445 matches found
CVE-2020-26956
Mozilla: XSS through paste (manual and clipboard API)
In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox 83, Firefox ESR 78.5, and Thunderbird 78.5...
Cross-Site Scripting (XSS)
handsontable is vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML before displaying it in a user's browser, allowing an attacker to insert and execute arbitrary JavaScript via the built-in functionalities...
GHSA-25V4-MCX4-HH35 Cross-Site Scripting in atlasboard-atlassian-package
All versions of atlasboard-atlassian-package prior to 0.4.2 are vulnerable to Cross-Site Scripting XSS. The package fails to properly sanitize user input that is rendered as HTML, which may allow attackers to execute arbitrary JavaScript in a victim's browser. This requires attackers being able t...
GHSA-5634-RV46-48JF Cross-Site Scripting in bleach
All versions of bleach are vulnerable to Cross-Site Scripting. It is possible to bypass the package's HTML sanitization with payloads such as "<script>alert('xss');</script>" regardless of the passed options. This may allow attackers to execute arbitrary JavaScript in the victim's browser. Recommendatio...
Cross-Site Scripting in c3
Affected versions of c3 are vulnerable to cross-site scripting via improper sanitization of HTML in rendered tooltips. Recommendation Update to 0.4.11 or later...
GHSA-5CP4-XMRW-59WF XSS via JQLite DOM manipulation functions in AngularJS
Summary XSS may be triggered in AngularJS applications that sanitize user-controlled HTML snippets before passing them to JQLite methods like JQLite.prepend, JQLite.after, JQLite.append, JQLite.replaceWith, JQLite.append, new JQLite and angular.element. Description JQLite DOM manipulation library...
PT-2020-6126 (lxml)
Name of the Vulnerable Software and Affected Versions: lxml versions prior to 4.6.3. Description: A remote attacker could exploit this flaw to run arbitrary JS code on users who interact with incorrectly sanitized HTML. The issue arises when the safe_attrs_only and forms arguments are disabled in...
Design/Logic Flaw
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Mos...
CVE-2020-4054
In Sanitize RubyGem sanitize greater than or equal to 3.0.0 and less than 5.2.1, there is a cross-site scripting vulnerability. When HTML is sanitized using Sanitize's "relaxed" config, or a custom config that allows certain elements, some content in a math or svg element may not be sanitized...
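Several of the listings above are the same two sanitizer failure classes seen from different projects: a script element or event handler that survives filtering (bleach, Mozilla's SVG handlers left behind after element removal), and SVG or MathML foreign content whose inner markup is not cleaned (the Sanitize gem's math/svg case), plus sanitized output that changes meaning once a DOM helper re-parses it (AngularJS JQLite). The Python sanitizer below is an added example, not code from any of those projects. It shows the two controls a practitioner would want: drop script, svg and math subtrees wholesale instead of filtering inside them, and check that sanitizing is idempotent (sanitize(sanitize(x)) == sanitize(x)), which is a cheap regression test for mutation but does not replace testing in the target browser's own parser. The tag allowlist, the probe regex and the payload corpus are all constructed for this example.

```python
"""Allowlist HTML sanitizer that drops foreign content and checks idempotence.

Added example, not code from any advisory or project listed on this page.
Allowlists, payloads and the foothold regex are constructed for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}       # no on* handler can ever pass
SAFE_SCHEMES = {"http", "https", "mailto"}
# Entire subtree discarded. svg/math are foreign content: the parser switches
# namespace inside them, so filtering element-by-element tends to leave
# handlers or mutation gadgets behind (see the Mozilla and Sanitize entries).
DROP_SUBTREE = {"script", "style", "iframe", "object", "embed", "template", "svg", "math"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def _safe_href(value):
    # Remove whitespace/control characters first so "java\tscript:" cannot
    # sneak past the scheme check; then compare the scheme, not a prefix.
    compact = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    if ":" not in compact:
        return True                              # relative URL, no scheme
    return compact.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []      # allowed tags currently open, to emit balanced output
        self.drop_depth = 0      # > 0 while inside a dropped subtree

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_SUBTREE:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                               # unknown element: drop tag, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag not in VOID_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            while True:                          # close mis-nested tags on the way out
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))        # comments, decls and PIs are dropped by default


def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    for tag in reversed(p.open_tags):            # close whatever the input left open
        p.out.append("</%s>" % tag)
    return "".join(p.out)


def is_idempotent(html):
    """Mutation check: a second pass over the output must be a no-op."""
    once = sanitize(html)
    return once == sanitize(once)


# Constructed payloads modelled on the advisory classes on this page.
PAYLOADS = [
    "<script>alert('xss');</script>",
    '<p onclick="alert(1)">hi</p>',
    '<svg><a xlink:href="javascript:alert(1)">go</a></svg>',
    "<math><mtext><table><mglyph><style><img src=x onerror=alert(1)>",
    '<a href="  JaVaScRiPt:alert(1)">x</a>',
    '<a href="java\tscript:alert(1)">x</a>',
    "<img src=x onerror=alert(1)>",
    "<b>bold <i>and</b> italic</i>",
]
FOOTHOLD = re.compile(r"<(script|svg|math)\b|<[^>]*\son[a-z]+\s*=|=\s*\"?\s*javascript:", re.I)


def probe(sanitizer=sanitize):
    """Return (payload, output) pairs where a scripting foothold survived."""
    return [(p, sanitizer(p)) for p in PAYLOADS if FOOTHOLD.search(sanitizer(p))]


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "->", repr(sanitize(p)), "idempotent:", is_idempotent(p))
    print("survivors:", probe())
```

Drop-the-subtree is deliberately coarser than what the affected libraries tried to do; if a product needs inline SVG, that is a separate sanitizer with its own allowlist and its own tests, not an exception carved into this one. The probe regex is a regression aid for the payload corpus, not a detector for arbitrary output.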
CVE-2020-11051
In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor. An editor with write access to a page, using the Markdown editor, could inject an XSS payload into the content. If another editor with write access also loads the same page into the Markdown editor, the XSS payload will be...
CVE-2020-11051 XSS in Wiki.js
CVE-2020-11051 : Wiki.js before 2.3.81 has a stored XSS in the Markdown editor. An editor with write access can inject payloads into content; when another editor loads the same page in the Markdown editor, the payload can execute in the preview panel. The HTML sanitization strips the payload in r...