| CVE | Vendors | Products | Updated | CVSS v3.1 |
| XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even without the element being appended to the DOM. |
| In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application's UpdateMemento class accepts a serialized Java object directly from the user without properly validating it. An authenticated attacker can submit a malicious object to the server to execute commands on the underlying system. |
| In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception. |
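The TigerVNC entry above is a trust-policy bug rather than a parsing bug: accepting an exception for one server's certificate turned that certificate into a trusted authority, so anyone holding its private key could then sign a certificate for any other hostname and be accepted. The following is an added example, not TigerVNC code, that models only the trust decision: the `Cert` class is a constructed stand-in for X.509, and signature verification is assumed to be done by the TLS library and is not modelled. `AuthorityExceptions` mirrors the behaviour the advisory describes; `PinnedExceptions` is a hardened alternative that binds an exception to one host and one fingerprint.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields the trust
    decision looks at. Signature checks are assumed to happen in the TLS stack."""
    subject: str   # hostname the certificate is issued for
    issuer: str    # subject of the certificate that signed it
    pubkey: bytes  # stands in for the public key

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.pubkey).hexdigest()


def chain_to_anchor(chain: List[Cert], anchors: Dict[str, Cert]) -> bool:
    """Walk leaf -> issuers; succeed when some issuer is a stored anchor.
    (Real code would verify each signature against the issuer's key.)"""
    for i, cert in enumerate(chain):
        if cert.issuer in anchors:
            return True
        if i + 1 < len(chain) and chain[i + 1].subject == cert.issuer:
            continue
        return False
    return False


class AuthorityExceptions:
    """Pre-1.11.0 behaviour as described in the advisory: the certificate the
    user accepted is stored as a trusted authority, so anything chaining to it
    is trusted for any hostname."""

    def __init__(self, roots: List[Cert]):
        self.anchors = {c.subject: c for c in roots}

    def add_exception(self, host: str, cert: Cert) -> None:
        self.anchors[cert.subject] = cert   # host is ignored: cert becomes a CA

    def accepts(self, host: str, chain: List[Cert]) -> bool:
        return chain[0].subject == host and chain_to_anchor(chain, self.anchors)


class PinnedExceptions:
    """Hardened policy: an exception trusts exactly one leaf certificate for
    exactly one host, and never changes the authority set."""

    def __init__(self, roots: List[Cert]):
        self.anchors = {c.subject: c for c in roots}
        self.pins: Set[Tuple[str, str]] = set()

    def add_exception(self, host: str, cert: Cert) -> None:
        self.pins.add((host, cert.fingerprint))

    def accepts(self, host: str, chain: List[Cert]) -> bool:
        leaf = chain[0]
        if (host, leaf.fingerprint) in self.pins:
            return True
        return leaf.subject == host and chain_to_anchor(chain, self.anchors)


# Constructed certificates for the scenario (hypothetical names and keys).
ROOT = Cert("Public Root CA", "Public Root CA", b"root-key")
ATTACKER_SELF = Cert("attacker.example", "attacker.example", b"attacker-key")
# The attacker controls attacker-key, so they can sign a leaf for any name.
FORGED_VICTIM = Cert("victim.example", "attacker.example", b"forged-key")
REAL_VICTIM = Cert("victim.example", "Public Root CA", b"victim-key")


def impersonation_succeeds(policy_cls) -> bool:
    """User once accepted attacker.example's self-signed cert; later, with the
    attacker in the middle, they connect to victim.example and are shown a
    chain rooted in that excepted certificate."""
    policy = policy_cls([ROOT])
    policy.add_exception("attacker.example", ATTACKER_SELF)
    return policy.accepts("victim.example", [FORGED_VICTIM, ATTACKER_SELF])


def legitimate_cases(policy_cls) -> Tuple[bool, bool]:
    """Both policies must still accept the excepted host itself and a
    properly root-signed certificate for the victim."""
    policy = policy_cls([ROOT])
    policy.add_exception("attacker.example", ATTACKER_SELF)
    return (policy.accepts("attacker.example", [ATTACKER_SELF]),
            policy.accepts("victim.example", [REAL_VICTIM]))


if __name__ == "__main__":
    for cls in (AuthorityExceptions, PinnedExceptions):
        print(cls.__name__, "impersonated:", impersonation_succeeds(cls),
              "legit:", legitimate_cases(cls))
```

The two policies behave identically on legitimate connections; they differ only when the excepted key is used to sign something else, which is exactly the case the advisory describes.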
| http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. |
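The http.client entry above is concrete enough to reproduce offline. The following is an added example, not CPython's code: it rebuilds the request line the same way http.client formats it (`'%s %s %s'` joined with CRLF) to show what a CRLF-bearing method string puts on the wire, then applies a control-character check mirroring the validation the fixed versions perform. `MALICIOUS_METHOD` is constructed attacker input; the `.invalid` hostname in the probe is a reserved name chosen so that an unpatched interpreter fails on DNS rather than sending anything.

```python
import re
import http.client

# Constructed attacker input: CRLFs inside the "method" end the request line
# early, add a header, and start a second request line.
MALICIOUS_METHOD = "GET /internal HTTP/1.1\r\nX-Injected: yes\r\nGET"


def build_request_line_unvalidated(method, url="/", version="HTTP/1.1"):
    """Same formatting http.client uses for the request line; with no check
    on `method`, embedded CR/LF become extra lines on the wire."""
    return f"{method} {url} {version}\r\n"


def wire_lines(raw):
    """Split the buffered bytes into the lines a server would parse."""
    return raw.split("\r\n")[:-1]


# Control characters (0x00-0x1F) are never legal in an HTTP method token.
_DISALLOWED_METHOD_CHARS = re.compile(r"[\x00-\x1f]")


def validate_method(method):
    match = _DISALLOWED_METHOD_CHARS.search(method)
    if match:
        raise ValueError(f"method can't contain control characters. {method!r} "
                         f"(found at least {match.group()!r})")


def build_request_line(method, url="/", version="HTTP/1.1"):
    """Hardened version: reject before formatting, as the fixed versions do."""
    validate_method(method)
    return f"{method} {url} {version}\r\n"


def is_rejected(method):
    try:
        build_request_line(method)
    except ValueError:
        return True
    return False


def installed_http_client_is_patched():
    """Probe the running interpreter: a fixed http.client raises ValueError
    from HTTPConnection.request() before opening a socket. On an unpatched
    interpreter the request is accepted and connecting to the reserved
    .invalid host fails with an OSError instead."""
    conn = http.client.HTTPConnection("example.invalid")
    try:
        conn.request(MALICIOUS_METHOD, "/")
    except ValueError:
        return True
    except OSError:
        return False
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    for line in wire_lines(build_request_line_unvalidated(MALICIOUS_METHOD)):
        print(repr(line))
    print("rejected by validator:", is_rejected(MALICIOUS_METHOD))
    print("running http.client is patched:", installed_http_client_is_patched())
```

The practical check is that the method string is never taken verbatim from a request parameter; if it must be, allow-list the handful of methods the application actually uses rather than relying on the library's rejection of control characters alone.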
| cPanel before 90.0.10 allows self XSS via the Cron Editor interface (SEC-574). |
| cPanel before 90.0.10 allows self XSS via the Cron Jobs interface (SEC-573). |
| cPanel before 90.0.10 allows self XSS via WHM Manage API Tokens interfaces (SEC-569). |
| The email quota cache in cPanel before 90.0.10 allows overwriting of files. |
| cPanel before 90.0.10 allows self XSS via the WHM Edit DNS Zone interface (SEC-566). |
| cPanel before 88.0.13 allows self XSS via DNS Zone Manager DNSSEC interfaces (SEC-564). |
| cPanel before 88.0.13 allows bypass of a protection mechanism that attempted to restrict package modification (SEC-557). |
| cPanel before 88.0.13 mishandles file-extension dispatching, leading to code execution (SEC-488). |
| cPanel before 88.0.3, upon an upgrade, establishes predictable PowerDNS API keys (SEC-561). |
| cPanel before 88.0.3 has weak permissions (world readable) for the proxy subdomains log file (SEC-558). |
| In cPanel before 88.0.3, insecure chkservd test credentials are used on a templated VM (SEC-554). |
| In cPanel before 88.0.3, an insecure SRS secret is used on a templated VM (SEC-552). |
| In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551). |
| In cPanel before 88.0.3, an insecure auth policy API key is used by Dovecot on a templated VM (SEC-550). |
| In cPanel before 88.0.3, insecure RNDC credentials are used for BIND on a templated VM (SEC-549). |
| chsh in cPanel before 88.0.3 allows a Jailshell escape (SEC-497). |