Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

mqXSS 0.2

mqXSS is a client to communicate with XSS hooked browsers over MQTT. Similar to xsshunter or beef, mqxss allows interaction with remote browsers that have been injected with a XSS payload. However, instead of having the victim connect back to your server they connect through a Secure Websocket MQTT broker instead. This tool facilitates the JS payload generation and interaction with hooked browsers that communicate over WSS MQTT brokers.

Packet Storm
#xss#web#js#ssh
GHSA-g8vp-2v5p-9qfh: Cross-site scripting (XSS) in Action messages on Avo

Avo is a framework to create admin panels for Ruby on Rails apps. In Avo 3 pre12 any HTML inside text that is passed to `error` or `succeed` in an `Avo::BaseAction` subclass will be rendered directly without sanitization in the toast/notification that appears in the UI on Action completion. A malicious user could exploit this vulnerability to trigger a cross site scripting attack on an unsuspecting user. This issue has been addressed in the 3.0.2 release of Avo. Users are advised to upgrade.

GHSA-xgfm-fjx6-62mj: readthedocs-sphinx-search vulnerable to cross-site scripting when including search results from malicious projects

### Impact This vulnerability could have allowed an attacker to include arbitrary HTML content in search results by having a user search a malicious project. This was due to our search client not correctly escaping all user content from search results. You can find more information in the [advisory published in our readthedocs.org repo](https://github.com/readthedocs/readthedocs.org/security/advisories/GHSA-qhqx-5j25-rv48). Users of this extension should update to the 0.3.2 version, and trigger a new build. This issue was discovered by a member of our team, and we have seen no signs that this vulnerability was exploited in the wild. ### Patches This issue has been patched in our 0.3.2 version. ### References - https://github.com/readthedocs/readthedocs-sphinx-search/commit/8c6f6d01e88e72ef32ed0c220b6c19d1e1121c73 ### For more information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]) ([PGP](ht...

GHSA-ghjv-mh6x-7q6h: avo vulnerable to stored cross-site scripting (XSS) in key_value field

### Summary A **stored cross-site scripting (XSS)** vulnerability was found in the **key_value** field of Avo v3.2.3. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. ### Details The value of the key_value is inserted directly into the HTML code. In the current version of Avo (possibly also older versions), the value is not properly sanitized before it is inserted into the HTML code. This vulnerability can be exploited by an attacker to inject malicious JavaScript code into the key_value field. When a victim views the page containing the malicious code, the code will be executed in their browser. In [avo/fields/common/key_value_component.html.erb]( https://github.com/avo-hq/avo/blob/main/app/components/avo/fields/common/key_value_component.html.erb#L38C21-L38C33) the value is taken in lines **38** and **49** and seems to be interpreted directly as html in lines **44** and **55**. ### PoC ![POC](https://user-images.githubuserc...

Ubuntu Security Notice USN-6582-1

Ubuntu Security Notice 6582-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

WordPress POST SMTP Mailer 2.8.7 Authorization Bypass / Cross Site Scripting

WordPress POST SMTP Mailer plugin versions 2.8.7 and below suffer from authorization bypass and cross site scripting vulnerabilities.

Ubuntu Security Notice USN-6574-1

Ubuntu Security Notice 6574-1 - Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time.

PHPJabbers Meeting Room Booking System 1.0 Cross Site Scripting

PHPJabbers Meeting Room Booking System version 1.0 suffers from multiple persistent cross site scripting vulnerabilities.

PHPJabbers Event Ticketing System 1.0 Cross Site Scripting / HTML Injection

PHPJabbers Event Ticketing System version 1.0 suffers from cross site scripting and html injection vulnerabilities.