CVE-2021-23562 – Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2021-23562
This affects the package plupload before 2.3.9. A file name containing JavaScript code could be uploaded and run. An attacker would need to trick a user into uploading this kind of file.
References:
https://github.com/moxiecode/plupload/blob/master/js/jquery.plupload.queue/jquery.plupload.queue.js%23L226
https://github.com/moxiecode/plupload/commit/d12175d4b5fa799b994ee1bb17bfbeec55b386fb
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-2306665
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-2306663
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBMOXIECODE-2306664
https://snyk.io/vuln/SNYK-JS-PLUPLOAD-1583909
Weakness: CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2021-37573 – Tiny Java Web Server 1.115 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2021-37573
A reflected cross-site scripting (XSS) vulnerability in the web server Tiny Java Web Server and Servlet Container (TJWS) 1.115 and earlier allows an adversary to inject malicious code into the server's "404 Page not Found" error page.
References:
http://packetstormsecurity.com/files/163825/Tiny-Java-Web-Server-1.115-Cross-Site-Scripting.html
http://seclists.org/fulldisclosure/2021/Aug/13
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-042.txt
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-36438
https://notcve.org/view.php?id=CVE-2020-36438
An issue was discovered in the tiny_future crate before 0.4.0 for Rust. Future<T> does not have bounds on its Send and Sync traits.
References:
https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/tiny_future/RUSTSEC-2020-0118.md
https://rustsec.org/advisories/RUSTSEC-2020-0118.html
Weakness: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2020-35884
https://notcve.org/view.php?id=CVE-2020-35884
An issue was discovered in the tiny_http crate through 2020-06-16 for Rust. HTTP request smuggling can occur via a malformed Transfer-Encoding header.
References:
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M3JDNRE5RXJOWZZZF5QSCG4GUCSLTHF2
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VO6SRTCEPEYO2OX647I3H5XUWLFDRDWL
https://rustsec.org/advisories/RUSTSEC-2020-0031.html
Weakness: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2020-7724 – Prototype Pollution
https://notcve.org/view.php?id=CVE-2020-7724
All versions of the package tiny-conf are vulnerable to prototype pollution via the set function.
References:
https://snyk.io/vuln/SNYK-JS-TINYCONF-598792
Weakness: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')