Tag
#xss
Hi, Webpack developer team! ### Summary We discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code. ### Details #### Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) livin...
Medicine Tracker System version 1.0 suffers from an ignored default credential vulnerability.
Medical Hub Directory Site version 1.0 suffers from an ignored default credential vulnerability.
Lodging Reservation Management System version 1.0 suffers from an ignored default credential vulnerability.
A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.
A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.
Calibre Web version 0.6.21 suffers from a persistent cross site scripting vulnerability.
Helpdeskz version 2.0.2 suffers from a persistent cross site scripting vulnerability.
Jobs Finder System version 1.0 suffers from a cross site scripting vulnerability.
Human Resource Management System version 2024 version 1.0 suffers from a cross site scripting vulnerability.