Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

E-Commerce Site Using PHP PDO 1.0 Cross Site Scripting

E-Commerce Site using PHP PDO version 1.0 suffers from a cross site scripting vulnerability.

Packet Storm
#xss#vulnerability#windows#google#php#auth#firefox
GHSA-w6j6-w6jx-vf2r: Concrete CMS Stored XSS in getAttributeSetName

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName().  A rogue administrator could inject malicious code.

Journyx 11.5.4 Cross Site Scripting

Journyx version 11.5.4 suffers from a cross site scripting vulnerability due to mishandling of the error_description during an active directory login flow.

Debian Security Advisory 5743-1

Debian Linux Security Advisory 5743-1 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.

Open WebUI 0.1.105 Persistent Cross Site Scripting

Open WebUI version 0.1.105 suffers from a persistent cross site scripting vulnerability.

GHSA-5jp3-wp5v-5363: Open WebUI Stored Cross-Site Scripting Vulnerability

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.

Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's

GHSA-2rwj-7xq8-4gx4: Qwik has a potential mXSS vulnerability due to improper HTML escaping

### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `>` -> `&gt;` - `&` -> `&amp;` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input cons...

GHSA-m99v-mmg2-66vf: Microweber Reflected Cross-site scripting (XSS) vulnerability

A Reflected Cross-site scripting (XSS) vulnerability exists in '/search' in microweber 2.0.15 and earlier allowing unauthenticated remote attackers to inject arbitrary web script or HTML via the 'keywords' parameter.