PT-2024-31384
Name of the Vulnerable Software and Affected Versions: Syncope versions prior to 3.0.9. Description: The issue allows an attacker to bypass HTML sanitization by using incomplete HTML tags when editing objects in the Syncope Console. This enables the injection of stored XSS payloads, which can...
The vulnerability of the JavaScript library for secure cleaning and protection of HTML code, DOMPurify, is related to the use of a regular expression with inefficient computational complexity, allowing attackers to execute XSS attacks.
The vulnerability of the JavaScript library for secure cleaning and protection of HTML code, DOMPurify, is related to the use of a regular expression with inefficient computational complexity. Exploiting this vulnerability could allow an attacker who operates remotely to carry out XSS attacks...
CVE-2024-20462
A vulnerability in the web-based management interface of Cisco ATA 190 Series Multiplatform Analog Telephone Adapter firmware could allow an authenticated, local attacker with low privileges to view passwords on an affected device. This vulnerability is due to incorrect sanitization of HTML conte...
jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting (XSS) safety. An issue in jsoup may incorrectly sanitize HTML, including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the...
CVE-2024-47610
InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store JavaScript in Markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addresse...
CVE-2024-47610 Stored Cross-site Scripting Vulnerability in Markdown Editor
InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store JavaScript in Markdown notes fields, which are then displayed to other logged in users who visit the same page and executed. The vulnerability has been addresse...
CVE-2024-47610
The CVE-2024-47610 issue affects InvenTree before 0.16.5, where a registered user can store JavaScript in Markdown notes fields that are rendered for other logged-in users, enabling stored cross-site scripting (XSS). Root cause: lack of input sanitization in the Markdown rendering path and storag...
PT-2024-39279 · WordPress · Profilegrid
Name of the Vulnerable Software and Affected Versions: ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.3.2. Description: The issue is related to Stored Cross-Site Scripting due to the incorrect use of the wp_kses_allowed_html function. Th...
CVE-2024-45057 Reflected Cross-Site Scripting in i-Educar
i-Educar is free, fully online school management software that can be used by school secretaries, teachers, coordinators, and area managers. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the dynamic generation of HTML fields prior to the 2.9 branch. The file located at...
GO-2024-3015 ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel
ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...
ZITADEL has improper HTML sanitization in emails and Console UI
Impact ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker,...
GHSA-V333-7H2P-5FHV ZITADEL has improper HTML sanitization in emails and Console UI
Impact ZITADEL uses HTML for emails and renders certain information such as usernames dynamically. That information can be entered by users or administrators. Due to a missing output sanitization, these emails could include malicious code. This may potentially lead to a threat where an attacker,...
Calibre-Web Cross Site Scripting (XSS)
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization...
CVE-2024-39123
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization...
CVE-2024-39123
Calibre-Web 0.6.0–0.6.21 is vulnerable to Cross-Site Scripting (XSS) due to improper HTML sanitization in the clean_string function, exploitable via the edit_book_comments feature. Reports from Red Hat and OSV/OSV-GHSA entries corroborate the same root cause: inadequate sanitization leading to XS...