Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-cfxh-frx4-9gjg: Cross-site Scripting in @spscommerce/ds-react

### Impact XSS, anyone using the SPS Select with options prop populated from user input is impacted. If these options are stored, then it could have been a stored XSS. ### Patches The code has been patched for version 7 of woodland. Users should upgrade to 7.17.4 or higher ### Workarounds This is not recommended. If you are not upgrading then you would need to sanitize your options yourself (including those currently stored in databases). This is not recommended. ### References https://github.com/SPSCommerce/woodland/blob/c49e999f97f3c0b56502859f4de1e8c6666dd74d/packages/ds-react/src/option-list/SpsOptionList.tsx#L559

ghsa
Open in Source
#xss#nodejs#git
GHSA-5968-qw33-h47j: Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cvg2-7c3j-g36j. This link is maintained to preserve external references. ## Original Description A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

GHSA-xv7p-jw46-8r85: Cross-site Scripting in JFinalcms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) in the site management office.

GHSA-3hf6-f8ch-5869: Cross-site Scripting in JFinalcms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via carousel image editing.

GHSA-m3p6-43xj-pf9v: Cross-site Scripting in JFinalcms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via Label management editing.

GHSA-p3ph-6245-4wfc: Cross-site Scripting in JFinalcms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS).

CVE-2023-49152: WordPress Credit Tracker plugin <= 1.1.17 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labs64 Credit Tracker allows Stored XSS.This issue affects Credit Tracker: from n/a through 1.1.17.

CVE-2023-49151: WordPress Google Calendar Events plugin <= 3.2.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Calendar Simple Calendar – Google Calendar Plugin allows Stored XSS.This issue affects Simple Calendar – Google Calendar Plugin: from n/a through 3.2.6.

CVE-2023-49157: WordPress Multiple Post Passwords plugin <= 1.1.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andreas Münch Multiple Post Passwords allows Stored XSS.This issue affects Multiple Post Passwords: from n/a through 1.1.1.