Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-4vvj-4cpr-p986: Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

Hi, Webpack developer team! ### Summary We discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code. ### Details #### Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) livin...

ghsa
#xss#vulnerability#web#google#js#git#java#perl#pdf#ssh
GHSA-22xm-w7r2-834q: FastAPI Admin cross-site scripting (XSS) vulnerability in the Create Product function

A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

GHSA-grqx-r2q2-j425: FastAPI Admin Cross-site Scripting vulnerability in the Config-Create function

A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

Calibre Web 0.6.21 Cross Site Scripting

Calibre Web version 0.6.21 suffers from a persistent cross site scripting vulnerability.

Helpdeskz 2.0.2 Cross Site Scripting

Helpdeskz version 2.0.2 suffers from a persistent cross site scripting vulnerability.

Jobs Finder System 1.0 Cross Site Scripting

Jobs Finder System version 1.0 suffers from a cross site scripting vulnerability.