Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-chj5-8wxj-rxg8: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.

ghsa
Open in Source
#xss#git
GHSA-qjmx-q5m4-xqf5: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.

GHSA-3g79-j8hq-r4xv: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field.

GHSA-mfp5-vh58-3j3r: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.

GHSA-gx82-jm5q-gfw2: Cross-site Scripting in OpenCRX

OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field.

CVE-2023-44796: Fixed issue [security] #19099: XSS vulnerability caused by themeOptions/importManifest by Shnoulle · Pull Request #3483 · LimeSurvey/LimeSurvey

Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component.

GHSA-8phr-637g-pxrg: LibreNMS Cross-site Scripting at Device groups Deletion feature

### Summary XSS attacks occurs when application is not sanitising inputs properly and rendering the code from user input to browser which could allow an attacker to execute malicious javascript code. ### PoC 1. Login 2. Create a device group in /device-groups 3. Name it as `"><img src=x onerror=alert(1);>` 4. save it 5. Go to services and create a service template and add that device group into that and save it 6. After that go back to device groups and delete that device, you will see XSS payload popup in message <img width="1043" alt="Screenshot 2023-11-08 at 9 15 56 PM" src="https://user-images.githubusercontent.com/31764504/281489434-9beaebd6-b9ce-4098-a8e0-d67b185062b5.png"> ### Vulnerable code: https://github.com/librenms/librenms/blob/63eeeb71722237d1461a37bb6da99fda25e02c91/app/Http/Controllers/DeviceGroupController.php#L173C21-L173C21 Line 173 is not sanitizing device name properly <img width="793" alt="Screenshot 2023-11-08 at 9 26 14 PM" src="https://user-images.githubus...

CVE-2023-48295: Cross-site Scripting at Device groups Deletion feature - [librenms/app/Http/Controllers/DeviceGroupController.php]

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. Affected versions are subject to a cross site scripting (XSS) vulnerability in the device group popups. This issue has been addressed in commit `faf66035ea` which has been included in release version 23.11.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2020-11448: Access control in the Home Hub modems : What is Access control

An issue was discovered on Bell HomeHub 3000 SG48222070 devices. There is XSS related to the email field and the login page.

GHSA-36fr-3wg8-q5v8: Concrete CMS Cross-site Scripting vulnerability

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.