CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

CVE-2023-6905

CVE-2023-6903

CVE-2023-6904

CVE-2023-3907

A Cross Site Scripting (XSS) vulnerability exists in DanPros htmly 2.8.1 via the Description field in (1) admin/config, and (2) index.php pages.

Vulnerabilty found in HTMLy v2.8.1 by "HAXSS" a Reinforcement Learning Agent for Cross Site Scripting (XSS) testing.

**Description:**

The "Description" field of the "/admin/config" page of htmly 2.8.1 is subject to a Cross Site Scripting (XSS) vulnerability. This allows malicious users to send an authenticated POST HTTP request to inject JavaScript or HTML.

**Known Payloads:**

*   </body><body onmouseover=alert(1455055833)></body>

**Steps to Reproduce:**

1\. Log into the admin pannel ('/login').

2\. Use the dashboard to navigate to the config page ('/admin/config')

3\. Edit the "Description" field on the page to a malicious payload

![](http://rlsec.xyz/vulns/images/htmly_1.png)

![](http://rlsec.xyz/vulns/images/htmly_2.png)

4\. Save the settings

5\. Navigate to the home page '/' and the vulnerability is shown

![](http://rlsec.xyz/vulns/images/htmly_3.png)

Headline

CVE-2021-42867: CVE-2021-42967: HTMLy 2.8.1 XSS vulnerability

CVE: Latest News