Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

DATE CVE VULNERABILITY TITLE RISK
2019-02-01 CVE-2018-16490 Injection vulnerability in Mpath Project Mpath
A prototype pollution vulnerability was found in module mpath <0.5.1 that allows an attacker to inject arbitrary properties onto Object.prototype.
network
low complexity
mpath-project CWE-74
5.0
2019-02-01 CVE-2018-16489 Injection vulnerability in Just-Extend Project Just-Extend
A prototype pollution vulnerability was found in just-extend <4.0.0 that allows an attacker to inject properties onto Object.prototype through its functions.
network
low complexity
just-extend-project CWE-74
7.5
2019-02-01 CVE-2018-16486 Injection vulnerability in Defaults-Deep Project Defaults-Deep
A prototype pollution vulnerability was found in defaults-deep <=0.2.4 that would allow a malicious user to inject properties onto Object.prototype.
network
low complexity
defaults-deep-project CWE-74
7.5
2019-01-09 CVE-2019-3498 Injection vulnerability in multiple products
In Django 1.11.x before 1.11.18, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, an Improper Neutralization of Special Elements in Output Used by a Downstream Component issue exists in django.views.defaults.page_not_found(), leading to content spoofing (in a 404 error page) if a user fails to recognize that a crafted URL has malicious content.
6.5
2018-12-20 CVE-2018-16627 Injection vulnerability in Getkirby Kirby 2.5.12
panel/login in Kirby v2.5.12 allows Host header injection via the "forget password" feature.
network
getkirby CWE-74
5.8
2018-12-20 CVE-2018-1000854 Injection vulnerability in Esigate
esigate.org esigate version 5.2 and earlier contains a CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in ESI directive with user specified XSLT that can result in Remote Code Execution.
network
low complexity
esigate CWE-74
7.5
2018-12-17 CVE-2018-18250 Injection vulnerability in Icinga Web 2
Icinga Web 2 before 2.6.2 allows parameters that break navigation dashlets, as demonstrated by a single '$' character as the Name of a Navigation item.
network
low complexity
icinga CWE-74
5.0
2018-12-17 CVE-2018-20167 Injection vulnerability in Enlightenment Terminology
Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used.
6.8
2018-12-12 CVE-2018-1474 Injection vulnerability in IBM BigFix Platform
IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input.
network
ibm CWE-74
4.3
2018-12-07 CVE-2018-1896 Injection vulnerability in IBM Connections 5.0/5.5/6.0
IBM Connections 5.0, 5.5, and 6.0 is vulnerable to possible host header injection attack that could cause navigation to the attacker's domain.
network
ibm CWE-74
3.5