Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-7h4w-6p98-r3wx: textAngular Cross-site Scripting vulnerability

textAngular is a text editor for Angular.js. Version 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. There are no known patches.

ghsa
#xss#vulnerability#js#git
GHSA-h685-83w4-3ph3: iziModal Cross-site Scripting vulnerability

iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field `title` when creating a `iziModal` instance is able to supply arbitrary `html` or `javascript` code that will be rendered in the context of a user, potentially leading to `XSS`. Version 1.6.1 contains a patch for this issue

GHSA-vfmp-9999-6wqj: Vditor Cross-site Scripting vulnerability

Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this issue.

GHSA-mv37-xrmc-hf64: Microweber Cross-site Scripting vulnerability

Microweber is a drag and drop website builder and content management system. Versions 1.2.12 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. A fix was attempted in versions 1.2.9 and 1.2.12, but it is incomplete.

GHSA-6cvf-m58q-h9wf: Answer vulnerable to Cross-site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.5.

GHSA-465f-mxxh-grc4: Baremetrics date range picker vulnerable to Cross-site Scripting

The Baremetrics date range picker is a solution for selecting both date ranges and single dates from a single calender view. Versions 1.0.14 and prior are prone to cross-site scripting (XSS) when handling untrusted `placeholder` entries. An attacker who is able to influence the field `placeholder` when creating a `Calendar` instance is able to supply arbitrary `html` or `javascript` that will be rendered in the context of a user leading to XSS. There are no known patches for this issue.

CVE-2021-32857: GHSL-2021-1035: Cross-Site Scripting (XXS) in Cockpit Next - CVE-2021-32857

Cockpit is a content management system that allows addition of content management functionality to any site. In versions 0.12.2 and prior, bad HTML sanitization in `htmleditor.js` may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.

CVE-2021-32858: GHSL-2021-1034: HTML sanitizer bypass leading to XSS in esdoc-publish-html-plugin - CVE-2021-32858

esdoc-publish-html-plugin is a plugin for the document maintenance software ESDoc. TheHTML sanitizer in esdoc-publish-html-plugin 1.1.2 and prior can be bypassed which may lead to cross-site scripting (XSS) issues. There are no known patches for this issue.

CVE-2021-32854: GHSL-2021-1001: Copy-paste XSS in textAngular text editor - CVE-2021-32854

textAngular is a text editor for Angular.js. Version 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. There are no known patches.

CVE-2021-32860: GHSL-2021-1044: Security contact needed · Issue #249 · marcelodolza/iziModal

iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field `title` when creating a `iziModal` instance is able to supply arbitrary `html` or `javascript` code that will be rendered in the context of a user, potentially leading to `XSS`. Version 1.6.1 contains a patch for this issue