#xss

### Impact If FoF Upload is configured to allow the uploading of SVG files (`image/svg+xml`), navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an attacker. This Javascript code could include the execution of HTTP web requests to Flarum, or any other web service. This could allow data to be leaked by an authenticated Flarum user, or, possibly, for data to be modified maliciously. ### Patches This has been patched with v1.2.3, which now sanitizes uploaded SVG files. ### Workarounds Upgrade to `1.2.3` (requires Flarum 1.2 or later), or remove the ability for users to upload SVG files through FoF Upload. ### References Thank you to Safwat Refaat for the responsible disclosure of this vulnerability.

### Impact We found a possible XSS vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. ### Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. ### Workarounds The easiest workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) and change the line ``` <input type='hidden' name='requestJoin' value="$!request.requestJoin"/> ``` into ``` <input type='hidden' name='requestJoin' value="$escapetool.xml($!request.requestJoin)"> ``` ### References * https://jira.xwiki.org/browse/XWIKI-19292 * https://github.com/xwiki/xwiki-platform/commit/27f839133d41877e538d35fa88274b50a1c00b9b ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security mailing list](mailto:[email protected])

### Impact We found a possible XSS vector in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. ### Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. ### Workarounds The easiest workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) and change the line ``` <input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" /> ``` into ``` <input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" /> ``` ### References * https://jira.xwiki.org/browse/XWIKI-19294 * https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [security mailing list](mailto:[email protected])

### Impact Mautic allows you to track open rates by using tracking pixels. The tracking information is stored together with extra metadata of the tracking request. The output isn't sufficiently filtered when showing the metadata of the tracking information, which may lead to a vulnerable situation. ### Patches Please upgrade to 4.3.0 ### Workarounds None. ### References * Internally tracked under MST-38 ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.

XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.

The notification module displaying flash messages unscapes HTML coming from the server, resulting in XSS vulnerabilities with various names and labels of entities (eg. workspace title or media title). This however means you must be a logged in user with respective rights in the first place to leverage the attack vector.

Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress.

When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel.