114 matches found
CVE-2022-23515 Improper neutralization of data URIs may allow XSS in Loofah
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah = 2.1.0, 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1...
GHSA-MCVF-2Q2M-X72M Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Summary rails-html-sanitizer = 1.0.3, = 2.1.0. Mitigation Upgrade to rails-html-sanitizer = 1.4.4. Severity The maintainers have evaluated this as Medium Severity 6.1. References - CWE - CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' 4.9 - SVG MIME Type...
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Summary rails-html-sanitizer = 1.0.3, = 2.1.0. Mitigation Upgrade to rails-html-sanitizer = 1.4.4. Severity The maintainers have evaluated this as Medium Severity 6.1. References - CWE - CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' 4.9 - SVG MIME Type...
GHSA-228G-948R-83GX Improper neutralization of data URIs may allow XSS in Loofah
Summary Loofah = 2.1.0, = 2.19.1. Severity The Loofah maintainers have evaluated this as Medium Severity 6.1. References - CWE - CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' 4.9 - SVG MIME Type image/svg+xml is misleading to developers · Issue 266 ·...
Improper neutralization of data URIs may allow XSS in Loofah
Summary Loofah = 2.1.0, = 2.19.1. Severity The Loofah maintainers have evaluated this as Medium Severity 6.1. References - CWE - CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' 4.9 - SVG MIME Type image/svg+xml is misleading to developers · Issue 266 ·...
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Summary rails-html-sanitizer = 1.0.3, = 2.1.0. Mitigation Upgrade to rails-html-sanitizer = 1.4.4...
NewStart CGSL MAIN 6.02 : python-lxml Vulnerability (NS-SA-2022-0101)
The remote NewStart CGSL host, running version MAIN 6.02, has python-lxml packages installed that are affected by a vulnerability: - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass...
AlmaLinux 8 : python-lxml (ALSA-2022:1932)
The remote AlmaLinux 8 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2022:1932 advisory. - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content...
Cross-site Scripting (XSS)
lxml is vulnerable to Cross-site Scripting XSS. An attacker can inject and execute crafted and SVG embedded scripts through the data URIs in clean.py...
AZL-7025 CVE-2021-43818 affecting package python-lxml for versions less than 4.8.0-1
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...
PYSEC-2021-852
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...
Hardcoded credentials
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...
lxml's HTML Cleaner allows crafted and SVG embedded scripts to pass through
Impact The HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5. Patches The issue has been resolved in lxml 4.6.5...
CVE-2021-43818
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...
CVE-2021-43818 HTML Cleaner allows crafted and SVG embedded scripts to pass through
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...
CVE-2021-43818
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant...
lxml 注入漏洞
Lxml is a personal developer of Lxml can be interacted with Python for locating elements in Html. An injection vulnerability exists in versions of lxml prior to 4.6.5, which stems from the fact that HTML Cleaner allows the passage of certain carefully crafted scripted content, as well as scripted...
PT-2021-6092 · Lxml +10 · Lxml +10
Name of the Vulnerable Software and Affected Versions: lxml versions prior to 4.6.5 Description: The HTML Cleaner in lxml.html allows certain crafted script content to pass through, as well as script content in SVG files embedded using data URIs. This can be exploited by a remote attacker to...
Mozilla Firefox Security Advisory (MFSA2015-149) - Linux
This host is missing a security update for Mozilla Firefox. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; y...
OPENSUSE-SU-2021:0895-1 Security update for htmldoc
This update for htmldoc fixes the following issues: Update to version 1.9.12 Fixed buffer-overflow CVE-2021-20308 boo1184424 Fixed a crash bug with 'data:' URIs and EPUB output Fixed several other crash bugs Fixed JPEG error handling Fixed some minor issues Removed the bundled libjpeg, libpng, an...