CVE-2021-23450 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2021-23450
All versions of package dojo are vulnerable to Prototype Pollution via the setObject function. Todas las versiones del paquete dojo son vulnerables a la Contaminación de Prototipos por medio de la función setObject • https://github.com/dojo/dojo/blob/4c39c14349408fc8274e19b399ffc660512ed07c/_base/lang.js%23L172 https://lists.debian.org/debian-lts-announce/2023/01/msg00030.html https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2313036 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2313035 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBDOJO-2313034 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2313033 https://snyk.io/vuln/SNYK-JS-DOJO-1535223 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.o • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVE-2021-41184 – XSS in the `of` option of the `.position()` util
https://notcve.org/view.php?id=CVE-2021-41184
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184 https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 https://lists.fedoraproject.org/archives/list • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41182 – XSS in the `altField` option of the Datepicker widget
https://notcve.org/view.php?id=CVE-2021-41182
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released https://github.com/jquery/jquery-ui/pull/1954/commits/6809ce843e5ac4128108ea4c15cbc100653c2b63 https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 https://lists.fedoraproj • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-42575 – owasp-java-html-sanitizer: improper policies enforcement may lead to remote code execution
https://notcve.org/view.php?id=CVE-2021-42575
The OWASP Java HTML Sanitizer before 20211018.1 does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements. OWASP Java HTML Sanitizer versiones anteriores a 20211018.1, no aplica apropiadamente las políticas asociadas a los elementos SELECT, STYLE y OPTION • https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50 https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2021-42575 https://bugzilla.redhat.com/show_bug.cgi?id=2027195 • CWE-20: Improper Input Validation •
CVE-2021-38153 – Timing Attack Vulnerability for Apache Kafka Connect and Clients
https://notcve.org/view.php?id=CVE-2021-38153
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0. Algunos componentes de Apache Kafka usan "Arrays.equals" para comprender una contraseña o clave, lo cual es vulnerable a ataques de tiempo que hacen que los ataques de fuerza bruta para dichas credenciales tengan más probabilidades de éxito. Los usuarios deben actualizar a la versión 2.8.1 o superior, o a la 3.0.0 o superior, donde se ha corregido esta vulnerabilidad. • https://kafka.apache.org/cve-list https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r26390c8b09ecfa356582d665b0c01f4cdcf16ac047c85f9f9f06a88c%40%3Cusers.kafka.apache.org%3E https://lists.apache.org/thread.html/r35322aec467ddae34002690edaa4d9f16e7df9b5bf7164869b75b62c%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r45cc0602d5f2cbb72e48896dfadf5e5b87ed85630449598b40e8f0be%40%3Cdev.kafka.apache.org%3E https://lists.apache.org/thread.html/r45c • CWE-203: Observable Discrepancy CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •