Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-3231: Fix scheduled maintenance xss (#14360) · librenms/librenms@0805002

Cross-site Scripting (XSS) - Stored in GitHub repository librenms/librenms prior to 22.9.0.

CVE
Open in Source
#xss#git
GHSA-wxvf-839f-jqmh: Craft CMS Cross site Scripting vulnerability

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via `src/helpers/Cp.php`.

GHSA-8r89-x93x-mjq2: Craft CMS Stored Cross-site Scripting in User Addresses Title

Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in `/admin/myaccount`.

GHSA-mw37-wx8p-gp45: Craft CMS vulnerable to Cross-site Scripting via Drafts

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts. Version 4.2.1 contains a patch for this issue.

CVE-2022-35194: CVEs/TestLink/CVE-2022-35194 at main · HuangYuHsiangPhone/CVEs

TestLink v1.9.20 was discovered to contain a stored cross-site scripting (XSS) vulnerability via /lib/inventory/inventoryView.php.

CVE-2020-25491: CVE-2020-25491

6Kare Emakin 5.0.341.0 is affected by Cross Site Scripting (XSS) via the /rpc/membership/setProfile DisplayName field, which is mishandled when rendering the Activity Stream page.

GHSA-47m6-46mj-p235: TYPO3 HTML Sanitizer Bypasses Cross-Site Scripting Protection

> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (5.7) ### Problem Due to a parsing issue in upstream package [`masterminds/html5`](https://packagist.org/packages/masterminds/html5), malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized. This allows to by-pass the cross-site scripting mechanism of `typo3/html-sanitizer`. ### Solution Update to `typo3/html-sanitizer` versions 1.0.7 or 2.0.16 that fix the problem described. ### Credits Thanks to David Klein who reported this issue, and to TYPO3 security team member Oliver Hader who fixed the issue.

CVE-2022-35664: Adobe Security Bulletin

Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Exploitation of this issue requires low-privilege access to AEM.

GHSA-gjmq-x5x7-wc36: XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list

### Impact It's possible to store a JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. For example, attachment a file with name `><img src=1 onerror=alert(1)>.jpg` will execute the alert. ### Patches This issue has been patched in XWiki 13.10.6 and 14.3. ### Workarounds It is possible to modify fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, open the `JavaScriptExtension` object and apply on the content the changes that can be found on the commit https://github.com/xwiki/xwiki-platform/commit/6705b0cd0289d1c90ed354bd4ecc1508c4b25745. ### References * https://jira.xwiki.org/browse/XWIKI-19613 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])