Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workaroun…
[com.nepxion:discovery] Nepxion Discovery vulnerable to potential Information Disclosure due to Server-Side Request Forgery
Nepxion Discovery is a solution for Spring Cloud. Discovery is vulnerable to a potential Server-Side Request Forgery (SSRF). RouterResourceImpl uses RestTemplate’s getForEntity to retrieve the contents of a URL containing user-controlled input, potenti…
[frontier] Weight not properly refunded after EVM execution
Impact
Previously, the worst case weight was always accounted as the block weight for all cases. In case of large EVM gas refunds, this can lead to block spamming attacks — the adversary can construct blocks with transactions that have large amount of…
[protobuf] protobuf-cpp and protobuf-python have potential Denial of Service issue
Summary
A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on se…
[org.keycloak:keycloak-parent] Keycloak vulnerable to Stored Cross-site Scripting (XSS) when loading default roles
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including version 19.0.1. The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing o…
[com.liferay.portal:release.portal.bom] Liferay Portal Missing Authorization vulnerability
The Layout module in Liferay Portal v7.3.3 through v7.4.3.34, and Liferay DXP 7.3 before update 10, and 7.4 before update 35 does not check user permission before showing the preview of a “Content Page” type page, allowing attackers to view unpublished…
[org.apache.xmlgraphics:batik] Apache Batik vulnerable to Server-Side Request Forgery
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38648
https://list…
[org.apache.xmlgraphics:batik] Apache Batik Server-Side Request Forgery
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38398
http…
[rdiffweb] rdiffweb Cross-Site Request Forgery vulnerability
rdiffweb prior to 2.4.6 is vulnerable to cross-site request forgery on the repository settings. A malicious user can change the settings of a repository by sending a URL to the victim. This issue is fixed in version 2.4.6.
References
https://nvd.nist….
[tui-grid] Toast UI Grid vulnerable to Cross-site Scripting
Toast UI Grid is a component to display and edit data. Versions prior to 4.21.3 are vulnerable to cross-site scripting attacks when pasting specially crafted content into editable cells. This issue was fixed in version 4.21.3. There are no known workar…