CVE-2024-39123
In janeczku Calibre-Web 0.6.0 to 0.6.21, the edit_book_comments function is vulnerable to Cross Site Scripting (XSS) due to improper sanitization performed by the clean_string function. The vulnerability arises from the way the clean_string function handles HTML sanitization...
CVE-2023-38506
Summary of CVE-2023-38506 (Joplin): A Cross-site Scripting (XSS) vulnerability arises when pasting untrusted HTML into Joplin's rich text editor. HTML pasted into the editor is not properly sanitized, allowing the onload attribute of pasted images to execute arbitrary code. Because the TinyMCE e...
CVE-2023-38506 Cross-site Scripting (XSS) when pasting HTML into the rich text editor in Joplin
Joplin is a free, open source note taking and to-do application. A Cross-site Scripting (XSS) vulnerability allows pasting untrusted data into the rich text editor to execute arbitrary code. HTML pasted into the rich text editor is not sanitized or not sanitized properly. As such, the onload...
Cross Site Scripting
silverstripe/framework is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to Member::getName() returning raw HTML, which is injected directly without sanitization...
DEBIAN-CVE-2024-34078
html-sanitizer is an allowlist-based HTML cleaner. If using keep_typographic_whitespace=False (which is the default), the sanitizer normalizes unicode to the NFKC form at the end. Some unicode characters normalize to chevrons; this allows specially crafted HTML to escape sanitization. The problem has...
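The html-sanitizer entry describes an ordering bug rather than a missing filter: the allowlist pass runs over the raw input, and only afterwards is the text NFKC-normalized, so any character whose compatibility form is an ASCII chevron (for example U+FF1C FULLWIDTH LESS-THAN SIGN or U+FE64 SMALL LESS-THAN SIGN) survives the parser as harmless text and then becomes a live `<` in the output. The following is an added example, not html-sanitizer's code: a toy allowlist cleaner built on the standard library's HTMLParser stands in for the real lxml-based cleaner, and the two `clean_*` functions differ only in where the normalization step sits. The payloads are constructed for the demonstration.

```python
import html
import unicodedata
from html.parser import HTMLParser

# Toy allowlist sanitizer standing in for html-sanitizer's lxml-based cleaner.
# It keeps only these tags, drops every attribute, and re-escapes text nodes.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong"}


class _AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, but only ASCII &, < and > are touched: the
        # compatibility chevrons pass through untouched at this stage.
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def clean_vulnerable(fragment: str) -> str:
    """Sanitize, then NFKC-normalize (the order the advisory describes)."""
    return unicodedata.normalize("NFKC", sanitize(fragment))


def clean_fixed(fragment: str) -> str:
    """NFKC-normalize first, so the parser sees the chevrons NFKC produces."""
    return sanitize(unicodedata.normalize("NFKC", fragment))


# Constructed payloads: characters whose NFKC form is ASCII '<' / '>'.
PAYLOADS = [
    "<p>hi\uff1cimg src=x onerror=alert(1)\uff1e</p>",  # U+FF1C / U+FF1E fullwidth forms
    "<p>hi\ufe64img src=x onerror=alert(1)\ufe65</p>",  # U+FE64 / U+FE65 small forms
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print("vulnerable:", clean_vulnerable(payload))  # live <img onerror=...>
        print("fixed:     ", clean_fixed(payload))       # <p>hi</p>
```

The general rule this illustrates: every canonicalization step (Unicode normalization, percent-decoding, entity decoding, case folding) has to run before the security decision that depends on the canonical form, never after it. Anything that rewrites bytes after the sanitizer has signed off is a bypass waiting for the right input.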
Fedora 40 : rubygem-rails-html-sanitizer (2023-91e69ea326)
The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-91e69ea326 advisory. Automatic update for rubygem-rails-html-sanitizer-1.6.0-1.fc40. Changelog: Thu Nov 23 2023 Vít Ondruch - 1.6.0-1 - Update to rails-html-sanitizer 1.6....
CVE-2024-28855 ZITADEL vulnerable to improper HTML sanitization
ZITADEL, open source authentication management software, uses Go templates to render the login UI. Due to improper use of the text/template package instead of html/template, the Login UI did not sanitize input parameters prior to versions 2.47.3, 2.46.1, 2.45.1, 2.44.3, 2.43.9, 2.42.15, and...
Improper HTML sanitization in ZITADEL
Impact: ZITADEL uses Go templates to render the login UI. Due to improper use of the text/template package instead of html/template, the Login UI did not sanitize input parameters. An attacker could create a malicious link carrying injected code that would be rendered as part of the login...
GHSA-HFRG-4JWR-JFPJ Improper HTML sanitization in ZITADEL
Impact: ZITADEL uses Go templates to render the login UI. Due to improper use of the text/template package instead of html/template, the Login UI did not sanitize input parameters. An attacker could create a malicious link carrying injected code that would be rendered as part of the login...
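The ZITADEL entries above describe a reflected XSS with a single root cause: Go's text/template copies values into the output verbatim, while html/template escapes each value for the HTML context it lands in, so swapping the package was the fix. The following is an added example, not ZITADEL's code, that shows the same bug class with the Python standard library (Python is used for the other examples on this page): a request parameter from a crafted link is rendered once text/template-style and once with escaping applied at the sink. The template, the `loginName` parameter name and the login URL are assumptions made for the illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical login template with two sinks: a text node and a quoted attribute.
TEMPLATE = (
    "<h1>Welcome back, {login}</h1>\n"
    '<input name="loginName" value="{login}">'
)


def render_login_unsafe(login_name: str) -> str:
    # text/template-style rendering: the parameter lands in the page verbatim,
    # so '"><script>' closes the attribute and opens a script element.
    return TEMPLATE.format(login=login_name)


def render_login_safe(login_name: str) -> str:
    # html/template-style rendering for these two contexts: escape &, <, >,
    # " and ' so the value can neither start a tag in the text node nor close
    # the quoted attribute. (html/template does this per context automatically.)
    return TEMPLATE.format(login=html.escape(login_name, quote=True))


def login_name_from_url(url: str) -> str:
    """Pull loginName from a crafted link of the kind the advisory describes."""
    query = parse_qs(urlsplit(url).query)
    return query.get("loginName", [""])[0]


# Constructed malicious link; host and parameter name are assumptions.
MALICIOUS_LINK = (
    "https://login.example.test/login?loginName="
    "%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E"
)

if __name__ == "__main__":
    name = login_name_from_url(MALICIOUS_LINK)
    print(render_login_unsafe(name))  # contains a live <script> element
    print(render_login_safe(name))    # contains &quot;&gt;&lt;script&gt;...
```

Two caveats a reviewer would add. First, `html.escape` is correct only for text nodes and quoted attribute values; a value placed inside a `<script>` block, an event-handler attribute or an `href` needs JavaScript- or URL-context encoding instead, which is exactly the per-context decision Go's html/template makes and this snippet does not. Second, the fix belongs at the rendering layer, not at the URL parser: rejecting "bad" characters on the way in would leave every other path to the same template unprotected.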
HTML Injection
Sulu is vulnerable to HTML Injection. The vulnerability is due to improper HTML sanitization within the tag name. The HTML is executed when the tag name is listed in the auto-complete form...
Cross Site Scripting (XSS)
nextcloud/text is vulnerable to Cross Site Scripting (XSS). The vulnerability is caused by a lack of HTML sanitization in the clipboardTextParser method. The HTML code will get executed if a user copies and pastes HTML code without markup...
Debian: Security Advisory (DSA-5531-1)
The remote host is missing an update for the Debian...
TinyMCE XSS vulnerability in notificationManager.open API
Impact: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been...
GHSA-HGQX-R2HP-JR38 TinyMCE XSS vulnerability in notificationManager.open API
Impact: A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. The conditions for this exploit require carefully crafted malicious content to have been...
Cross site scripting
An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by...
Moderate: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.3.2 security updates and bug fixes
Multicluster Engine for Kubernetes 2.3.2 General Availability release images, which contain security updates and fix bugs. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...
Design/Logic Flaw
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to...
CVE-2023-42452 Mastodon vulnerable to Stored XSS through the translation feature
Mastodon is a free, open-source social network server based on ActivityPub. In versions on the 4.x branch prior to versions 4.0.10, 4.2.8, and 4.2.0-rc2, under certain conditions, attackers can abuse the translation feature to bypass the server-side HTML sanitization, allowing unescaped HTML to...
CVE-2023-42452
Mastodon CVE-2023-42452 affects 4.x branches prior to 4.0.10, 4.2.8, and 4.2.0-rc2. The issue allows Stored XSS via the translation feature by bypassing server-side HTML sanitization and executing unescaped HTML in the browser. Exploitation requires user interaction (clicking the Translate button...