CVSS: 6.5EPSS: 0%CPEs: 22EXPL: 0CVE-2021-43797 – HTTP fails to validate against control chars in header names which may lead to HTTP request smuggling
https://notcve.org/view.php?id=CVE-2021-43797
09 Dec 2021 — Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used ... • https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 8.2EPSS: 0%CPEs: 21EXPL: 0CVE-2021-41165 – HTML comments vulnerability allowing to execute JavaScript code
https://notcve.org/view.php?id=CVE-2021-41165
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 0%CPEs: 23EXPL: 0CVE-2021-41164 – Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
https://notcve.org/view.php?id=CVE-2021-41164
17 Nov 2021 — CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 33%CPEs: 72EXPL: 1CVE-2021-41182 – XSS in the `altField` option of the Datepicker widget
https://notcve.org/view.php?id=CVE-2021-41182
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 3%CPEs: 54EXPL: 1CVE-2021-41183 – XSS in `*Text` options of the Datepicker widget
https://notcve.org/view.php?id=CVE-2021-41183
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 40%CPEs: 53EXPL: 1CVE-2021-41184 – XSS in the `of` option of the `.position()` util
https://notcve.org/view.php?id=CVE-2021-41184
26 Oct 2021 — jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-35609
https://notcve.org/view.php?id=CVE-2021-35609
20 Oct 2021 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: SQR). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.5 (Confidential... • https://www.oracle.com/security-alerts/cpuoct2021.html •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-35595
https://notcve.org/view.php?id=CVE-2021-35595
20 Oct 2021 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Business Interlink). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact addit... • https://www.oracle.com/security-alerts/cpuoct2021.html •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-35568
https://notcve.org/view.php?id=CVE-2021-35568
20 Oct 2021 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Rich Text Editor). Supported versions that are affected are 8.57, 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additio... • https://www.oracle.com/security-alerts/cpuoct2021.html •
CVSS: 7.5EPSS: 0%CPEs: 38EXPL: 0CVE-2021-37136 – netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
https://notcve.org/view.php?id=CVE-2021-37136
19 Oct 2021 — The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack La función Bzip2 decompression decoder no permite establecer restricciones de tamaño en los datos de salida descomprimidos (lo que afecta al tamaño de asignación usado durante la descompresión). Todos los usuarios de Bzip2Decoder están ... • https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv • CWE-400: Uncontrolled Resource Consumption •