Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-27561: Knowledge Article View HCL - Customer Support

There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin (LotusTraveler.nsf).

CVE
Open in Source
#xss#vulnerability#web
CVE-2022-38814: Fiberhome AN5506-02-B Cross Site Scripting ≈ Packet Storm

A stored cross-site scripting (XSS) vulnerability in the auth_settings component of FiberHome AN5506-02-B vRP2521 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the sncfg_loid text field.

CVE-2022-29649: Qsmart Next v4.1.2

Qsmart Next v4.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability.

News247 News Magazine 1.0 Cross Site Scripting

News247 News Magazine version 1.0 suffers from a persistent cross site scripting vulnerability.

CVE-2022-3211

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.6.

CVE-2021-44076

An issue was discovered in CrushFTP 9. The creation of a new user through the /WebInterface/UserManager/ interface allows an attacker, with access to the administration panel, to perform Stored Cross-Site Scripting (XSS). The payload can be executed in multiple scenarios, for example when the user's page appears in the Most Visited section of the page.

Explained: Fuzzing for security

Categories: Explained Categories: News Tags: Fuzzing Tags: fuzz testing Tags: memory leaks Tags: runtime errors Tags: race conditions Tags: control flow error Tags: memory allocation Tags: buffer overflow Fuzzing is an automated software testing method that uses a wide range of invalid and unexpected data as input to find flaws. (Read more...) The post Explained: Fuzzing for security appeared first on Malwarebytes Labs.

GHSA-gqqf-g5r7-84vf: TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://github.com/TYPO3/html-sanitizer). ### Solution Update to TYPO3 version 7.6.58 ELTS, 8.7.48 ELTS, 9.5.37 ELTS, 10.4.32 or 11.5.16 that fix the problem described above. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2022-011](https://typo3.org/security/advisory/typo3-core-sa-2022-011) * [GHSA-47m6-46mj-p235](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-47m6-46mj-p235)

CVE-2018-25047: Release v4.2.1 · smarty-php/smarty

In Smarty before 3.1.47 and 4.x before 4.2.1, libs/plugins/function.mailto.php allows XSS. A web page that uses smarty_function_mailto, and that could be parameterized using GET or POST input parameters, could allow injection of JavaScript code by a user.