Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2019-02-01 | CVE-2018-16491 | Injection vulnerability in Dreamerslab Node.Extend | A prototype pollution vulnerability was found in node.extend <1.1.7, ~<2.0.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | 9.8 |
2019-02-01 | CVE-2018-16490 | Injection vulnerability in Mpath Project Mpath | A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype. | 7.5 |
2019-02-01 | CVE-2018-16489 | Injection vulnerability in Just-Extend Project Just-Extend | A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its functions. | 9.8 |
2019-02-01 | CVE-2018-16486 | Injection vulnerability in Defaults-Deep Project Defaults-Deep | A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype. | 9.8 |
2019-01-25 | CVE-2019-6802 | Injection vulnerability in Python Pypiserver | CRLF Injection in pypiserver 1.2.5 and below allows attackers to set arbitrary HTTP headers and possibly conduct XSS attacks via a %0d%0a in a URI. | 6.1 |
2019-01-09 | CVE-2019-3498 | Injection vulnerability in multiple products | In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content. | 6.5 |
2018-12-20 | CVE-2018-16627 | Injection vulnerability in Getkirby Kirby 2.5.12 | panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature. | 6.1 |
2018-12-20 | CVE-2018-1000854 | Injection vulnerability in Esigate | esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution. | 9.8 |
2018-12-17 | CVE-2018-18250 | Injection vulnerability in Icinga web 2 | Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item. | 7.5 |
2018-12-17 | CVE-2018-20167 | Injection vulnerability in Enlightenment Terminology | Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used. | 7.8 |