#xss

A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the author parameter under the Create/Modify article function.

A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.

In PEAR HTTP_Request2 before 2.7.0, multiple files in the tests directory, notably tests/_network/getparameters.php and tests/_network/postparameters.php, reflect any GET or POST parameters, leading to XSS.

The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).

BidenCash dumps almost a million stolen credit card records on Russian forum, exposing card numbers, CVVs, and expiry dates in plain text with no cardholder names.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Growatt Equipment: Cloud Applications Vulnerabilities: Cross-site Scripting, Authorization Bypass Through User-Controlled Key, Insufficient Type Distinction, External Control of System or Configuration Setting 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to compromise confidentiality, achieve cross-site scripting, or code execution on affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Growatt products are affected: Growatt cloud portal: Versions prior to 3.6.0 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79 An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant. CVE-2025-30511 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has be...

Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.

### Summary Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of `event.url.searchParams` inside a server `load` function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL. ### Details SvelteKit tracks which parameters in `event.url.searchParams` are read inside server `load` functions. If the application iterates over the these parameters, the `uses.search_params` array included in the boot script (embedded in the server-rendered HTML) will have any search param name included in unsanitized form. `packages/kit/src/runtime/server/utils.js:150` has the `stringify_uses(node)` function which prints these out. ### Reproduction In a `+page.server.js` or `+layout.server.js`: ```js /** @type {import('@sveltejs/kit').Load} */ export function load(event) { const values = {}; for (const key of event.url.searchParams.keys()) { values[key] = event.url.searchParams.get(key); ...

### Summary gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top level domain with the target origin. ### Details gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the `r.URL.Scheme` value. However, this value is never populated for "server" requests [per the Go spec](https://pkg.go.dev/net/http#Request), and so this check does not run in practice. ``` // URL specifies either the URI being requested (for server // requests) or the URL to access (for client requests). // // For server requests, the URL is parsed from the URI // supplied on the Request-Line as stored in RequestURI. For // most requests, fields other than Path and RawQuery will be // empty. (See [RFC 7230, Section 5.3](https://rfc-editor.org/rfc/rfc7230.html#section-5.3)) // // For client r...

### Impact It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.