#xss

### Summary `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. ### Details The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. ### PoC Make a request to `/api/_nuxt_icon/http:example.com`, observe the data returned has been fetched from a different resource than intended. I typically try to find an example within N...

### Summary The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. ### Details The function first tests to see if the specified [URL has a protocol](https://github.com/nuxt/nuxt/blob/fa9d43753d25fc2e8c3107f194b2bab6d4ebcb9a/packages/nuxt/src/app/composables/router.ts#L142). This uses the [unjs/ufo](https://github.com/unjs/ufo) package for URL parsing. This function works effectively, and returns true for a `javascript:` protocol. After this, the URL is parsed using the [`parseURL`](https://github.com/unjs/ufo/blob/e970686b2acae972136f478732450f6a2f1ab5e5/src/parse.ts#L47) function. This function will refuse to parse poorly formatted URLs. Parsing `javascript:alert(1)` returns null/"" for all values. Next, the protocol of the URL is then checked using the [`isScriptProtocol`](https://github.com/unjs/ufo/blob/e970686b2acae972136f478732450f6a2f1ab5e5/src/utils.ts#...

Microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php.

e107 version 2.3.3 suffers from a cross site scripting vulnerability.

### Summary Reposilite v3.5.10 is affected by Stored Cross-Site Scripting (XSS) when displaying artifact's content in the browser. ### Details As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The problem lies in the fact that the artifact's content is served via the same origin (protocol/host/port) as the Admin UI. If the artifact contains HTML content with javascript inside, the javascript is executed within the same origin. Therefore, if an authenticated user is viewing the artifacts content, the javascript inside can access the browser's local storage where the user's password (aka 'token-secret') is stored. It is especially dangerous in scenarios where Reposilite is configured to mirror third party repositories, like the Maven Central Repository. Since anyone can publish an artifact to Maven Central under its own name, such malicious packages can be used to attack the Repos...

Tourism Management System version 2.0 suffers from a cross site scripting vulnerability.

Leads Manager Tool suffers from remote SQL injection and cross site scripting vulnerabilities.

Readymade Unilevel Ecommerce MLM suffers from remote blind SQL injection and cross site scripting vulnerabilities. These issues affected the version released as late as March 15, 2024.

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Thanks fhAnso for reporting.

### Impact The file upload widget is vulnerable to XSS payloads in filenames. Access permission to upload files is required. As such, in most cases only authenticated editors and administrators will have the required permission. It is not persistent, i.e. the payload is only executed during the upload. In effect, an attacker will have to trick an editor/administrator into uploading a strangely named file. The fix ensures XSS is escaped. ### Patches See "Patched versions". Commit: https://github.com/ezsystems/ezplatform-admin-ui/commit/7a9f991b200fa5a03d49cd07f50577c8bc90a30b ### Workarounds None. ### References - https://developers.ibexa.co/security-advisories/ibexa-sa-2024-004-dom-based-xss-in-file-upload - https://github.com/ezsystems/ezplatform-admin-ui/commit/7a9f991b200fa5a03d49cd07f50577c8bc90a30b - https://github.com/ibexa/admin-ui/security/advisories/GHSA-qm44-wjm2-pr59 ### Credit This vulnerability was discovered and reported to Ibexa by Alec Romano: https://github.com/4rd...