#xss

### Impact When importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

### Impact Affected versions of yiisoft/yii are vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. ### Patches Upgrade yiisoft/yii to version 1.1.31 or higher. ### References - [Git commit](https://github.com/yiisoft/yii/commit/d386d737861c9014269b7ed8c36c65eadb387368) If you have any questions or comments about this advisory, [contact us through security form](https://www.yiiframework.com/security).

### Impact A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this attack. ### Reported by James Nicoll from Fujitsu Cyber ### References - https://www.silverstripe.org/download/security-releases/cve-2025-30148

An elemental block can include an XSS payload, which can be executed when viewing the "Content blocks in use" report. The vulnerability is specific to that report and is a result of failure to cast input prior to including it in the grid field. ### References - https://www.silverstripe.org/download/security-releases/CVE-2025-25197

### Summary In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. ### Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. ### PoC https://gist.github.com/linhnph05/03d677b183636af206ff781bdd19701a ### Impact 1. Redirect user to another phishing site 2. Make request to another endpoint of the application based on user's cookie 3. Steal user's cookie

## Summary Due to a weak Content Security Policy on the `/proxy/*` route, an attacker can bypass the CSP of the media proxy and execute cross-site scripting when opening external images in a new tab/window. ## Impact A malicious feed added to Miniflux can execute arbitrary JavaScript in the user's browser when opening external resources, such as proxified images, in a new tab or window. ## Mitigation The CSP for the media proxy has been changed from `default-src 'self'` to `default-src 'none'; form-action 'none'; sandbox;`. Upgrade to Miniflux >= 2.2.7 ## Credit [RyotaK](https://ryotak.net) (GMO Flatt Security Inc.) with [takumi-san.ai](https://takumi-san.ai)

All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag.

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: TRMTracker Vulnerabilities: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'), Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute limited remote commands, poison web-cache, or disclose and modify sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products are affected: TRMTracker: Versions 6.2.04 and prior TRMTracker: Versions 6.3.0 and 6.3.01 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') CWE-90 The TRMTracker web application is vulnerable to LDAP injection attack potentially allowing an att...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: B&R Equipment: APROL Vulnerabilities: Inclusion of Functionality from Untrusted Control Sphere, Incomplete Filtering of Special Elements, Improper Control of Generation of Code ('Code Injection'), Improper Handling of Insufficient Permissions or Privileges , Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function, Exposure of Sensitive System Information to an Unauthorized Control Sphere, Exposure of Data Element to Wrong Session, Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), External Control of File Name or Path, Incorrect Permission Assignment for Critical Resource 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute commands, elevate privileges, gather sensitive information, or alter the product. 3. TECHNICAL DETA...