| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. |
| Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. |
| Plone though 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. |
| Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. |
| Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. |
| Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. |
| Zope Products.CMFCore before 2.5.1 and Products.PluggableAuthService before 2.6.2, as used in Plone through 5.2.4 and other products, allow Reflected XSS. |
| jitsi-meet-prosody in Jitsi Meet before 2.0.5963-1 does not ensure that restrict_room_creation is set by default. This can allow an attacker to circumvent conference moderation. |
| A local malicious user can circumvent the Falco detection engine through 0.28.1 by running a program that alters arguments of system calls being executed. Issue is fixed in Falco versions >= 0.29.1. |
| Couchbase Server before 7.1.0 has Incorrect Access Control. |
| An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. |
| The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs. |
| Overwolf Client 0.169.0.22 allows XSS, with resultant Remote Code Execution, via an overwolfstore:// URL. |
| PuTTY before 0.75 on Windows allows remote servers to cause a denial of service (Windows GUI hang) by telling the PuTTY window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. NOTE: the same attack methodology may affect some OS-level GUIs on Linux or other platforms for similar reasons. |
| Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 2 of 2). |
| Pexip Infinity before 26 allows remote denial of service because of missing H.264 input validation (issue 1 of 2). |
| Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for deleting files. |
| Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view. |
| OX App Suite 7.10.5 allows XSS via an OX Chat system message. |
| OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. |