#xss

### Summary The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this code in OpenRefine itself is for an attacker to somehow convince a victim to import a malicious file, as in GHSA-m88m-crr9-jvqq, which may be difficult. However, out-of-tree extensions may add their own calls to `respondWithErrorPage`. ### Details The `Command.respondWithErrorPage` (through `HttpUtilities.respondWithErrorPage`) function renders the Velocity template `error.vt`, which contains the `$message` and `$stack` variables, which are included in the response as-is: https://github.com/OpenRefine/OpenRefine/blob/master/main/webapp/modules/core/error.vt#L52-L53 However, the message can contain HTML tags, which would then be interpreted by the browser. A mitigation would be to esc...

### Summary The `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker must know a valid project ID of a project that contains at least one row. ### Details The malicious form sets `contentType` to `text/html` (ExportRowsCommand.java line 101) and `preview` to `true` (line 107). This combination causes the browser to treat what OpenRefine thinks of as an export preview as a regular webpage. It would be safer if the `export-rows` command did not allow overriding the Content-Type header at all, instead relying on the exporter to provide the correct Content-Type. It could a...

### Summary The `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. ### Details The `state` GET parameter is read from: * extensions/gdata/module/MOD-INF/controller.js:105 It is used (as `$state`) in: * extensions/gdata/module/authorized.vt:43 There is no check that the state has the expected format (base64-encoded JSON with values like "openrefine123..." and "cb123..."), or that the page was indeed opened as part of the authorization flow. ### PoC Navigate to: http://localhost:3333/extension/gdata/authorized?state=%22,alert(1),%22&error= An alert box pops up. The gdata extension needs to be present. No other configuration is needed; specifically, it is not required to have a client ID or client...

XSS vulnerability in Edit Email Form Settings Feature to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in Edit Email Form Settings feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083 ### Credits Ayato Shitomi＠Fore-Z

XSS vulnerability in Blog posts feature to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in Blog posts feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083 ### Credits Ayato Shitomi＠Fore-Z

XSS vulnerability in HTTP 400 Bad Request to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in HTTP 400 Bad Request. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083

XSS vulnerability in Blog posts and Contents list Feature to baserCMS. ### Target baserCMS 5.1.1 and earlier versions ### Vulnerability Malicious code may be executed in Blog posts and Contents list feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_00876083 ### Credits Kyohei Ota@LEON TECHNOLOGY,Inc.

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue.

Roundcube Webmail versions prior to 1.5.7 and 1.6.x prior to 1.6.7 allows cross site scripting via SVG animate attributes.

A cross site scripting vulnerability in pfsense version 2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.