Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-33195: XSS in RSS widget feed

Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6.

CVE
Open in Source
#xss#vulnerability#web#git
CVE-2023-32325: fix: Remove API and JS urls (#630) · PostHog/posthog-js@67e07eb

PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.

CVE-2023-33194: Fixed an XSS vulnerability · craftcms/cms@9d0cd0b

Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6.

CVE-2023-33196: Stored XSS in review volumne

Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.

CVE-2023-33197: Release 4.4.6 · craftcms/cms

Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.

GHSA-7x94-jx75-3gh6: Stored cross site scripting in Craft CMS

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. This issue was patched in version 4.4.12.

CVE-2023-20868: VMSA-2023-0010

NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. A remote attacker can inject HTML or JavaScript to redirect to malicious pages.

CVE-2023-33780: XSS Vulnerability in news endpoint

A stored cross-site scripting (XSS) vulnerability in TFDi Design smartCARS 3 v0.7.0 and below allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the body of news article.

CVE-2023-2817: Fixed XSS vulnerabilities · craftcms/cms@7655e10

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.

CVE-2023-33394: skycaiji-v2.5.4 has a backend xss vulnerability

skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers can achieve backend XSS by deploying malicious JSON data.