CVE-2024-41677 Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik

Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...

CVE-2024-41677 Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik

Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...

PT-2024-29501 · Adobe · Magento

Name of the Vulnerable Software and Affected Versions: Magento-lts versions prior to 20.10.1 Description: This issue affects the design/header/welcome, design/header/logo src, design/header/logo src small, and design/header/logo alt system configs, which are intended to enable admins to set a tex...

Cross-site Scripting (XSS)

xapian-core is vulnerable to Cross-site Scripting XSS. The vulnerability is caused due to improper handling of HTML escaping by Xapian::MSet::snippet in queryparser/termgeneratorinternal.cc. This allows an attacker to potentially execute arbitrary scripts in the context of a user's web browser wh...

Cross-Site Scripting (XSS)

zendframework/zend-navigation is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the use of the escapeHtml view helper instead of escapeHtmlAttr, leading to improper HTML attribute escaping...

GHSA-9MG6-X45V-HCFM activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

Impact Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user. For example: A public web application allows users to create entities with arbitrary names. Active Admin is used to administrate...

Cross-site Scripting

Overview Affected versions of this package are vulnerable to Cross-site Scripting through the dynamic setting of form legends in administrative interfaces. An attacker can execute arbitrary scripts in the context of the administrator's session by injecting malicious content into form fields that...

activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

Impact Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user. For example: A public web application allows users to create entities with arbitrary names. Active Admin is used to administrate...

PT-2024-27254 · Unknown · Activeadmin

Name of the Vulnerable Software and Affected Versions: Active Admin versions prior to 3.2.2 Active Admin version 4.0.0.beta7 is a fixed version, implying versions prior to 4.0.0.beta7 are also affected, but since 3.2.2 is mentioned as a fixed version, we only consider versions prior to 3.2.2 as...

activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

Impact Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user. For example: A public web application allows users to create entities with arbitrary names. Active Admin is used to administrate...

GHSA-468J-6JRC-2RJX silverstripe/framework vulnerable to Cross-site Scripting In `OptionsetField` and `CheckboxSetField`

List of key / value pairs assigned to OptionsetField or CheckboxSetField do not have a default casting assigned to them. The effect of this is a potential XSS vulnerability in lists where either key or value contain unescaped HTML...

CVE-2024-33859

An issue was discovered in Logpoint before 7.4.0. HTML code sent through logs wasn't being escaped in the "Interesting Field" Web UI, leading to XSS...

CVE-2024-27794

Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. The vulnerability was resolved in FileMaker Server 20.3.2 by escaping the HTML contents of the login...

CVE-2024-27794

Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. The vulnerability was resolved in FileMaker Server 20.3.2 by escaping the HTML contents of the login...

CVE-2024-27794

Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. The vulnerability was resolved in FileMaker Server 20.3.2 by escaping the HTML contents of the login...

XWiki 3.0.1 < 14.10.19, 15.0-rc-1 < 15.5.4, 15.6-rc-1 < 15.9 RCE Vulnerability (GHSA-hf43-47q4-fhq5)

Xwiki is prone to a remote code execution RCE vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:xwiki:xwiki";...

CVE-2024-31996

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape , which, when used in certain places, allows XWiki syntax injection and thereby remote code execution...

CVE-2024-31996 XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape , which, when used in certain places, allows XWiki syntax injection and thereby remote code execution...

CVE-2024-31996

CVE-2024-31996 affects XWiki Platform (XWiki Commons). The issue is improper escaping in the HTML escapetool used by XWiki, which fails to escape the “{” character, enabling syntax injection and remote code execution. Affected versions start at 3.0.1 and extend up to 4.10.19, 15.5.4, and 15.10-rc...

CVE-2024-31996 XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape , which, when used in certain places, allows XWiki syntax injection and thereby remote code execution...