269 matches found

RedHat Linux
added 2019/11/06 5:13 p.m. | 3 views

Mozilla: Incorrect HTML parsing results in XSS bypass technique

A flaw was found in Mozilla Firefox and Thunderbird where null bytes were incorrectly parsed in HTML entities. This could lead to HTML comments being treated as code which could lead to XSS in a web application or HTML entities being masked from filters...

CVSS 6.1 | AI score 7.3 | EPSS 0.00804
Exploits: 0 | References: 5

Packet Storm
added 2019/11/06 12:0 a.m. | 287 views

Parallels Plesk Panel 9.5 Cross Site Scripting

Exploit Title: Parallels Plesk Panel 9.5 Reflected XSS Release Date: 06/11/2019 Author: Cyber Citadel Website: www.cybercitadel.com Vendor: www.plesk.com Versions 9.5 Description A Cross Site Scripting vulnerability occurs when an attacker can inject JavaScript in context of the web application...

AI score 0.3
Exploits: 0

RedHat Linux
added 2019/10/31 2:15 p.m. | 3 views

Mozilla: Incorrect HTML parsing results in XSS bypass technique

A flaw was found in Mozilla Firefox and Thunderbird where null bytes were incorrectly parsed in HTML entities. This could lead to HTML comments being treated as code which could lead to XSS in a web application or HTML entities being masked from filters...

CVSS 6.1 | AI score 7.3 | EPSS 0.00804
Exploits: 0 | References: 5

OpenVAS
added 2019/10/25 12:0 a.m. | 37 views

Mozilla Thunderbird Security Advisories (MFSA2019-32, MFSA2019-35) - Mac OS X

Mozilla Thunderbird is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:thunderbird";...

CVSS 8.8 | AI score 8.7 | EPSS 0.0213
Exploits: 3 | References: 1

RedHat Linux
added 2019/10/24 9:19 p.m. | 4 views

Mozilla: Incorrect HTML parsing results in XSS bypass technique

A flaw was found in Mozilla Firefox and Thunderbird where null bytes were incorrectly parsed in HTML entities. This could lead to HTML comments being treated as code which could lead to XSS in a web application or HTML entities being masked from filters...

CVSS 6.1 | AI score 7.3 | EPSS 0.00804
Exploits: 0 | References: 5

Veracode
added 2019/10/24 12:22 a.m. | 20 views

Cross-Site Scripting (XSS)

Firefox is vulnerable to cross-site scripting (XSS). Failure to correctly handle null bytes when processing HTML entities results in incorrect parsing of these entities, leading to HTML comment text being treated as HTML which could result in an XSS in a web application under certain conditions...

CVSS 6.1 | AI score 0.2 | EPSS 0.00804
Exploits: 0 | References: 8 | Affected Software: 5

CNVD
added 2019/10/24 12:0 a.m. | 1 views

Unspecified Vulnerability in Mozilla Firefox and Mozilla Firefox ESR (CNVD-2019-38480)

Mozilla Firefox and Mozilla Firefox ESR are both products of the Mozilla Foundation in the U.S. Mozilla Firefox is an open source web browser. Mozilla Firefox ESR is an extended support version of Firefox web browser. A security vulnerability exists in Mozilla Firefox versions prior to 70 and...

CVSS 6.1 | AI score 8.7 | EPSS 0.00804
Exploits: 0 | References: 1

UbuntuCve
added 2019/10/23 12:0 a.m. | 34 views

CVE-2019-11763

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML...

CVSS 6.1 | AI score 6.9 | EPSS 0.00804
Exploits: 0 | References: 5

OSV
added 2019/10/23 12:0 a.m. | 1 views

UBUNTU-CVE-2019-11763

Failure to correctly handle null bytes when processing HTML entities resulted in Firefox incorrectly parsing these entities. This could have led to HTML comment text being treated as HTML which could have led to XSS in a web application under certain conditions. It could have also led to HTML...

CVSS 6.1 | AI score 6.9 | EPSS 0.00804
Exploits: 0 | References: 6

Veracode
added 2019/09/23 6:28 a.m. | 17 views

Cross-site Scripting (XSS)

jspwiki-main is vulnerable to cross-site scripting (XSS). The vulnerability exists because it does not properly escape HTML entities in the JSPWiki WYSIWYG editor, allowing an attacker to inject malicious script through it...

CVSS 6.1 | AI score 0.9 | EPSS 0.04374
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2019/08/02 3:15 p.m. | 22 views

CVE-2019-14233

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...

CVSS 7.5 | AI score 6.8 | EPSS 0.06773
Exploits: 0 | References: 10

OSV
added 2019/08/02 3:15 p.m. | 22 views

CVE-2019-14233

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...

CVSS 7.5 | AI score 7.4
Exploits: 0 | References: 10

PyPA
added 2019/08/02 3:15 p.m. | 5 views

PYSEC-2019-12

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...

CVSS 7.5 | AI score 6.9 | EPSS 0.06773
Exploits: 0 | References: 11 | Affected Software: 1

Debian CVE
added 2019/08/02 2:31 p.m. | 21 views

CVE-2019-14233

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...

CVSS 7.5 | AI score 8.6 | EPSS 0.06773
Exploits: 0

Veracode
added 2019/08/02 10:1 a.m. | 33 views

Denial Of Service (DoS)

Django is vulnerable to denial of service (DoS). It does not properly handle HTML entities in the function striptags, causing excessive HTMLParser recursions...

CVSS 7.5 | AI score 2.6 | EPSS 0.06773
Exploits: 0 | References: 12 | Affected Software: 2

UbuntuCve
added 2019/08/01 10:0 a.m. | 25 views

CVE-2019-14233

An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.striptags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities...

CVSS 7.5 | AI score 6.8 | EPSS 0.06773
Exploits: 0 | References: 2

Hacker One
added 2019/07/15 11:36 a.m. | 27 views

Concrete CMS: Unauthenticated reflected XSS in preview_as_user function

An unauthenticated, reflected cross-site-scripting attack is possible due to the unsanitised cID parameter in the previewasuser functionality. Example URL: https://LOCAL-CONCRETE-INSTALL/ccm/system/panels/page/previewasuser/preview?cID=%22%3E%3C/iframe%3E%3Cscript%3Ealert1%3C/script%3E%3C!-- The...

AI score 6.8
Exploits: 0

Veracode
added 2019/03/25 5:30 a.m. | 16 views

Cross-Site Scripting (XSS)

league/commonmark is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via unsafe links using double-encoded HTML entities to steal session tokens or perform unwanted actions on behalf of the user...

CVSS 6.1 | AI score 2 | EPSS 0.00326
Exploits: 1 | References: 2 | Affected Software: 1

CNVD
added 2019/03/25 12:0 a.m. | 2 views

PHP League CommonMark library cross-site scripting vulnerability

PHP League CommonMark library is a PHP-based Markdown parser from the Extraordinary Packages consortium. A cross-site scripting vulnerability exists in PHP League CommonMark library versions prior to 0.18.3, which stems from the program failing to properly escape double-encoded HTML entities. A...

CVSS 6.1 | AI score 6.5 | EPSS 0.00326
Exploits: 1 | References: 1

OSV
added 2019/03/24 6:29 p.m. | 11 views

CVE-2019-10010

Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583...

CVSS 6.1 | AI score 5.8
Exploits: 0 | References: 2