Safeguard
Topic

Vulnerabilities

In-depth guides and analysis on vulnerabilities from the Safeguard engineering team.

71 articles

Vulnerabilities

jQuery 3.5.1 Vulnerabilities: What Was Actually Fixed

jQuery 3.5.1 closed a second cross-site scripting hole in the htmlPrefilter regex that 3.5.0 had only partially patched — here's exactly what changed and why old jQuery bundles still trip scanners.

Mar 14, 20245 min read
Vulnerabilities

XSS Attack Explained: How Cross-Site Scripting Works

An XSS attack lets an attacker run their JavaScript in your users' browsers. Here is how cross-site scripting works, the three types, and how to stop it.

Mar 12, 20247 min read
Vulnerabilities

XXE Attacks Explained: XML External Entity Injection

How an XXE attack turns a trusting XML parser into a file-reading, request-forging liability, with a concrete Java example and the parser flags that shut it down.

Mar 12, 20246 min read
Vulnerabilities

Apache Struts 2 Vulnerabilities: A History Worth Knowing

Apache Struts 2 has produced some of the most damaging vulnerabilities in web application history, including the flaw behind the Equifax breach. Here's what happened and why it keeps happening.

Mar 11, 20245 min read
Vulnerabilities

CVE-2023-4807: The OpenSSL POLY1305 Flaw on Windows

A cryptographic MAC that silently trashes CPU registers: why CVE-2023-4807 only bites Windows builds of OpenSSL, what it can actually do, and which releases fix it.

Feb 27, 20245 min read
Vulnerabilities

jQuery 1.10.2 Vulnerabilities: Should You Still Worry?

jQuery 1.10.2, released in 2013, predates the fixes for three well-documented CVEs — CVE-2015-9251, CVE-2019-11358, and CVE-2020-11022/11023 — which means yes, it's genuinely still worth worrying about.

Feb 20, 20246 min read
Vulnerabilities

Nginx 1.20.1 Vulnerabilities: What to Patch

Nginx 1.20.1 fixed a real, exploitable DNS resolver bug — if you're still running an older 1.20.x or 1.19.x build, here's what the fix addressed and why it matters.

Feb 19, 20244 min read
Vulnerabilities

Notable CVEs of 2022: A Practitioner's Roundup

CVE-2022-31160 and a run of recursion-based denial-of-service bugs made 2022 a year defined less by exotic exploits and more by parsers that never expected deeply nested input.

Feb 14, 20245 min read
Vulnerabilities

The Spring Shell Vulnerability: What Happened

Spring4Shell (CVE-2022-22965) let attackers achieve remote code execution through Spring's data-binding mechanism — here's what made it exploitable and what actually needed patching.

Jan 30, 20244 min read
Vulnerabilities

Notable CVEs of 2023: A Practitioner's Roundup

From an OpenSSL IV-truncation flaw to a critical Babel code-execution bug, 2023's CVE crop is a good reminder that severity and blast radius don't always line up.

Jan 30, 20246 min read
Vulnerabilities

libwebp and CVE-2023-4863: The Full Story

A heap buffer overflow in libwebp's lossless decoder, exploited in the wild before a patch existed, turned out to affect far more software than the browser it was first reported in.

Jan 24, 20245 min read
Vulnerabilities (Page 6) — Supply Chain Security Blog | Safeguard