Cross-site Scripting (XSS)

pimcore/pimcore is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to the ajax function in pagination.js because the url sanitization regex pattern does not take into account backward slashes \ that modern browsers treat as forward slashes / , which allows an attacker to...

Stored Cross-Site Scripting (XSS)

moodle/moodle is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to a lack of HTML sanitization in the the user ID when exporting to data formats supporting HTML which allows an attacker to inject and execute arbitrary JavaScript when a user clicks on the downloaded file. Not...

CVE-2023-27592

Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to...

Stored Cross-Site Scripting (XSS)

moodle/moodle is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to the quiz override page via the user ID which allows an attacker to inject and execute arbitrary JavaScript in the browser...

Cross site scripting

IBM App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1, 6.2, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials...

IBM App Connect Enterprise 跨站脚本漏洞

IBM App Connect Enterprise is an operating system from International Business Machines IBM, Inc. that combines existing industry-trusted IBM Integration Bus technology with IBM App Connect Professional and new cloud-native IBM App Connect Enterprise combines existing industry-trusted IBM...

CVE-2023-22856

A stored Cross-site Scripting XSS vulnerability in BlogEngine.NET 3.3.8.0, allows injection of arbitrary JavaScript in the security context of a blog visitor through an upload of a specially crafted file...

Cross site scripting

A stored Cross-site Scripting XSS vulnerability in BlogEngine.NET 3.3.8.0, allows injection of arbitrary JavaScript in the security context of a blog visitor through an injection of a malicious payload into a blog post...

CVE-2023-26486

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...

Format string

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...

CVE-2023-26486 Vega `scale` expression function cross site scripting

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...

CVE-2023-26486

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argumen...

CVE-2023-26047 teler-waf contains detection rule bypass via entities payload

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used...

CVE-2023-26047 teler-waf contains detection rule bypass via entities payload

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used...

RSSHub 跨站脚本漏洞

RSSHub is an RSS feed generator written in Node.js, distributed under the MIT license and maintained by DIYgod and other GitHub users. A cross-site scripting vulnerability exists in RSSHub. An attacker can exploit this vulnerability to execute arbitrary JavaScript code...

CVE-2023-26046

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version 0.1.1 is vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an attacker to execute...

rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters

Impact When the URL parameters contain certain special characters, it returns an error page that does not properly handle XSS vulnerabilities, allowing for the execution of arbitrary JavaScript code. Users who access the deliberately constructed URL are affected. Patches This vulnerability was...

Cross-Site Scripting (XSS)

@toast-ui/chart is vulnerable to Cross-Site Scripting XSS. The vulnerability exists because the renderTooltip function in tooltip.ts does not properly sanitize the legend fields which allows an attacker to inject and execute arbitrary JavaScript into the browser...

CVE-2023-25154

Misskey is an open source, decentralized social media platform. In versions prior to 13.5.0 the link to the instance to the sender that appears when viewing a user or note received through ActivityPub is not properly validated, so by inserting a URL with a javascript scheme an attacker may execut...

Misskey 跨站脚本漏洞

Misskey is a set of micro-blogging platform. A cross-site scripting vulnerability exists in versions prior to Misskey 13.3.2, which stems from insufficient validation of URLs and a cross-site scripting vulnerability that can be exploited by an attacker to execute arbitrary JavaScript...