Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-gvxv-p9rv-gmcg: Cross-Site Scripting

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

ghsa
Open in Source
#xss#vulnerability#git#perl
GHSA-374w-gwqr-fmxg: Cross-Site Scripting

The extension fails to properly encode user input for output in HTML context. A TYPO3 backend user account is required to exploit the vulnerability.

GHSA-h4mx-xv96-2jgm: Cross-Site Scripting in Frontend Login Mailer

> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9) ### Problem User submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. ### Solution Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Christian Seifert who reported this issue and to TYPO3 framework merger Andreas Fernandez who fixed the issue. ### References * [TYPO3-CORE-SA-2022-004](https://typo3.org/security/advisory/typo3-core-sa-2022-004)

GHSA-3r95-23jp-mhvg: Cross-Site Scripting in Form Framework

> ### Meta > * CVSS: `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.9) ### Problem It has been discovered that the Form Designer backend module of the Form Framework is vulnerable to cross-site scripting. A valid backend user account with access to the form module is needed to exploit this vulnerability. ### Solution Update to TYPO3 versions 8.7.47 ELTS, 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above. ### Credits Thanks to Gabe Troyan who reported and fixed the issue. ### References * [TYPO3-CORE-SA-2022-003](https://typo3.org/security/advisory/typo3-core-sa-2022-003)

CVE-2022-31875: uai-poc/xss1.md at main · jayus0821/uai-poc

Trendnet IP-110wn camera fw_tv-ip110wn_v2(1.2.2.68) has an xss vulnerability via the proname parameter in /admin/scheprofile.cgi

CVE-2022-31873: uai-poc/xss2.md at main · jayus0821/uai-poc

Trendnet IP-110wn camera fw_tv-ip110wn_v2(1.2.2.68) has an XSS vulnerability via the prefix parameter in /admin/general.cgi.

CVE-2022-32444: URL redirection vulnerability in u5cms v8.3.5 · Issue #50 · u5cms/u5cms

An issue was discovered in u5cms verion 8.3.5 There is a URL redirection vulnerability that can cause a user's browser to be redirected to another site via /loginsave.php.

CVE-2022-32442: XSS vulnerability in u5cms version 8.3.5 · Issue #49 · u5cms/u5cms

u5cms version 8.3.5 is vulnerable to Cross Site Scripting (XSS). When a user accesses the default home page if the parameter passed in is http://127.0.0.1/? "Onmouseover=%27tzgl (96502)%27bad=", it can cause html injection.

CVE-2022-2113: Back porting of security patches (#3197) · inventree/InvenTree@26bf51c

Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inventree prior to 0.7.2.

CVE-2021-45026: Information Access, Management and Control

ASG technologies ASG-Zena Cross Platform Server Enterprise Edition 4.2.1 is vulnerable to Cross Site Scripting (XSS).