Docmost security vulnerabilities
Docmost is an open-source collaborative wiki and documentation software developed by Docmost. Versions of Docmost prior to 0.25.0 contained security vulnerabilities, which were caused by insufficient HTML escape sequences, potentially leading to stored-xss attacks...
Mattermost Confluence plugin doesn't properly escape user-controlled display names in HTML template rendering
Mattermost Confluence plugin version 1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connectio...
Cross-site Scripting (XSS)
Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS in the orderHistory.message. An attacker can execute arbitrary scripts in the context of the admin panel by injecting malicious payloads into the status message field, which...
GHSA-FRJ9-9RWC-PW9J Craft Commerce has Stored DOM XSS in Order Status Name (Reflects in "Recent Orders" Dashboard Widget)
Summary A stored DOM XSS vulnerability exists in the "Recent Orders" dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. Users are recommended to update to the patched 5.5.2...
GHSA-8HF7-H89P-3PQJ MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
Summary A Stored Cross-site Scripting XSS vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from elements is rendered in HTML reports without...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rich text fields. An attacker can execute arbitrary scripts in the context of other users by injecting malicious HTML content. Details Cross-site scripting or XSS is a code vulnerability that occu...
Svelte cross-site scripting vulnerabilities
Svelte is an open-source approach to building web applications developed by Svelte. Versions of Svelte prior to 5.46.3 contained a cross-site scripting vulnerability. This vulnerability stemmed from the lack of HTML safe escaping during the asynchronous hydration process, allowing attackers to...
CVE-2017-18574
The ninja-forms plugin before 3.0.31 for WordPress has insufficient HTML escaping in the builder...
CVE-2024-41677
Qwik is a performance-focused JavaScript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...
CVE-2021-41258
Kirby is an open-source file-structured CMS. In affected versions Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend escaping HTML special characters to protect against...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS in the variableList function of the /admin/system/variableList.do endpoint when handling the Description argument. An attacker can inject and execute arbitrary scripts in the context of a user's browser by...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the argstypes parameter, which is rendered into an info banner without proper HTML escaping. An attacker can execute arbitrary JavaScript code in the backend context by tricking an authenticated user into...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper escaping of HTML attribute values. An attacker can execute arbitrary JavaScript in the context of a user's browser by injecting malicious HTML attribute values into user-generated content...
Vert.x-Web vulnerable to Stored Cross-site Scripting in directory listings via file names
Description - In the StaticHandlerImplsendDirectoryListing... method under the text/html branch, file and directory names are directly embedded into the href, title, and link text without proper HTML escaping. - As a result, in environments where an attacker can control file names, injecting...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of user-supplied metadata fields such as title, description, subject, and others. An attacker can execute arbitrary HTML or JavaScript in the context of a user's browser by injecting malicious...
EUVD-2021-0511
Malware in sbrugna...
EUVD-2021-1823
Malware in sbrugna...
EUVD-2018-0780
Malware in sbrugna...
EUVD-2021-26677
Malware in sbrugna...
EUVD-2019-6575
Malware in sbrugna...