CVE-2022-36446
CVE-2022-36446 : Webmin versions before 1.997 are vulnerable to an authenticated remote code execution via software/apt-lib.pl which fails to HTML-escape a UI command, enabling an OS command injection when updating packages. Exploitation requires access to the Software Package Updates module and ...
CVE-2022-36446
software/apt-lib.pl in Webmin before 1.997 lacks HTML escaping for a UI command...
Webmin security vulnerability
Webmin is a set of web-based system administration tools for Unix-like operating systems, maintained by the Webmin community. Versions of Webmin prior to 1.997 are vulnerable because the software/apt-lib.pl component does not HTML-escape a UI command...
CVE-2022-34786
Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs...
CVE-2022-34173
In Jenkins 2.340 through 2.355 (both inclusive), the tooltip of the build button in list views supports HTML without escaping the job display name, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission...
GHSA-H8QX-MJ6V-2934 MediaWiki Cross-site Scripting (XSS) vulnerability
An issue was discovered in MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3. The non-jqueryMsg version of mw.message.parse doesn't escape HTML. This affects both message contents which are generally safe and the parameters which can be based on user input. When jqueryMsg is loaded,...
CVE-2019-15618
Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location...
Drupal cross-site scripting vulnerability
Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 have a Drupal.checkPlain JavaScript function, which is used to escape potentially dangerous text before outputting it to HTML, as JavaScript output does not typically go through Twig autoescaping. This function does not correctly...
GHSA-7QW4-W7HF-22Q3 xapian-core Cross-site Scripting vulnerability
A cross-site scripting vulnerability in queryparser/termgeneratorinternal.cc in Xapian xapian-core before 1.4.6 exists due to incomplete HTML escaping by Xapian::MSet::snippet...
statics-server Cross-site Scripting vulnerability
A cross-site scripting (XSS) vulnerability in statics-server: an element is rendered without escaping, which allows embedding an HTML tag whose src attribute points to another HTML file in the served directory. That file can contain malicious JavaScript code, which will be executed. Reference: ./node_modules/statics-server/index.js, line 18: ...
Cross-Site Scripting (XSS)
Liferay Layout SEO Web is vulnerable to stored cross-site scripting. The vulnerability exists in the getOpenGraphTag function in OpenGraphTopHeadDynamicInclude.java due to a lack of HTML escaping, which allows an attacker to inject and execute arbitrary JavaScript...
GHSA-QGPV-86R3-87FH Cross-site Scripting in Parsedown
Parsedown versions prior to 1.7.0 contain a cross-site scripting (XSS) vulnerability in setMarkupEscaped, the option for escaping HTML, that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that sidesteps HTML escaping by breaking the AST...
Cross-site Scripting when rendering error messages in laminas-form
Impact: When rendering validation error messages via the formElementErrors view helper shipped with laminas-form, many messages will contain the submitted value. However, in vulnerable versions of laminas-form, the value was not being escaped for HTML contexts, which can potentially lead to a...
CVE-2022-23598 Reflected XSS vulnerability when rendering error messages in laminas-form
laminas-form is a package for validating and displaying simple and complex forms. When rendering validation error messages via the formElementErrors view helper shipped with laminas-form, many messages will contain the submitted value. However, in laminas-form prior to version 3.1.1, the value wa...
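The entries above share one root cause: user-controlled text is written into HTML without escaping, or with an escaper that does not cover the context it lands in. The following is an added example, not code from laminas-form or any other project listed here. It assumes two constructed rendering helpers (renderError, echoing a submitted value into an error message the way the laminas-form entry describes, and renderValueAttr, writing the value into a double-quoted attribute) and compares a full HTML escaper against a deliberately incomplete one that only handles angle brackets. The incomplete escaper is a stand-in for the "lacks HTML escaping" / "incomplete HTML escaping" pattern, not a reconstruction of any specific project's code. A small attribute tokenizer checks the result the way a browser would read it, rather than string-matching the payload.

```javascript
// Added example: full vs. incomplete HTML escaping, checked per context.
// Not taken from any project in the advisory list above.

// Full escape for HTML text and double- or single-quoted attribute values.
// '&' is replaced first so already-produced entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Incomplete escaper (constructed stand-in): only angle brackets.
// Enough for a text node, not for an attribute value.
function escapeAnglesOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed stand-in for a form helper that echoes the submitted value
// inside a validation error message (text context).
function renderError(fieldName, submitted, esc) {
  return `<li>The input "${esc(submitted)}" for ${esc(fieldName)} is not valid</li>`;
}

// Constructed stand-in for re-populating a field (attribute context).
function renderValueAttr(submitted, esc) {
  return `<input name="email" value="${esc(submitted)}">`;
}

// Does the markup contain a start tag with this element name?
function hasElement(html, name) {
  return new RegExp('<' + name + '[\\s>]', 'i').test(html);
}

// Minimal attribute tokenizer for a single start tag: returns the attribute
// names a browser would see. Quoted values are consumed whole, so text that
// merely looks like ` onfocus=` inside a quoted value is not an attribute.
function attributeNames(tag) {
  const body = tag.replace(/^<[a-zA-Z][\w-]*\s*/, '').replace(/\s*\/?>$/, '');
  const re = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const names = [];
  for (const m of body.matchAll(re)) names.push(m[1].toLowerCase());
  return names;
}

// Run both payloads through no escaping, angle-only escaping and full
// escaping; each flag is true when the injection survives rendering.
function demo() {
  const textPayload = '<script>alert(1)</script>';        // constructed
  const attrPayload = '" onfocus="alert(1)" autofocus="'; // constructed
  const raw = (v) => String(v);
  const injectedInText = (esc) => hasElement(renderError('email', textPayload, esc), 'script');
  const injectedInAttr = (esc) => attributeNames(renderValueAttr(attrPayload, esc)).includes('onfocus');
  return {
    textRaw: injectedInText(raw),
    textAngles: injectedInText(escapeAnglesOnly),
    textFull: injectedInText(escapeHtml),
    attrRaw: injectedInAttr(raw),
    attrAngles: injectedInAttr(escapeAnglesOnly), // attribute breakout survives
    attrFull: injectedInAttr(escapeHtml),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The angle-only escaper is sufficient for the text-node case and fails the attribute case, which is why escaping has to be chosen per output context (text, attribute, URL, JavaScript) rather than applied as one generic "strip tags" step; the Xapian, TestRail and Parsedown entries above are all variants of an escaper that covered some of a context but not all of it.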
CVE-2021-44263
Gurock TestRail before 7.2.4 mishandles HTML escaping...