software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
CVE-2020-11022: XSS in jQuery via htmlPrefilter
CVE-2020-11022 lets attacker-controlled HTML bypass sanitization via jQuery's htmlPrefilter, enabling XSS in versions before 3.5.0. Impact, timeline, and fixes.
CVE-2020-11023: XSS in jQuery option/script tag handling
CVE-2020-11023 let untrusted HTML with option tags bypass sanitization in jQuery's DOM methods, enabling XSS. Here's the fix, timeline, and remediation.
CVE-2015-9251: jQuery cross-domain AJAX XSS
CVE-2015-9251 lets attackers exploit jQuery's cross-domain AJAX handling to run arbitrary script. Learn affected versions, risk context, and fixes.
CVE-2022-21681: Second ReDoS flaw in marked
CVE-2022-21681 is a ReDoS flaw in marked's inline tokenizer that lets crafted Markdown hang parsing. What's affected, severity, and how to remediate.
CVE-2024-37890: Denial of service in ws WebSocket library
CVE-2024-37890 lets attackers crash Node.js servers running vulnerable ws WebSocket versions with a single crafted request. Here's what's affected and how to fix it.
CVE-2021-3807: ReDoS in ansi-regex
A ReDoS flaw in the widely-depended-on ansi-regex npm package could hang Node.js processes on crafted input. Here's what's affected and how to fix it.
CVE-2022-24999: Prototype pollution / DoS in qs querystri...
CVE-2022-24999 exposes a prototype pollution and denial-of-service flaw in the qs querystring library used across the Node.js ecosystem.
CVE-2023-37466: Remote code execution via vm2 sandbox escape
A critical vm2 sandbox escape (CVE-2023-37466) lets untrusted JavaScript break out to achieve remote code execution on the host Node.js process.
CVE-2019-19844: Django password reset token weakness
CVE-2019-19844 let attackers hijack Django accounts by exploiting how case-sensitive email matching broke the base36 password reset token flow.
CVE-2021-33203: Path traversal via Django admindocs
CVE-2021-33203 let authenticated Django staff users traverse outside admindocs' template directory. Here's what's affected, real severity context, and how to remediate.
CVE-2018-6188: User enumeration in Django password reset
A timing difference in Django password resets let attackers confirm valid emails via response latency. CVE-2018-6188 impact, fix versions, and remediation.
CVE-2023-32681: requests leaks Proxy-Authorization on red...
A malicious proxy could capture Proxy-Authorization credentials from Python's requests library when redirects crossed to HTTPS, before v2.31.0.