Lucene search

K

27 matches found

CVE
CVE
added 2020/04/29 9:15 p.m.6753 views

CVE-2020-11023

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3...

6.9CVSS7.2AI score0.21987EPSS
In wild
CVE
CVE
added 2019/04/20 12:29 a.m.2265 views

CVE-2019-11358

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

6.1CVSS6.4AI score0.04527EPSS
In wild
CVE
CVE
added 2020/03/07 1:15 a.m.1447 views

CVE-2020-9281

A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).

6.1CVSS5.4AI score0.00693EPSS
CVE
CVE
added 2017/03/15 4:59 p.m.786 views

CVE-2016-7103

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

6.1CVSS6AI score0.01383EPSS
In wild
CVE
CVE
added 2021/10/26 3:15 p.m.769 views

CVE-2021-41184

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS ...

6.5CVSS6.5AI score0.26281EPSS
Web
CVE
CVE
added 2021/10/26 3:15 p.m.636 views

CVE-2021-41182

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now trea...

6.5CVSS6.4AI score0.26482EPSS
CVE
CVE
added 2021/01/26 9:15 p.m.623 views

CVE-2021-26272

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted URL-like text into the editor, and then press Enter or Space (in the Autolink plugin).

6.5CVSS6.6AI score0.00203EPSS
CVE
CVE
added 2022/03/16 5:15 p.m.570 views

CVE-2022-24729

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser...

7.5CVSS6.7AI score0.0043EPSS
CVE
CVE
added 2021/10/26 3:15 p.m.554 views

CVE-2021-41183

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now alway...

6.5CVSS6.5AI score0.02663EPSS
CVE
CVE
added 2021/01/26 9:15 p.m.541 views

CVE-2021-26271

It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).

6.5CVSS6.6AI score0.00639EPSS
CVE
CVE
added 2022/03/16 4:15 p.m.491 views

CVE-2022-24728

CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitizatio...

5.4CVSS5.9AI score0.00604EPSS
CVE
CVE
added 2021/11/17 7:15 p.m.451 views

CVE-2021-41164

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result ...

8.2CVSS6.2AI score0.00051EPSS
CVE
CVE
added 2021/08/12 5:15 p.m.362 views

CVE-2021-32809

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Clipboard package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It af...

5.4CVSS5.8AI score0.00206EPSS
Web
CVE
CVE
added 2021/08/13 12:15 a.m.317 views

CVE-2021-37695

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using th...

7.3CVSS6AI score0.00333EPSS
CVE
CVE
added 2021/08/12 5:15 p.m.239 views

CVE-2021-32808

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing J...

7.6CVSS6.1AI score0.01222EPSS
CVE
CVE
added 2021/11/17 8:15 p.m.201 views

CVE-2021-41165

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result i...

8.2CVSS6.2AI score0.00089EPSS
CVE
CVE
added 2021/06/28 8:15 p.m.160 views

CVE-2021-32723

Prism is a syntax highlighting library. Some languages before 1.24.0 are vulnerable to Regular Expression Denial of Service (ReDoS). When Prism is used to highlight untrusted (user-given) text, an attacker can craft a string that will take a very very long time to highlight. This problem has been f...

7.4CVSS6.5AI score0.00373EPSS
CVE
CVE
added 2020/10/07 4:15 p.m.153 views

CVE-2020-26870

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

6.1CVSS6.1AI score0.0029EPSS
CVE
CVE
added 2020/10/30 11:15 a.m.150 views

CVE-2020-7760

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2. The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vu...

7.5CVSS6.1AI score0.0034EPSS
CVE
CVE
added 2020/11/12 9:15 p.m.138 views

CVE-2020-27193

A cross-site scripting (XSS) vulnerability in the Color Dialog plugin for CKEditor 4.15.0 allows remote attackers to run arbitrary web script after persuading a user to copy and paste crafted HTML code into one of editor inputs.

6.1CVSS5.9AI score0.00908EPSS
CVE
CVE
added 2021/07/21 12:15 a.m.71 views

CVE-2021-2460

Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 21.1.0.00.04. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to com...

5.4CVSS5AI score0.00255EPSS
CVE
CVE
added 2020/04/15 2:15 p.m.59 views

CVE-2020-2514

Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 19.2. Easily exploitable vulnerability allows low privileged attacker having End User Role privilege with network access via HTTPS to compromise Oracle Application...

4.9CVSS4AI score0.00424EPSS
CVE
CVE
added 2020/10/21 3:15 p.m.50 views

CVE-2020-14762

Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having SQL Workshop privilege with network access via HTTP to compromise Oracle Application E...

5.4CVSS5.4AI score0.00185EPSS
CVE
CVE
added 2020/10/21 3:15 p.m.46 views

CVE-2020-14900

Vulnerability in the Oracle Application Express Group Calendar component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise...

5.4CVSS5AI score0.00185EPSS
CVE
CVE
added 2020/10/21 3:15 p.m.41 views

CVE-2020-14763

Vulnerability in the Oracle Application Express Quick Poll component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise Ora...

5.4CVSS5.3AI score0.00185EPSS
CVE
CVE
added 2020/10/21 3:15 p.m.37 views

CVE-2020-14899

Vulnerability in the Oracle Application Express Data Reporter component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise ...

5.4CVSS5AI score0.00185EPSS
CVE
CVE
added 2020/10/21 3:15 p.m.35 views

CVE-2020-14898

Vulnerability in the Oracle Application Express Packaged Apps component of Oracle Database Server. The supported version that is affected is Prior to 20.2. Easily exploitable vulnerability allows low privileged attacker having Valid User Account privilege with network access via HTTP to compromise ...

5.4CVSS5AI score0.00185EPSS