When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the ‘Problem Report’ screen. Also, if JSP files are exposed to direct access, it is possible to execute an arbitrary script.
It is generally …
[org.apache.struts:struts2-core] Cross-site Scripting in Apache Struts
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte cha…
[opencc] Open Chinese Convert subject to Denial of Service via Out-of-bounds Read
Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial of service (segmentation fault) because BinaryDict::NewFromFile in BinaryDict.cpp may have out-of-bounds keyOffset and valueOffset values via a crafted .ocd file.
References
https:…
[league/commonmark] PHP League CommonMark vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library versions 0.15.6 through 0.18.x before 0.18.1 allows remote attackers to insert unsafe URLs into HTML (even if allow_unsafe_links is false) via a newline character (e.g., writ…
[com.sonyericsson.hudson.plugins.rebuild:rebuild] Cross-site Scripting in Jenkins Rebuilder Plugin
A cross-site scripting vulnerability exists in Jenkins Rebuilder Plugin 1.28 and earlier in
RebuildAction/BooleanParameterValue.jelly,
RebuildAction/ExtendedChoiceParameterValue.jelly,
RebuildAction/FileParameterValue.jelly,
RebuildAction/LabelP…
[org.apache.tomee:tomee-webapp] Apache TomEE console vulnerable to Cross-site Scripting
The Apache TomEE console (tomee-webapp) has an XSS vulnerability which could allow JavaScript to be executed if the user is given a malicious URL. This web application is typically used to add TomEE features to a Tomcat installation. The TomEE bundles d…
[jquery] jQuery vulnerable to Cross-Site Scripting (XSS)
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
References
https://nvd.nist.gov/vuln/detail/CVE-2011-4969
h…
[org.jenkins-ci.main:jenkins-core] Cross-site Scripting in Jenkins Core
A cross-site scripting vulnerability exists in Jenkins 2.115 and older, LTS 2.107.1 and older, in confirmationList.jelly and stopButton.jelly that allows attackers with Job/Configure and/or Job/Create permission to create an item name containing JavaSc…
[org.biouno:uno-choice] Cross-site Scripting in Jenkins Active Choices plugin
Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the ‘Build With Parameters’ page through the ‘Active Choices Reactive Reference Parameter’ type. This could inc…
[com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent] Cross-site Scripting in wicket-jquery-ui
In wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-1325
https://markmail.org/message/6bxjyaolehhq7jrl
https://github.com…