Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-1933

The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting

CVE
Open in Source
#xss#wordpress#auth
CVE-2022-2194

The Accept Stripe Payments WordPress plugin before 2.0.64 does not sanitize and escape some of its settings, allowing high privilege users such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

GHSA-fj2w-qmjp-3rjm: Gollum 5.0 before 5.1.2 vulnerable to cross-site scripting via filename parameter to New Page dialog

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

GHSA-prc3-vjfx-vhm9: Angular (deprecated package) Cross-site Scripting

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements. NPM package [angular](https://www.npmjs.com/package/angular) is deprecated. Those who want to receive security updates should use the actively maintained package [@angular/core](https://www.npmjs.com/package/@angular/core).

CVE-2022-25869: Cross-site Scripting (XSS) in org.webjars.bowergithub.angular:angular | CVE-2022-25869 | Snyk

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

GHSA-6f85-3f8q-qc94: OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

# Impact Due to insufficient class name validation in GrapeJS library it's possible to add executable JS code in class name through Selector Manager # Relates to - [https://github.com/artf/grapesjs/issues/4411](https://github.com/artf/grapesjs/issues/4411) # Patch Update GrapeJS dependency to >=[v0.19.5](https://github.com/artf/grapesjs/releases/tag/v0.19.5)

CVE-2022-23201: Adobe Security Bulletin

Adobe RoboHelp versions 2020.0.7 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

GHSA-mxvc-fwgx-j778: Whoogle Search cross-site scripting via string parameter

The package whoogle-search before 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped.

CVE-2020-35305: GOLLUM.COM may be available for sale or other proposals

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

CVE-2020-35261: poc-dump/MultiRestaurantReservationSystem/1.0 at main · yunaranyancat/poc-dump

Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php.