Page 6 of 85 results (0.018 seconds)

CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0

Access Bypass vulnerability in Drupal Core allows for an attacker to leverage the way that HTML is rendered for affected forms in order to exploit the vulnerability. This issue affects: Drupal Core 8.8.x versions prior to 8.8.10; 8.9.x versions prior to 8.9.6; 9.0.x versions prior to 9.0.6. Una vulnerabilidad de Omisión de Acceso en Drupal Core permite que un atacante aproveche la forma en que es renderizado el HTML de los formularios afectados para explotar la vulnerabilidad. Este problema afecta a: Drupal Core versiones 8.8.x anteriores a 8.8.10; versiones 8.9.x anteriores a 8.9.6; versiones 9.0.x anteriores a 9.0.6 • https://www.drupal.org/sa-core-2020-009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.2EPSS: 0%CPEs: 21EXPL: 0

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2 https://www.drupal.org/sa-core-2021-011 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpujul2022.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.2EPSS: 0%CPEs: 23EXPL: 0

CKEditor4 is an open source WYSIWYG HTML editor. In affected versions a vulnerability has been discovered in the Advanced Content Filter (ACF) module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. • https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-417 https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-pvmx-g8h5-cprj https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VR76VBN5GW5QUBJFHVXRX36UZ6YTCMW6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOZGMCYDB2OKKULFXZKM6V7JJW4ZZHJP https://www.drupal.org/sa-core-2021-011 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/secur • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 53EXPL: 1

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://github.com/gabrielolivra/Exploit-Medium-CVE-2021-41184 https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280 https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 https://lists.fedoraproject.org/archives/list • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 54EXPL: 1

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources. jQuery-UI es la biblioteca oficial de interfaz de usuario de jQuery. • https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released https://bugs.jqueryui.com/ticket/15284 https://github.com/jquery/jquery-ui/pull/1953 https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4 https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3 https://list • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •