#xss

### Summary A stored cross-site scripting vulnerability exists within the Formula virtual cell comments functionality. ### Details The nc-gui/components/virtual-cell/Formula.vue displays a v-html tag with the value of "urls" whose contents are processed by the function replaceUrlsWithLink(). This function recognizes the pattern URI::(XXX) and creates a hyperlink tag <a> with href=XXX. However, it leaves all the other contents outside of the pattern URI::(XXX) unchanged, which makes the evil users can create a malicious table with a formula field whose payload is <img src=1 onerror="malicious javascripts"URI::(XXX). The evil users then can share this table with others by enabling public viewing and the victims who open the shared link can be attacked. ### PoC Step 1: Attacker login the nocodb and creates a table with two fields, "T" and "F". The type of field "T" is "SingleLineText", and the type of the "F" is "Fomula" with the formula content {T} Step 2: The attacker sets the content...

Panel.SmokeLoader malware suffers from cross site request forgery, and cross site scripting vulnerabilities.

Panel.SmokeLoader malware suffers from a cross site scripting vulnerability.

Esteghlal F.C.'s site suffers from a cross site scripting vulnerability.

### Summary --- Attacker can upload a html file with malicious content. If user tries to open that file in browser malicious scripts can be executed leading Stored XSS(Cross-Site Script) attack. ### PoC --- NocoDB was configured using the Release Binary `Noco-macos-arm64`, and nocodb version 0.202.9 (currently the latest version) was used. binary hash infos: md5(164b727f287af56168bc16fba622d0b4) / sha256(43e8e97f4c5f5330613abe071a359f84e4514b7186f92954b678087c37b7832e) <img width="665" alt="image" src="https://user-images.githubusercontent.com/86613161/287472673-aeb60a02-2080-429f-8583-9f130ab62779.png"> ### 1. Run the binary to start the server and access the arbitrary table dashboard. <img width="830" alt="image" src="https://user-images.githubusercontent.com/86613161/287472852-98b2286e-ad66-45bf-b503-63780619d775.png"> Here, used the default `Features` table. ### 2. Click `+` in the table `field header` to add an `attachment` field. <img width="1173" alt="image" src="https://us...

Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when: - resolving or closing issues (bug_change_status_page.php) belonging to a project linking said custom field - viewing issues (view_all_bug_page.php) when the custom field is displayed as a column - printing issues (print_all_bug_page.php) when the custom field is displayed as a column ### Impact Cross-site scripting (XSS). ### Patches https://github.com/mantisbt/mantisbt/commit/447a521aae0f82f791b8116a14a20e276df739be ### Workarounds Ensure Custom Field Names do not contain HTML tags. ### References - https://mantisbt.org/bugs/view.php?id=34432 - This is related to CVE-2020-25830 (same root cause, different affected pages)

Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit's leader "LockBitSupp" claims the feds named the wrong guy, saying the charges don't explain how they connected him to Khoroshev. This post examines the activities of Khoroshev's many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.

### Impact There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius. ### Patches The issue is fixed in versions: 1.12.16, 1.13.1 and above. ### Workarounds 1. Create new file `assets/shop/sylius-province-field.js`: ```js // assets/shop/sylius-province-field.js function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts } const getProvinceInputValue = function getProvinceInputValue(valueSelector) { return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`; }; $.fn.extend({ provinceField() { const countrySelect = $('select[name$="[countryCode]"]'); countrySelect.on('change', (event) ...

### Impact There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into `Name` field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form. ### Patches The issue is fixed in versions: 1.12.16, 1.13.1 and above. ### Workarounds 1. Create new file `assets/admin/sylius-lazy-choice-tree.js`: ```js // assets/admin/sylius-lazy-choice-tree.js function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts } const createRootContainer = function createRootContainer() { return $('<div class="ui list"></div>'); }; const createLeafContainerElement = function createLeafContainerElement() { return $('<di...

### Description: A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, an unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. The application protects users against XSS attacks by utilizing an xss sanitization library. But the checks of the library were bypassed by crafting an XSS Payload using data binding and interpolation of Vue.js A working XSS payload was crafted which forces an administrator to add a new malicious attacker-controlled Administrator User. The Payload is: [payload.txt](https://github.com/froxlor/Froxlor/files/15142616/payload...