CVE-2019-25155
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute...
CVE-2019-25155
DOMPurify before 1.0.11 is affected by a reverse tabnabbing issue in demos/hooks-target-blank-demo.html due to missing rel="noopener noreferrer" on links. This is the concrete vulnerability described across CVE-2019-25155 entries: the root cause is the absence of a security attribute on target-bl...
GHSA-5JCR-82FH-339V Cross-Site-Scripting attack on `<RichTextField>`
Impact: All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using dangerouslySetInnerHTML without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack. Proof of concept: jsx import...
CVE-2023-25572
react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...
CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`
react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...
CVE-2023-25572
CVE-2023-25572 concerns react-admin and related RA UI Material-UI before 3.19.12/4.7.6, where the RichTextField outputs HTML via dangerouslySetInnerHTML without client-side sanitization. If server-side data isn’t sanitized, this enables cross-site scripting (XSS) across React applications built w...
PT-2023-20171 · Unknown · Ra-Ui-Materialui +1
Name of the Vulnerable Software and Affected Versions: react-admin versions prior to 3.19.12 and 4.7.6; ra-ui-materialui versions prior to 3.19.12 and 4.7.6. Description: The issue affects all React applications built with react-admin and using the `<RichTextField>`. This component outputs the field value using...
Cross-site Scripting (XSS)
dompurify is vulnerable to cross-site scripting (XSS) attacks. The library does not properly escape special characters before outputting them to the front end, allowing an attacker to inject and execute malicious JavaScript via nested headlines...
GHSA-H6P3-P4VX-WR8Q dompurify vulnerable to Cross-site Scripting
dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines...
GHSA-PGJV-JRG2-GQ3V dompurify vulnerable to Cross-site Scripting
dompurify prior to version 2.2.2 is vulnerable to cross-site scripting when converting from SVG namespace...
PT-2023-33023 · Dompurify · Dompurify
Name of the Vulnerable Software and Affected Versions: dompurify versions prior to 2.2.3. Description: The issue is caused by nested headlines, leading to a cross-site scripting problem. Recommendations: For versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue...
PT-2023-33047 · Dompurify · Dompurify
Name of the Vulnerable Software and Affected Versions: dompurify versions prior to 2.2.2. Description: The issue is a cross-site scripting problem when converting from the SVG namespace. Recommendations: For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue...
GHSA-3244-8MFF-W398 Reflected XSS in Gotify's /docs via import of outdated Swagger UI
Impact: Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS...