overview @polka-ui/loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @service-suppliers/fetchsuppliersactionsaga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @polka-ui/configuration is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...
Malicious Package
Overview @hcs-hybrid/uirouter-core is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @service-suppliers/fetch-suppliers-watcher-saga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @polka-ui/reco is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @databus-service-ui/scroll-up-content is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...
Malicious Package
Overview @service-suppliers/select-supplier-watcher-saga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @polka-ui/config is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @loans/vehicles-api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @bcs-bank-complex-ui/deeplink is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview @polka-ui/recoc is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview @service-suppliers/fetchinitialsuppliersactionsaga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that...
Malicious Package
Overview @service-suppliers/fetch-initial-suppliers-watcher-saga is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between...
Malicious Package
Overview @service-suppliers/setselectedsupplier is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...