445 matches found

Cvelist
added 2023/09/19 3:58 p.m., 29 views

CVE-2023-42452 Mastodon vulnerable to Stored XSS through the translation feature

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to...

CVSS 6.1 | AI score 6.5 | EPSS 0.00391
Exploits 0 | References 2
OSV
added 2023/09/19 3:58 p.m., 25 views

CVE-2023-42452 Mastodon vulnerable to Stored XSS through the translation feature

Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to...

CVSS 6.1 | AI score 5.5 | EPSS 0.00391
Exploits 0 | References 4
OpenVAS
added 2023/09/14 12:00 a.m., 26 views

Debian: Security Advisory (DLA-3566-1)

The remote host is missing an update for Debian. SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description...

CVSS 7.5 | AI score 6.6 | EPSS 0.01454
Exploits 3 | References 4
Veracode
added 2023/08/29 2:53 a.m., 17 views

Cross-Site Scripting (XSS)

@webiny/react-rich-text-renderer is vulnerable to Cross-Site Scripting (XSS) attacks. The vulnerability allows an attacker to inject malicious JavaScript code into a victim's browser, which could be used to steal cookies, session tokens, or other sensitive information due to the use of the...

CVSS 4.8 | AI score 5.8 | EPSS 0.0034
Exploits 0 | References 4 | Affected Software 1
NVD
added 2023/08/25 2:15 p.m., 10 views

CVE-2023-41167

@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the...

CVSS 4.8 | AI score 4.8 | EPSS 0.0034
Exploits 0 | References 2
OSV
added 2023/08/25 2:15 p.m., 10 views

CVE-2023-41167

@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the...

CVSS 4.8 | AI score 5.9
Exploits 0 | References 2
Prion
added 2023/08/25 2:15 p.m., 12 views

Design/Logic Flaw

@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the...

CVSS 4.3 | AI score 4.7 | EPSS 0.0034
Exploits 0 | References 2 | Affected Software 1
Veracode
added 2023/08/25 2:53 a.m., 29 views

Cross-site Scripting (XSS)

github.com/prometheus/alertmanager is vulnerable to Cross-site Scripting (XSS). The vulnerability exists due to the lack of HTML sanitization in the generatorURL field of Alert.elm, which allows an attacker to inject and execute malicious JavaScript by sending a POST request to the /api/v1/alerts...

CVSS 7.5 | AI score 6.4 | EPSS 0.00568
Exploits 0 | References 5 | Affected Software 3
Cvelist
added 2023/08/25 12:00 a.m., 22 views

CVE-2023-41167

@webiny/react-rich-text-renderer before 5.37.2 allows XSS attacks by content managers. This is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. Webiny is an open-source serverless enterprise CMS. The @webiny/react-rich-text-renderer package depends on the...

AI score 5 | EPSS 0.0034
Exploits 0 | References 2
Github Security Blog
added 2023/08/24 10:16 p.m., 25 views

@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content

Overview: @webiny/react-rich-text-renderer is a React component to render data coming from Webiny Headless CMS and Webiny Form Builder. The @webiny/react-rich-text-renderer package depends on the editor.js rich text editor to handle rich text content. The CMS stores rich text content from the...

CVSS 4.8 | AI score 6.6 | EPSS 0.0034
Exploits 0 | References 5 | Affected Software 1
Veracode
added 2023/08/05 4:28 a.m., 21 views

Cross-Site Scripting (XSS)

pimcore/customer-management-framework-bundle is vulnerable to Cross-Site Scripting (XSS) attacks. The vulnerability is due to a lack of HTML sanitization in email templates, which allows an attacker to send an email which, when a link is clicked, redirects the user to a malicious site, enabling the attacker...

CVSS 5.4 | AI score 5.7 | EPSS 0.00538
Exploits 1 | References 4 | Affected Software 1
Veracode
added 2023/07/21 11:13 a.m., 16 views

Cross-site Scripting (XSS)

matrix-react-sdk is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of HTML sanitization in the export chat feature, which results in Cross-Site Scripting...

CVSS 6.1 | AI score 6.6 | EPSS 0.00448
Exploits 0 | References 4 | Affected Software 1
NVD
added 2023/07/06 7:15 p.m., 19 views

CVE-2023-36459

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview...

CVSS 9.3 | AI score 8.6 | EPSS 0.01093
Exploits 0 | References 6
CVE
added 2023/07/06 6:29 p.m., 53 views

CVE-2023-36459

CVE-2023-36459 affects Mastodon: an injection bypasses HTML sanitization via crafted oEmbed data, enabling XSS in preview cards. Affected versions are those prior to 3.5.9, 4.0.5, and 4.1.3. The issue is mitigated by upgrading to 3.5.9, 4.0.5, or 4.1.3, where a patch exists.

CVSS 9.3 | AI score 7.2 | EPSS 0.01093
Exploits 0 | References 6 | Affected Software 1
Vulnrichment
added 2023/07/06 6:29 p.m., 13 views

CVE-2023-36459 Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview...

CVSS 9.3 | AI score 5.8 | EPSS 0.01093
Exploits 0 | References 6
Cvelist
added 2023/07/06 6:29 p.m., 33 views

CVE-2023-36459 Mastodon vulnerable to Cross-site Scripting through oEmbed preview cards

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 1.3 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker using carefully crafted oEmbed data can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview...

CVSS 9.3 | AI score 8.6 | EPSS 0.01093
Exploits 0 | References 6
Veracode
added 2023/06/13 1:13 p.m., 17 views

Cross-Site Scripting (XSS)

phpmyfaq/phpmyfaq is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of HTML sanitization in the answer parameter, which allows an attacker to inject and execute arbitrary JavaScript in the browser...

CVSS 6.1 | AI score 6.5 | EPSS 0.00483
Exploits 0 | References 3 | Affected Software 2
Veracode
added 2023/06/08 10:38 a.m., 15 views

Cross-site Scripting (XSS)

avo is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in multiple files due to improper HTML sanitization of form content, which allows an attacker to inject and execute arbitrary JavaScript in a victim's browser...

CVSS 7.3 | AI score 6.8 | EPSS 0.00563
Exploits 1 | References 2 | Affected Software 1
Cvelist
added 2023/06/06 12:00 a.m., 11 views

CVE-2023-31606

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitizehtml function of the redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) by supplying a crafted payload...

AI score 7.3 | EPSS 0.01513
Exploits 1 | References 5
Veracode
added 2023/03/22 5:38 a.m., 25 views

Cross-site Scripting (XSS)

pimcore/pimcore is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in scheduler.js because it does not sanitize the HTML in the time field, which allows an attacker to inject and execute arbitrary JavaScript in the browser...

CVSS 4.8 | AI score 5.4 | EPSS 0.00402
Exploits 1 | References 3 | Affected Software 1