#xss

### Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded and Content-Security-Policy definition to prevent cross-site-scripting attacks. The upload validation checks were not 100% robust which left the possibility to circumvent them and upload a potentially dangerous file which allows execution of arbitrary JavaScript in the browser. Additionally we've discovered that Nginx's `proxy_pass` directive will strip some headers negating protections built into Kiwi TCMS when served behind a reverse proxy. ### Patches - Improved file upload validation code - Updated Nginx reverse proxy configuration for ***.tenant.kiwitcms.org** ### Workarounds If serving Kiwi TCMS behind a reverse proxy make sure that additional header values are still passed to the client browser. If they aren't redefine them inside the proxy configuration. S...

## Impact 1. A compromised instance with shared folders could sync malicious files which contain arbitrary HTML and JavaScript in the name. If the owner of another device looks over the shared folder settings and moves the mouse over the latest sync, a script could be executed to change settings for shared folders or add devices automatically. 2. Adding a new device with a malicious name could embed HTML or JavaScript inside parts of the page. ## Risk As long as trusted devices are used, the risk is low. Additionally, the web GUI is not used that often in daily use which reduces the likelihood of exploitation. ## Details ### 1. Field "Latest Change" * Open the web GUI at [http://127.0.0.1:8384/](http://127.0.0.1:8384/). * Create/Delete a file named ```<img src=a onerror=alert(123)>``` and sync it to the other instance. * Move your mouse over the latest change to trigger the tooltip. <img width="834" alt="latest-change" src="https://user-images.githubusercontent.com/9484134/2050...

A security defect in Foundry's Comments functionality resulted in the retrieval of attachments to comments not being gated by additional authorization checks. This could enable an authenticated user to inject a prior discovered attachment UUID into other arbitrary comments to discover it's content. This defect was fixed in Foundry Comments 2.249.0, and a patch was rolled out to affected Foundry environments. No further intervention is required at this time.

### Summary Some avo fields are vulnerable to XSS when rendering html based content. ### Details During the analysis of the web application, a rendered field was discovered that did not filter JS / HTML tags in a safe way and can be abused to execute js code on a client side. The trix field uses the trix editor in the backend to edit rich text data which basically operates with html tags. To display the stored data in a rendered view, the HasHTMLAttributes concern is used. This can be exploited by an attacker to store javascript code in any trix field by intercepting the request and modifying the post data, as the trix editor does not allow adding custom html or js tags on the frontend. ### PoC  _Adding javascript in the post request which is used when editing a "post" resource (body is declared as a trix field)_ ![image](https://user-images.githubusercontent.com/26464774/2...

A vulnerability classified as problematic was found in Arborator Server. This vulnerability affects the function start of the file project.cgi. The manipulation of the argument project leads to denial of service. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as cdbdbcbd491db65e9d697ab4365605fdfab1a604. It is recommended to apply a patch to fix this issue. VDB-230662 is the identifier assigned to this vulnerability.

A vulnerability, which was classified as problematic, was found in Gravity Forms DPS PxPay Plugin up to 1.4.2 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.4.3 is able to address this issue. The name of the patch is 5966a5e6343e3d5610bdfa126a5cfbae95e629b6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230664.

** UNSUPPPORTED WHEN ASSIGNED ** ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Fuzzy SWMP. It has been rated as problematic. This issue affects some unknown processing of the file swmp.php of the component GET Parameter Handler. The manipulation of the argument theme leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 792bcab637cb8c3bd251d8fc8771512c5329a93e. It is recommended to apply a patch to fix this issue. The identifier VDB-230669 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

### Impact Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in the Rancher UI. Cross-Site scripting allows a malicious user to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. The affected areas include the Projects/Namespaces and Auth Provider sections. The attacker needs to be authenticated and have write access to those features in order to exploit the vulnerabilities. Some of the permissions (roles) required are: - Project Owner. - Restricted Admin. - Configure Authentication. - Administrator. - Custom RBAC Role that provides write access on Projects or External Authentication Providers. For users that suspect this vulnerability may have t...

### Impact #### Description: JStachio fails to escape single quotes `'` in HTML, allowing an attacker to inject malicious code. #### Reproduction Steps: Use the following template code: ```html <div attr='{{value}}'></div> ``` Set the value variable to `' onblur='alert(1)`. ```java public class Escaping { public static void main(String[] args) { Model model = new Model("' onblur='alert(1)"); String result = AttributeTemplate.of().execute(model); System.out.println(result); } @JStache(template = "<div attr='{{value}}'></div>", name="AttributeTemplate") @JStacheConfig(contentType= Html.class) public static class Model { public final String value; public Model(String value) { this.value = value; } public String getValue() { return value; } } } ``` Expected Result: The resulting output should have properly escaped the single quotes and not execute the inject...

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit `7891c01e` which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.