Page 5 of 80 results (0.011 seconds)

CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0

CVE-2021-22940 – nodejs: Use-after-free on close http2 on stream canceling

https://notcve.org/view.php?id=CVE-2021-22940

Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. Node.js versiones anteriores a 16.6.1, 14.17.5 y 12.22.5, es vulnerable a un ataque de uso de memoria previamente liberada donde un atacante podría ser capaz de explotar la corrupción de memoria para cambiar el comportamiento del proceso. A flaw was found in Node.js, where it is vulnerable to a use-after-free attack. This flaw allows an attacker to exploit memory corruption to change process behavior. The highest threat from this vulnerability is to confidentiality and integrity. • https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf https://hackerone.com/reports/1238162 https://lists.debian.org/debian-lts-announce/2022/10/msg00006.html https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases https://security.gentoo.org/glsa/202401-02 https://security.netapp.com/advisory/ntap-20210923-0001 https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://www.oracle.com/security-alerts/cpuoct2021& • CWE-416: Use After Free •

CVSS: 7.3EPSS: 0%CPEs: 18EXPL: 0

CVE-2021-37695 – Execution of JavaScript code using malformed HTML in ckeditor

https://notcve.org/view.php?id=CVE-2021-37695

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version < 4.16.2. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW https://lists.fedoraproject.org/archives/list/package-announce%40lists& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 15EXPL: 0

CVE-2021-32809 – Arbitrary HTML injection vulnerability in ckeditor

https://notcve.org/view.php?id=CVE-2021-32809

ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The vulnerability allowed to abuse paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It affects all users using the CKEditor 4 plugins listed above at version >= 4.5.2. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.6EPSS: 0%CPEs: 20EXPL: 0

CVE-2021-32808 – Cross-site scripting in ckeditor via abuse of undo functionality

https://notcve.org/view.php?id=CVE-2021-32808

ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing JavaScript code. It affects all users using the CKEditor 4 plugins listed above at version >= 4.13.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/releases/tag/4.16.2 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UVOYN2WKDPLKCNILIGEZM236ABQASLGW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAGNWHFIQAVCP537KFFS2A2GDG66J7XD https://www.oracle.com/security& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0

CVE-2021-31799 – rubygem-rdoc: Command injection vulnerability in RDoc

https://notcve.org/view.php?id=CVE-2021-31799

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. En RDoc versiones 3.11 hasta 6.x versiones anteriores a 6.3.1, como se distribuye con Ruby versiones hasta 3.0.1, es posible ejecutar código arbitrario por medio de | y etiquetas en un nombre de archivo An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the privileges of the user running rdoc. • https://lists.debian.org/debian-lts-announce/2021/10/msg00009.html https://security-tracker.debian.org/tracker/CVE-2021-31799 https://security.gentoo.org/glsa/202401-05 https://security.netapp.com/advisory/ntap-20210902-0004 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc https://access.redhat.com/security/cve/CVE-2021-31799 https://bugzilla.redhat.com/show_bug.cgi?id=1980132 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •