Vulnerabilities (CVE)

Filtered by vendor Dart Subscribe
Total 13 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-3095 2 Dart, Flutter 2 Dart Software Development Kit, Flutter 2024-11-21 N/A 9.8 CRITICAL
The implementation of backslash parsing in the Dart URI class for versions prior to 2.18 and Flutter versions prior to 3.30 differs from the WhatWG URL standards. Dart uses the RFC 3986 syntax, which creates incompatibilities with the '\' characters in URIs, which can lead to auth bypass in webapps interpreting URIs. We recommend updating Dart or Flutter to mitigate the issue.
CVE-2022-0451 1 Dart 1 Dart Software Development Kit 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
Dart SDK contains the HTTPClient in dart:io library whcih includes authorization headers when handling cross origin redirects. These headers may be explicitly set and contain sensitive information. By default, HttpClient handles redirection logic. If a request is sent to example.com with authorization header and it redirects to an attackers site, they might not expect attacker site to receive authorization header. We recommend updating the Dart SDK to version 2.16.0 or beyond.
CVE-2021-22568 1 Dart 1 Dart Software Development Kit 2024-11-21 6.0 MEDIUM 8.8 HIGH
When using the dart pub publish command to publish a package to a third-party package server, the request would be authenticated with an oauth2 access_token that is valid for publishing on pub.dev. Using these obtained credentials, an attacker can impersonate the user on pub.dev. We recommend upgrading past https://github.com/dart-lang/sdk/commit/d787e78d21e12ec1ef712d229940b1172aafcdf8 or beyond version 2.15.0
CVE-2021-22567 1 Dart 1 Dart Software Development Kit 2024-11-21 3.5 LOW 4.6 MEDIUM
Bidirectional Unicode text can be interpreted and compiled differently than how it appears in editors which can be exploited to get nefarious code passed a code review by appearing benign. An attacker could embed a source that is invisible to a code reviewer that modifies the behavior of a program in unexpected ways.
CVE-2021-22540 1 Dart 1 Dart Software Development Kit 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2020-8923 1 Dart 1 Dart Software Development Kit 2024-11-21 4.3 MEDIUM 5.4 MEDIUM
An improper HTML sanitization in Dart versions up to and including 2.7.1 and dev versions 2.8.0-dev.16.0, allows an attacker leveraging DOM Clobbering techniques to skip the sanitization and inject custom html/javascript (XSS). Mitigation: update your Dart SDK to 2.7.2, and 2.8.0-dev.17.0 for the dev version. If you cannot update, we recommend you review the way you use the affected APIs, and pay special attention to cases where user-provided data is used to populate DOM nodes. Consider using Element.innerText or Node.text to populate DOM elements.
CVE-2020-35669 1 Dart 1 Http 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request.
CVE-2014-125098 1 Dart 1 Http Server 2024-11-21 5.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in Dart http_server up to 0.9.5 and classified as problematic. Affected by this issue is the function VirtualDirectory of the file lib/src/virtual_directory.dart of the component Directory Listing Handler. The manipulation of the argument request.uri.path leads to cross site scripting. The attack may be launched remotely. Upgrading to version 0.9.6 is able to address this issue. The name of the patch is 27c1cbd8125bb0369e675eb72e48218496e48ffb. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225356.
CVE-2012-5389 1 Dart 1 Powertcp Webserver For Activex 2024-11-21 5.0 MEDIUM 7.5 HIGH
NULL Pointer Dereference in PowerTCP WebServer for ActiveX 1.9.2 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted HTTP request.
CVE-2012-3819 1 Dart 1 Powertcp Activex 2024-11-21 5.0 MEDIUM N/A
Stack consumption vulnerability in dartwebserver.dll 1.9 and earlier, as used in Dart PowerTCP WebServer for ActiveX and other products, allows remote attackers to cause a denial of service (daemon crash) via a long request.
CVE-2008-4652 1 Dart 1 Powertcp Ftp For Activex 2024-11-21 9.3 HIGH N/A
Buffer overflow in the ActiveX control (DartFtp.dll) in Dart Communications PowerTCP FTP for ActiveX 2.0.2 0 allows remote attackers to execute arbitrary code via a long SecretKey property.
CVE-2007-2856 2 Dart, Microsoft 2 Powertcp Zip Compression, Internet Explorer 2024-11-21 9.3 HIGH N/A
Buffer overflow in the Dart Communications PowerTCP ZIP Compression ActiveX control in DartZip.dll 1.8.5.3, when Internet Explorer 6 is used, allows user-assisted remote attackers to execute arbitrary code via a long first argument to the QuickZip function, a related issue to CVE-2007-2855.
CVE-2007-2855 1 Dart 1 Dart Ziplite Compression 2024-11-21 9.3 HIGH N/A
Buffer overflow in a certain ActiveX control in DartZipLite.dll 1.8.5.3 in Dart ZipLite Compression for ActiveX allows user-assisted remote attackers to execute arbitrary code via a long first argument to the QuickZip function, a related issue to CVE-2007-2856.