In order for this weakness to be exploited, the following conditions have to apply, at the same time:
method Wrapper::buildClientWrapperCode, or any methods which depend on it, such as Wrapper::wrapXmlrpcServer, Wrapper::wrapXmlrpcMethod or Wrapper::b…
The bundled xml-rpc debugger is susceptible to XSS attacks.
Since the debugger is not designed to be exposed to end users but only to the developers using this library, and in the default configuration it is not exposed to requests from the web, the li…
dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines.
References
https://github.com/cure53/DOMPurify/releases/tag/2.2.3
https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-2863266
https://www.vidocsec…
dompurify prior to version 2.2.2 is vulnerable to cross-site scripting when converting from SVG namespace.
References
https://github.com/cure53/DOMPurify/issues/482
https://github.com/cure53/DOMPurify/releases/tag/2.2.2
https://security.snyk.io/vuln/S…
Impact
RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user’s session without the need for interacting with a UI.
RefreshTokens were not invalidated when a user was locked or deactivated. The…
Impact
Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs which is susceptible to reflected XSS attacks when loading external Swagger config files.
Specifically, the DOMPurify version included with this version of…
Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content.
The notification-sending component does not check that the subject of the notification can be seen by the receive…
The Rust Security Response WG was notified that Cargo did not perform SSH host key verification when cloning indexes and dependencies via SSH. An attacker could exploit this to perform man-in-the-middle (MITM) attacks.
This vulnerability has been assig…
tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows XSS in HEEx class attributes.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-46871
https://github.com/phoenixframework/phoenix_html/commit/62a0139fb716bcdce697f6221244bd81d321…
Zip4j through 2.11.2, as used in Threema and other products, does not always check the MAC when decrypting a ZIP archive. This issue has been fixed in version 2.11.3.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-22899
https://breakingthe3ma.ap…
