47 matches found
CVE-2020-11023
The connected Astra Linux bulletin confirms CVE-2020-11023: in jQuery versions >= 1.0.3 and < 3.5.0, passing HTML containing elements from untrusted sources to DOM manipulation methods (e.g., .html(), .append()) may lead to untrusted code execution. Patch released in jQuery 3.5.0. Remediat...
CVE-2019-11358
CVE-2019-11358 is a prototype pollution vulnerability in jQuery (before 3.4.0) where mishandling of extend(true, {}, ...) can extend Object.prototype if an unsanitized source object has an enumerable __proto__ property. The core issue is triggered when a polluted prototype is introduced via nested ob...
CVE-2020-9281
CVE-2020-9281 is an XSS in CKEditor’s HTML Data Processor that allows remote script execution via a crafted protected comment (CKEditor syntax cke_protected). Affected are CKEditor 4.0 up to, but not including, 4.14. IBM DOORS/DOORS Web Access bulletins include this CVE and note remediation: upgrade to CKEditor 4.17....
CVE-2021-41182
CVE-2021-41182 is an XSS in the jQuery-UI Datepicker altField path (embedded in some OTRS deployments). The affected version observed is an embedded 1.12.1 copy; the issue is fixed in jQuery UI 1.13.0 by treating any altField value as a CSS selector. Entries for the related CVEs (CVE-2021-41183 and CVE-2021-41184) describe similar issues...
CVE-2021-41184
CVE-2021-41184 describes an XSS in jQuery-UI before 1.13.0 where untrusted input passed to the of option of the .position() utility could lead to code execution. The connected documents confirm the issue affects jQuery-UI embedded in other software (e.g., OTRS/IU contexts) and state the fix is to...
CVE-2016-7103
CVE-2016-7103 is a cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0, exploitable via the closeText parameter of the Dialog widget. The issue allows remote script/HTML injection. Remediation per connected documents is to upgrade to jQuery UI 1.12.0 or later (fixed version).
CVE-2021-26272
CVE-2021-26272 is a ReDoS in CKEditor 4 Autolink: by pasting crafted URL-like text and pressing Enter/Space, a victim can trigger a denial of service. The publicly documented detail confirms CKEditor 4.x versions before 4.16 are affected; remediation is to upgrade to CKEditor 4.16+ or apply a fix as ...
CVE-2021-41183
CVE-2021-41183 concerns jQuery-UI’s Datepicker in the embedded jQuery-UI copy used by OTRS (notably in the 1.12.1 series). The vulnerability arises from accepting values for the various *Text options from untrusted sources, which could allow execution of untrusted code. The issue is fixed in jQue...
CVE-2022-24729
CVE-2022-24729 affects CKEditor4 prior to 4.18.0, where the dialog plugin has a vulnerability in the input validator regex that can cause a severe performance drop, leading to browser tab freeze (ReDoS). The issue is documented with a confirmed remediation: upgrade to CKEditor4 4.18.0 or newer. C...
CVE-2021-26271
CVE-2021-26271 affects CKEditor 4 before 4.16. An attacker could trigger a ReDoS-type DoS by persuading a victim to paste crafted text into the Styles input of dialogs (Advanced Tab in the Dialogs plugin). Affected versions are CKEditor 4.x prior to 4.16; remediation is to upgrade to 4.16 or newe...
CVE-2022-24728
CKEditor4 core HTML processing vulnerability (CVE-2022-24728) allows injecting malformed HTML that bypasses sanitization, potentially enabling JavaScript execution in CKEditor 4 plugins. A fix is available in version 4.18.0; versions prior to 4.18.0 are affected. No public workarounds are provide...
CVE-2021-41164
CKEditor4 contains an Advanced Content Filter (ACF) vulnerability (CVE-2021-41164) that allows injection of malformed HTML bypassing sanitization, enabling JavaScript execution. Affected: CKEditor4
CVE-2021-32809
CVE-2021-32809 concerns CKEditor 4’s Clipboard functionality. Affected: CKEditor 4, Clipboard plugin, version >= 4.5.2. Root cause: HTML injected via malformed paste content could be executed within the editor’s context. Impact: potential HTML injection into the editor content (code injection ...
CVE-2021-37695
CKEditor 4 vulnerability CVE-2021-37695 involves the Fake Objects addon. The issue allows injection of malformed Fake Objects HTML that can lead to JavaScript execution in affected CKEditor 4 plugins when used at versions prior to 4.16.2. Public references in connected documents confirm the affec...
CVE-2019-10219
The CVE-2019-10219 entry affects Hibernate Validator: the SafeHtml validator annotation fails to sanitize HTML comments/instructions, enabling XSS in affected code paths. Affected CP4S versions are 1.7.2.0, 1.8.0.0, and 1.8.1.0. Remediation is to upgrade to Cloud Pak for Security 1.9.0.0 per IBM guid...
