872 matches found
RATELIMITED: Exposure of tinyMCE js source code with plugin version disclosure which can lead to exploit further attacks.
Hello Security Team. Summary: When looking for links and trying for content discovery I found a link on domain support.theendlessweb.com https://support.theendlessweb.com/swift/apps/base/javascript/global/thirdparty/TinyMCE/tinymce.min.js It contains the tinyMCE plugin and the version they are...
Responsive FileManager 9.13.4 XSS / File Manipulation / Traversal
Responsive FileManager 9.13.4 - Multiple Vulnerabilities Date: December 12, 2018 Author: farisv Vendor Homepage: https://www.responsivefilemanager.com/ Vulnerable Package Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.4/responsivefilemanager.zip Responsive FileManag...
Cross-Site Scripting (XSS)
TinyMCE is vulnerable to cross-site scripting (XSS). The vulnerability is possible because it does not filter xlink:href attributes...
Mahara < 16.10.9, < 17.04.7, < 17.10.4 XSS Vulnerability
Mahara is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mahara:mahara";...
Open-Xchange: [XSS] select/onchange in TinyMCE via set body
Hi. TinyMCE allow insert . For set this content need special link: mailto:aaa?body=. Steps: 1. Go to compose mail 2. Insert URL: mailto:aaa?body=%3Cselect%20onchange%3D%22alertdocument.cookie%22%3E%3Coption%3E2%3C%2Foption%3E%3Coption%3E2%3C%2Foption%3E%3C%2Fselect%3E 3. Save Mail 4. Open this ma...
Mahara Input Validation Vulnerability
Mahara is the full-featured web application for building your own ePortfolio. Mahara has an input validation vulnerability. The vulnerability arises because Mahara relies solely on code stripping from TinyMCE. An attacker could exploit this vulnerability to bypass TinyMCE and attack the server by...
Input validation
Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by POST packages. Therefore, Mahara should not rely on TinyMCE's code stripping alone but also clean input on the server / PHP side as one can create own packets of...
CVE-2018-6182
Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before 17.10.4 are vulnerable to bad input when TinyMCE is bypassed by POST packages. Therefore, Mahara should not rely on TinyMCE's code stripping alone but also clean input on the server / PHP side as one can create own packets of...
CVE-2018-6182
CVE-2018-6182 affects Mahara versions 16.10 before 16.10.9, 17.04 before 17.04.7, and 17.10 before 17.10.4. The root cause is that relying on TinyMCE code stripping is insufficient; an attacker can craft POST data packets with bad content to bypass client-side filtering and hit the server. The do...
Dropbox: Forum posts and private messages are poorly sanitized, allowing execution of arbitrary JavaScript
The reporter informed us of both stored XSS vulnerabilities as well as unsafe CSS attributes that were allowed in forum posts due to TinyMCE editor. An upgrade to Lithium's forum platform appears to have mitigated these vulnerabilities...
FreeBSD : wordpress -- multiple issues (a48d4478-e23f-4085-8ae4-6b3a7b6f016b)
WordPress developers report: Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. Before...
Cross-site Scripting (XSS)
WordPress is vulnerable to cross-site scripting (XSS) attacks. The library does not escape tags in shortcode previews in the TinyMCE editor, allowing a malicious user to inject and execute arbitrary web script...
WordPress TinyMCE Virtual Editor Cross-Site Scripting Vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed in PHP; it lets users set up a personal blog site on servers that support PHP and MySQL. The TinyMCE visual editor is one of its editors. A cross-site scripting vulnerability exists in the TinyMCE...
CVE-2017-14726
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor...
Cross site scripting
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor...
UBUNTU-CVE-2017-14726
Before version 4.8.2, WordPress was vulnerable to a cross-site scripting attack via shortcodes in the TinyMCE visual editor...