Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2015-10079: Fix JS injection exploit · juju2143/walrusirc@45fd885

A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The name of the patch is 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751.

CVE
Open in Source
#xss#vulnerability#js
GHSA-6p89-3p7c-qrhv: Cross-site scripting in CKEditor5

CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget.

CVE-2023-25240: Bypassing SameSite cookie restrictions | Web Security Academy

An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code.

CVE-2023-25572: Release 4.7.6 · marmelab/react-admin

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `<RichTextField>` by a custom field doing sanitization by hand.

CVE-2023-24648: CVE-nu11secur1ty/vendors/zippy/zstore-6.6.0 at main · nu11secur1ty/CVE-nu11secur1ty

Zstore v6.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php.

CVE-2023-24086: CVE-nu11secur1ty/vendors/slims.web.id/SLIMS-9.5.2 at main · nu11secur1ty/CVE-nu11secur1ty

SLIMS v9.5.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /customs/loan_by_class.php?reportView.

CVE-2022-4905: vulnerability fix · udx/wp-stateless@6aee7ae

A vulnerability was found in UDX Stateless Media Plugin 3.1.1. It has been declared as problematic. This vulnerability affects the function setup_wizard_interface of the file lib/classes/class-settings.php. The manipulation of the argument settings leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 3.2.0 is able to address this issue. The name of the patch is 6aee7ae0b0beeb2232ce6e1c82aa7e2041ae151a. It is recommended to upgrade the affected component. VDB-220750 is the identifier assigned to this vulnerability.

CVE-2022-48110: CKSource CKEditor5 35.4.0 Cross Site Scripting ≈ Packet Storm

CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget.

CVE-2022-45285: Vsourz-Digital/AdvancedContactForm_CF7_DB_XSS.txt at main · IthacaLabs/Vsourz-Digital

Vsourz Digital Advanced Contact form 7 DB Versions 1.7.2 and 1.9.1 is vulnerable to Cross Site Scripting (XSS).