#xss

# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to `1.9.2` and was tested on version `1.8.2`. # Overview [Label Studio](https://github.com/HumanSignal/label-studio) has a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. # Description The following [code snippet in Label Studio](https://github.com/HumanSignal/label-studio/blob/1.8.2/label_studio/users/functions.py#L18-L49) shows that the only verification check is that the file is an image by extracting the dimensions from the file. ```python def hash_upload(instance, filename): filename = str(uuid.uuid4())[0:8] + '-' + filename return settings.AVATAR_PATH + '/' + filename <3> def check_avatar(files): i...

Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL.

Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter.

Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter.

A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: TALISMAN_CONFIG = {     "content_security_policy": {         "base-uri": ["'self'"],         "default-src": ["'self'"],         "img-src": ["'self'", "blob:", "data:"],         "worker-src": ["'self'", "blob:"],         "connect-src": [             "'self'",             " https://api.mapbox.com" https://api.mapbox.com" ;,             " https://events.mapbox.com" https://events.mapbox.com" ;,         ],         "object-src": "'none'",         "style-src": [             "'self'",             "'unsafe-inline'",         ],         "script-src": ["'self'", "'strict-dynamic'"],     },     "content_security_policy_nonce_in": ["script-src"],     "force_https": False,     "session...

### Impact All users of Nautobot versions earlier than 1.6.10 or 2.1.2 are potentially impacted. Due to inadequate input sanitization, any user-editable fields that support Markdown rendering, including: - `Circuit.comments` - `Cluster.comments` - `CustomField.description` - `Device.comments` - `DeviceRedundancyGroup.comments` - `DeviceType.comments` - `Job.description` - `JobLogEntry.message` - `Location.comments` - `Note.note` - `PowerFeed.comments` - `Provider.noc_contact` - `Provider.admin_contact` - `Provider.comments` - `ProviderNetwork.comments` - `Rack.comments` - `Tenant.comments` - `VirtualMachine.comments` - Contents of any custom fields of type `markdown` - Job class `description` attributes - The `SUPPORT_MESSAGE` system configuration setting are potentially susceptible to cross-site scripting (XSS) attacks via maliciously crafted data. ### Patches Fixed in Nautobot versions 1.6.10 and 2.1.2. ### References https://github.com/nautobot/nautobot/pull/5133 https://git...

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Westermo Equipment: Lynx 206-F2G Vulnerabilities: Cross-site Scripting, Code Injection, Cross-Origin Resource Sharing, Cleartext Transmission of Sensitive Information, Cross-Site Request Forgery 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access the web application, inject arbitrary code, execute malicious code, obtain sensitive information, or execute a malicious request. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Lynx 206-F2G, a layer three industrial Ethernet switch, are affected: Lynx: Model Version L206-F2G1 Lynx: Firmware Version 4.24. 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 An attacker with access to the web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site sc...

Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js. An XSS payload can be rendered in post summaries.

MolecularFaces before 0.3.0 is vulnerable to cross site scripting. A remote attacker can execute arbitrary JavaScript in the context of a victim browser via crafted molfiles.

### Impact The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. ### Patches JupyterLab v4.0.11 was patched. ### Workarounds Users can either disable the table of contents extension by running: ```bash jupyter labextension disable @jupyterlab/toc-extension:registry ``` ### References Vulnerability reported via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).