CVE-2021-32808
CKEditor 4.x clipboard Widget plugin vulnerability (CVE-2021-32808) arises from improper validation of widget HTML when used with the undo feature, allowing a remote attacker to trigger JavaScript execution in the victim’s browser. Affected: CKEditor 4 plugins with version >= 4.13.0. Remediati...
CVE-2020-26870
CVE-2020-26870 affects DOMPurify up to 2.0.16/2.0.17, where a serialize-parse roundtrip can alter the DOM (namespace changes HTML→MathML, e.g., nesting FORM elements), enabling a mutation XSS. The issue is documented by Cure53 and linked analyses; a fix was released with DOMPurify 2.0.17. Related...
CVE-2021-41165
CKEditor4 core HTML processing vulnerability (CVE-2021-41165) allows injection of malformed HTML comments bypassing content sanitization, potentially enabling JavaScript execution. Affected: CKEditor 4.x versions before 4.17.0 (affects all plugins). Impact: execution of arbitrary script in affect...
CVE-2020-7760
CVE-2020-7760 affects CodeMirror prior to 5.58.2 (and org.apache.marmotta.webjars:codemirror) with a ReDoS vulnerability in a JavaScript mode regex (sub-pattern (s|/. ?/) ). IBM’s bulletin confirms the same issue and notes watsonx.data is affected (version 2.2.1) and that remediation is to u...
CVE-2021-32723
PrismJS Prism before v1.24.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when highlighting untrusted text. Specifically, ASCIIDoc and ERB are susceptible to crafted input that can cause excessive highlighting time; other languages are not affected. The vulnerability has been fix...
CVE-2020-27193
CVE-2020-27193 is an XSS in CKEditor 4.15.0 Color Dialog. A remote attacker can lure a user to paste crafted HTML into the editor, causing script execution in the user’s browser. The vulnerability is addressed by CKEditor 4.15.1 security patch; IBM/OSS bulletins also reference the fix. Affected p...
CVE-2023-21983
CVE-2023-21983 affects the Application Express Administration component of Oracle Application Express (APEX) in versions 18.2–22.2. The vulnerability allows an unauthenticated attacker over HTTP with network access to force unauthorized updates/deletes/inserts to certain Administration data, read access to a subset of data...
CVE-2023-21975
CVE-2023-21975 affects Oracle Application Express, specifically the Application Express Customers Plugin (component: User Account), with vulnerable versions 18.2–22.2. The root cause is insufficient input validation in the Customers Plugin, enabling a remote attacker to modify, add, or delete ...
CVE-2021-2460
CVE-2021-2460 affects Oracle Database Server's Oracle Application Express Data Reporter component, with versions prior to 21.1.0.00.04 affected. The vulnerability allows a low-privileged attacker with a valid user account and network access over HTTP to compromise Data Reporter, requiring user in...
CVE-2023-21974
The CVE-2023-21974 entry maps to Oracle Application Express Team Calendar Plugin (versions 18.2–22.1). The vulnerability stems from insufficient input validation in the plugin’s User Account component, allowing a low-privileged attacker with network access via HTTP to compromise the plugin, with ...
CVE-2016-3448
CVE-2016-3448 is an unspecified vulnerability in the Application Express component of Oracle Database Server, affecting versions before 5.0.4. The issue allows remote, unauthenticated attackers to impact confidentiality and integrity via unknown vectors. It is listed among Oracle July 2016 CPU fi...
CVE-2020-2514
CVE-2020-2514 affects the Oracle Application Express (APEX) component of Oracle Database Server, with affected versions before 19.2. The vulnerability allows a low-privileged End User with network access via HTTPS to compromise APEX, with exploitation requiring user interaction. Consequences st...
CVE-2024-21261
Oracle Application Express (APEX) General component is affected in versions 23.2 and 24.1. The issue stems from insufficient input validation in the General component, allowing a low-privileged, network-accessible attacker (via HTTP) to perform unauthorized updates, inserts, deletes, and read acc...
CVE-2018-2699
CVE-2018-2699 affects Oracle Database Server’s Application Express component (prior to 5.1.4.00.08). The vulnerability allows an unauthenticated, network-accessible attacker to compromise Application Express via HTTP, with impact including unauthorized update/insert/delete and read access to Appl...
CVE-2020-2513
CVE-2020-2513 affects Oracle Application Express (APEX) within Oracle Database Server, affecting 5.1–19.2. The vulnerability can be exploited by a low-privileged user with SQL Workshop privilege over HTTP, requiring user interaction, to read and modify APEX data and potentially read restricted da...
CVE-2020-2971
CVE-2020-2971 affects Oracle Application Express within Oracle Database Server (versions 5.1–19.2). The vulnerability allows a low-privileged attacker with SQL Workshop privilege and network access via HTTP to compromise APEX. Attacks require human interaction, and the impact can include unauthor...
