GHSA-64VR-G452-QVP3 Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Summary: We discovered a DOM Clobbering vulnerability in Vite when building scripts to the cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements, e.g., an img tag with an unsanitized name...
CVE-2024-8373
Improper sanitization of the value of the srcset attribute in HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing (https://owasp.org/www-community/attacks/ContentSpoofing). This issue affects all versions of...
CVE-2024-8373
CVE-2024-8373 affects AngularJS across distributions; root cause is improper sanitization of the srcset attribute in HTML elements, enabling potential Content Spoofing. Affected versions are older AngularJS; Debian LTS advisory (DLA-4242) fixes angular.js to 1.8.3-1+deb12u1~deb11u1, and related ...
Cross-Site Scripting (XSS)
Webpack is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper handling and lack of sanitization of HTML elements and their attributes in Webpack's AutoPublicPathRuntimeModule, allowing attacker-controlled elements to execute malicious scripts...
CVE-2024-43788
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s...
CVE-2024-38859 XSS in view page with SLA column
XSS in the view page with the SLA column configured in Checkmk versions prior to 2.3.0p14, 2.2.0p33, 2.1.0p47 and 2.0.0 (EOL) allowed malicious users to execute arbitrary scripts by injecting HTML elements into the SLA column title. These scripts could be executed when the view page was cloned by...
CVE-2024-28832 XSS in Crash Report Page
Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings...
CVE-2024-28832
CVE-2024-28832 describes a stored XSS vulnerability in the Crash Report page of Checkmk. Affected versions before 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 (EOL) allow users with permission to change Global Settings to inject HTML in the Crash Report URL, potentially executing scripts. The issue ari...
CVE-2024-28831 XSS in confirmation pop-up
Stored XSS in some confirmation pop-ups in Checkmk before versions 2.3.0p7 and 2.2.0p28 allows Checkmk users to execute arbitrary scripts by injecting HTML elements into some user input fields that are shown in a confirmation pop-up...
GHSA-F6MH-79VH-2HV7 Cross-site Scripting in Moodle Chat
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's UsingChat page says "If you know some HTML code, you can use it in your text to do things like insert image...
CVE-2024-28593
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's UsingChat page says "If you know some HTML code, you can use it in your text to do things like insert image...
UBUNTU-CVE-2024-28593
The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's UsingChat page says "If you know some HTML code, you can use it in your text to do things like insert image...
PT-2024-22490 · Moodle · Moodle
Name of the Vulnerable Software and Affected Versions: Moodle version 4.3.3 Description: The Chat activity in Moodle allows students to insert potentially unwanted HTML elements, such as A or IMG elements, or HTML content that can lead to performance degradation. The vendor's documentation notes...
Internet Bug Bounty: [CVE-2023-23913] DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
A DOM-based cross-site scripting vulnerability was discovered in rails-ujs, affecting versions 5.1.0 and above. By pasting malicious HTML content with specific attributes into a contenteditable element, an attacker could execute arbitrary JavaScript on the affected origin. The vulnerability has...
Cross-site Scripting (XSS)
braft-editor is vulnerable to Cross-site Scripting. The vulnerability exists due to a lack of sanitization of HTML elements in the embed media feature, which allows an attacker to inject and execute malicious JavaScript in the browser...
Debian: Security Advisory (DSA-5471-1)
The remote host is missing an update for the Debian... Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders...