269 matches found
CVE-2019-10010
Cross-site scripting (XSS) vulnerability in the PHP League CommonMark library before 0.18.3 allows remote attackers to insert unsafe links into HTML by using double-encoded HTML entities that are not properly escaped during rendering, a different vulnerability than CVE-2018-20583...
GHSA-VFVF-MQQ8-RWQC Sanitization bypass using HTML Entities in marked
Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured. Proof of Concept This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort...
Sanitization bypass using HTML Entities in marked
Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured. Proof of Concept This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort...
GHSA-J6P2-CX3W-6JCP Cross-Site Scripting in backbone
Affected versions of backbone are vulnerable to cross-site scripting when users are allowed to supply input to the ModelEscape function, and the output is then written to the DOM. The vulnerability occurs as a result of the regular expression used to encode metacharacters failing to take HTML...
Imgur: Stored XSS on imgur profile
Hello, I submitted a report on imgur, but the staff marked it as duplicate. 482841 I reviewed the report of the first submitted report. 381553 We are on the same situation and his case is already fixed because I tried visiting his site too which is https://12test.imgur.com/ and even redoing his...
GHSA-Q44V-XC3G-V7JQ OWASP AntiSamy Cross-site Scripting vulnerability
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of to construct a javascript: URL...
Security update for mailman (moderate)
This update for mailman fixes the following issues: Security issue fixed: - CVE-2018-13796: Fix a content spoofing vulnerability with invalid list name messages inside the web UI boo1101288. Bug fixes: - update to 2.1.29: Fixed the listinfo and admin overview pages that were broken - update to...
Marked Cross-Site Scripting Vulnerability
marked is a Markdown parser and compiler written in JavaScript, developed by American software developer Christopher Jeffrey. A cross-site scripting vulnerability exists in marked 0.3.5 and earlier versions, which stems from the program's failure to properly handle URLs with HTML entities, and can...
DEBIAN-CVE-2016-10531
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because...
CVE-2016-10531
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because...
UBUNTU-CVE-2016-10531
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because...
CVE-2016-10531
CVE-2016-10531 affects the marked library (0.3.5 and earlier). The issue arises when parsing HTML entities: &#xNN... leaves trailing text, allowing bypass of sanitize: true and injection of a javascript: URL. This enables cross-site scripting via markdown-rendered links. Affected: marked where li...
Mail.ru: XSS e.mail.ru fixSpecialSymbols
Domain, site, application -- e.mail.ru Testing environment -- Firefox Steps to reproduce -- 1. send email from 2. add sender to contacts on https://e.mail.ru/messages/inbox/ 3. using Firefox go to https://e.mail.ru/compose/ 4. click on Кому: to open Contacts Actual results -- alert message Expect...
Rockstar Games: Stored XSS in profile activity feed messages
The researcher was able to demonstrate a Stored XSS vulnerability in the Profile and Crew Feed endpoints. The exploit string worked because the researcher realized that certain obscure characters were not being converted to HTML entities properly. The exploit string was †‡•<img src=a...
Cross-site Scripting (XSS)
bootstrap is vulnerable to cross-site scripting (XSS) attacks. The attacks exist because the data-target attribute uses user-supplied input which is then interpreted directly using standard HTML entities encoding...
FileBuster - An Extremely Fast And Flexible Web Fuzzer
An extremely fast and flexible web fuzzer. Why another fuzzer? My main motivation was to write a script that would allow me to fuzz a website based on a dictionary but that allowed me to filter words on that dictionary based on regex patterns. This necessity came from the frustration of trying to...