CVE-2020-14762
CVE-2020-14762 concerns Oracle Database Server’s Oracle Application Express component, affected prior to 20.2. An attacker with SQL Workshop privilege, network access via HTTP, and user interaction can potentially read and modify Oracle APEX data and may impact other products. CVSS 3.1 Base Score ...
CVE-2020-14900
Oracle CVE-2020-14900 affects the Oracle Application Express Group Calendar component in Oracle Database Server (older than 20.2). The vulnerability allows a low-privileged user with a valid account, over HTTP, to perform unauthorized updates, inserts, or deletes and read access to certain data, ...
CVE-2020-2972
CVE-2020-2972 relates to Oracle Database Server’s Oracle Application Express (APEX). Affected versions are 5.1–19.2. The vulnerability is exploitable by a low-privileged attacker who has the SQL Workshop privilege and network access via HTTP to compromise APEX. Successful exploits can lead to una...
CVE-2020-2973
CVE-2020-2973 affects Oracle Database Server’s Oracle Application Express component. Affected versions are 5.1–19.2. The vulnerability allows a low-privileged attacker with SQL Workshop privilege and HTTP network access to influence Oracle Application Express, with user interaction required. Impa...
CVE-2020-2975
CVE-2020-2975 affects the Oracle Database Server via the Oracle Application Express (APEX) component. Affected versions are 5.1–19.2. The vulnerability can be exploited by a low-privilege attacker who has SQL Workshop privilege and network access via HTTP to compromise APEX. Attacks require user ...
CVE-2020-14763
CVE-2020-14763 affects Oracle Database Server’s Application Express Quick Poll component, with the affected version being prior to 20.2. A low-privileged attacker with a valid user account and network access via HTTP can compromise Quick Poll, with successful attacks potentially leading to unauth...
CVE-2020-2977
CVE-2020-2977 affects Oracle Database Server via the Application Express (APEX) component. Affected: APEX versions 5.1–19.2. The vulnerability is exploitable by a low-privilege user with a Valid User Account, who can access the server over HTTP and requires user interaction. Consequences include ...
CVE-2016-3467
CVE-2016-3467 affects the Application Express component of Oracle Database Server in versions prior to 5.0.4. Description: an unspecified vulnerability in the Application Express component allows remote attackers to affect availability via unknown vectors. Evidence in connected sources conf...
CVE-2025-21557
CVE-2025-21557 affects Oracle Application Express (General component) with affected versions 23.2 and 24.1. The issue allows a low-privileged, network-facing attacker over HTTP to cause unauthorized update/insert/delete and read access to Oracle APEX data, requiring user interaction. Root cause r...
CVE-2020-2976
CVE-2020-2976 affects Oracle Database Server’s Oracle Application Express (APEX) component. Affected versions are 5.1–19.2. The vulnerability allows a low-privileged attacker with SQL Workshop privilege and HTTP network access to compromise APEX. Exploitation requires user interaction and can lea...
CVE-2020-2974
CVE-2020-2974 describes a vulnerability in the Oracle Application Express component of Oracle Database Server, affecting Oracle APEX versions 5.1–19.2. The vulnerability can be exploited by a low-privileged attacker with SQL Workshop privilege and network access via HTTP, with exploitation requir...
CVE-2020-14899
CVE-2020-14899 affects the Oracle Application Express Data Reporter component of Oracle Database Server (pre-20.2). The issue is exploitable by a low-privilege user with a valid account, via HTTP, and requires user interaction. An attacker can modify and delete data and also obtain unauthorized r...
CVE-2008-1811
CVE-2008-1811 relates to Oracle Application Express 3.0.1. The vulnerability lies in the flows_030000.wwv_execute_immediate.run_ddl function within the wwv_execute_immediate package, in the flows_030000 schema, enabling privilege escalation by certain remote authenticated users (non-DBA). The iss...
CVE-2020-14898
CVE-2020-14898 affects Oracle Database Server’s Oracle Application Express Packaged Apps (APEX) prior to version 20.2. The issue allows a low-privilege user with a valid account and network access via HTTP to interact with a vulnerable APEX Packaged Apps component, potentially resulting in unauth...
CVE-2008-1822
CVE-2008-1822 describes an unspecified vulnerability in the Oracle Application Express component of Oracle Application Express 3.0.1 (aka APEX02). The connected sources indicate the issue has unknown impact and remote attack vectors, with an NVD CVSS v2 base score of 10.0 (HIGH). There are no prov...
CVE-2025-50067
CVE-2025-50067 affects Oracle Application Express, specifically the Strategic Planner Starter App. Affected versions are 24.2.4 and 24.2.5. An attacker with network access over HTTP and low privileges can exploit via social interaction to take over the Oracle APEX instance. The CVSS base score is...