Lucene search

175 matches found

CVE | added 2022/11/21 12:00 a.m. | 60 views

CVE-2022-44787

CVE-2022-44787 affects Maggioli SpA Appalti & Contratti, version 9.12.2. The vulnerability is a reflected cross-site scripting (XSS) in the web application: the idPagina parameter is reflected in the server response without HTML encoding, allowing script injection when a user intera...

CVSS 6.1 | AI score 5.8 | EPSS 0.00423
Exploits: 1 | References: 1 | Affected software: 1
RedHat Linux | added 2022/11/16 3:09 p.m. | 3 views

nokogiri: ReDoS in HTML encoding detection

A flaw was found in the nokogiri library: an inefficient and complex regular expression used while detecting the encoding of HTML input lets an attacker cause excessive consumption of resources, which affects performance...

CVSS 7.5 | AI score 7.1 | EPSS 0.03354
Exploits: 0 | References: 5
OSV | added 2022/11/16 1:52 p.m. | 6 views

SUSE-SU-2022:4016-1 Security update for rubygem-nokogiri

This update for rubygem-nokogiri fixes the following issues:
- CVE-2022-24836: fixes a possible DoS caused by an inefficient regular expression in HTML encoding detection (bsc#1198408)
- CVE-2022-29181: fixes improper handling of unexpected data types (bsc#1199782)
...

CVSS 8.2 | AI score 7.6 | EPSS 0.03354
Exploits: 1 | References: 5
Hacker One | added 2022/08/09 10:12 p.m. | 21 views

Automattic: Stored XSS in intensedebate.com via the Comments RSS

Stored XSS in intensedebate.com via the Comments RSS. In our "comments.rss" file, the blog post's title is reflected into the XML RSS file without any encoding. So I installed IntenseDebate on my website https://wp.s2.cm, and created a blog post with an alert(document.domain) payload in the title. Then, ...

AI score 0.1
Exploits: 0
EUVD | added 2022/07/20 12:00 a.m. | 2 views

EUVD-2022-6344

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label's contents...

CVSS 6.1 | AI score 6.3 | EPSS 0.01895
Exploits: 1 | References: 18
Github Security Blog | added 2022/07/18 5:07 p.m. | 165 views

jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label

Impact: Initializing a checkboxradio widget on an input enclosed within a label makes that parent label's contents considered as the input label. If you call .checkboxradio("refresh") on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can le...

CVSS 6.1 | AI score 6.5 | EPSS 0.01895
Exploits: 1 | References: 14 | Affected software: 4
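As an added illustration of the failure mode the two jQuery UI entries above describe (a constructed example, not jQuery UI's code or a reproduction of its internals): a widget reads a label's text, which the browser has already entity-decoded, and on "refresh" writes that string back as HTML, so entities the page author encoded come back as live tags. Node.js has no DOM, so the two browser operations are modelled by small decodeEntities/encodeEntities helpers; all function names and the label payload are assumptions made for the example.

```javascript
// Constructed example, not jQuery UI code: a label whose initial markup is
// HTML-encoded is "refreshed" by reading its text (which the browser has
// already entity-decoded) and writing that text back as HTML.
//
// Node.js has no DOM, so the two browser operations are modelled:
//   reading element.textContent -> decodeEntities(markup)
//   writing element.innerHTML   -> the string is parsed as markup

const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// What the browser hands back from textContent for encoded markup.
function decodeEntities(markup) {
  return markup.replace(/&(#\d+|#x[0-9a-f]+|[a-z]+);/gi, (whole, name) => {
    if (name[0] === "#") {
      const hex = name[1].toLowerCase() === "x";
      const code = hex ? parseInt(name.slice(2), 16) : parseInt(name.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, key) ? NAMED_ENTITIES[key] : whole;
  });
}

// What any writer must do to text before it goes into an HTML context.
function encodeEntities(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Stand-in for "the HTML parser produced an element from this string".
function containsTag(markup) {
  return /<[a-z][^>]*>/i.test(markup);
}

// Vulnerable refresh: decoded text is written straight back as HTML, so the
// entities the page author encoded come back to life as real tags.
function refreshVulnerable(initialLabelMarkup) {
  const text = decodeEntities(initialLabelMarkup); // what .text()/textContent gives
  return text;                                     // what then goes into .html()
}

// Hardened refresh: the text is re-encoded before being written as HTML.
function refreshSafe(initialLabelMarkup) {
  return encodeEntities(decodeEntities(initialLabelMarkup));
}

// Constructed label: inert in the page source because it is encoded.
const LABEL = "Subscribe &lt;img src=x onerror=alert(document.domain)&gt;";

console.log("vulnerable:", refreshVulnerable(LABEL)); // contains a live <img> tag
console.log("safe:      ", refreshSafe(LABEL));       // still encoded text
```

The general rule the example shows: text obtained from the DOM (textContent, jQuery .text()) is already decoded, so it must be re-encoded, or written with a text-setting API rather than an HTML-setting one, before it is reinserted.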
Huntr | added 2022/06/30 2:06 p.m. | 9 views

Cross-site Scripting (XSS) - Stored in Space Name

Description: Cross-site scripting (XSS), stored in the space name. Because the space name is not HTML encoded, the "Confirm action" modal pops up and the script is executed. Proof of concept: Step 1: Create a new space and fill in the name with this payload: "alert(1). Step 2: Send an invite to the victim, then save. Ste...

AI score 0.7
Exploits: 0 | References: 1
CNVD | added 2022/04/28 12:00 a.m. | 17 views

nopCommerce Cross-Site Scripting Vulnerability (CNVD-2022-70102)

nopCommerce is an open source general-purpose e-commerce platform. nopCommerce version 4.50.1 contains a cross-site scripting vulnerability that stems from a customer's name being reflected in the response without HTML encoding, which can be exploited by an attacker to inject javascrip...

CVSS 3.5 | AI score 0.8 | EPSS 0.00456
Exploits: 1 | Affected software: 1
AlpineLinux | added 2022/04/11 12:00 a.m. | 70 views

CVE-2022-24836

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri versions prior to 1.13.4 are affected (fixed in 1.13.4). There are no known workarounds for this issue...

CVSS 7.5 | AI score 7.6 | EPSS 0.03354
Exploits: 0
CNNVD | added 2022/04/11 12:00 a.m. | 2 views

Nokogiri security vulnerability

Nokogiri is an open source software library for parsing HTML and XML in Ruby. A security vulnerability exists in versions prior to Nokogiri 1.13.4 that stems from susceptibility to excessive backtracking when attempting to detect the encoding of HTML documents...

CVSS 7.5 | AI score 7.9 | EPSS 0.03354
Exploits: 0 | References: 21
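As an added example of the ReDoS class the nokogiri entries above describe (constructed; not nokogiri's code, and the pattern shown is not the one nokogiri used): a charset sniffer built with a nested quantifier, `([^>]*\s+)*`, backtracks exponentially on a `<meta>` tag that carries many attributes but no charset, shown beside a bounded sniffer that inspects only the first 1 KiB of input and matches each tag with a linear pattern. All names, the size limit and the probe input are assumptions made for the example.

```javascript
// Constructed example, not nokogiri's code: two charset sniffers for an HTML
// prologue. The naive one uses a nested quantifier, ([^>]*\s+)*, so a <meta>
// tag with n attributes and no charset can be split 2^n ways before the match
// fails; the bounded one inspects only the first MAX_SNIFF characters and
// matches each tag with a pattern whose parts cannot overlap.

const MAX_SNIFF = 1024; // sniff only the first 1 KiB, as browsers do

// Vulnerable: work doubles with every extra attribute in the probe below,
// because each whitespace run can either end a group iteration or be
// swallowed by [^>]*, and the engine tries every combination before failing.
const NAIVE_META_RE = /<meta\s+([^>]*\s+)*charset\s*=\s*["']?([A-Za-z0-9._-]+)/i;

function detectCharsetNaive(html) {
  const m = NAIVE_META_RE.exec(html);
  return m ? m[2].toLowerCase() : null;
}

// Hardened: find each <meta ...> tag, then look for charset inside that tag
// only. Both patterns are linear in the length of the (bounded) input.
const META_TAG_RE = /<meta\b([^>]*)>/gi;
const CHARSET_ATTR_RE = /\bcharset\s*=\s*["']?([A-Za-z0-9._-]+)/i;

function detectCharsetBounded(html) {
  const head = html.slice(0, MAX_SNIFF);
  META_TAG_RE.lastIndex = 0;
  let tag;
  while ((tag = META_TAG_RE.exec(head)) !== null) {
    // Also covers content="text/html; charset=..." on http-equiv meta tags.
    const attr = CHARSET_ATTR_RE.exec(tag[1]);
    if (attr) return attr[1].toLowerCase();
  }
  return null;
}

// Constructed probe: many attributes, no '=', no closing '>', so the naive
// regex has to fail and must try every way of grouping the words first.
function redosProbe(attributes) {
  return "<meta " + "a ".repeat(attributes) + "x";
}

console.log(detectCharsetBounded('<meta charset="UTF-8">')); // utf-8
console.log(detectCharsetBounded(redosProbe(100000)));       // null, immediately
// detectCharsetNaive(redosProbe(30)) needs on the order of 2^30 backtracking
// steps before it can return null; never run a pattern like it on untrusted
// input in a request handler.
```

The two mitigations shown are independent and worth combining: cap how much input the sniffer sees, and keep the pattern free of overlapping or nested repetitions so its worst case stays linear in that bounded input.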
OSV | added 2022/03/23 8:15 p.m. | 3 views

CVE-2021-27418

GE UR firmware versions prior to version 8.1x support a web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, the UR firmware web server does not perform HTM...

CVSS 6.1 | AI score 6.5
Exploits: 0 | References: 2
NVD | added 2022/03/23 8:15 p.m. | 12 views

CVE-2021-27418

GE UR firmware versions prior to version 8.1x support a web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, the UR firmware web server does not perform HTM...

CVSS 6.1 | EPSS 0.00585
Exploits: 0 | References: 2
Prion | added 2022/03/23 8:15 p.m. | 13 views

Cross-site scripting

GE UR firmware versions prior to version 8.1x support a web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, the UR firmware web server does not perform HTM...

CVSS 4.3 | AI score 6.5 | EPSS 0.00585
Exploits: 0 | References: 2 | Affected software: 19
CVE | added 2022/03/23 7:46 p.m. | 100 views

CVE-2021-27418

GE UR firmware prior to 8.1x exposes a web interface with read-only access that does not properly validate user input and fails to HTML-encode user-supplied strings, enabling cross-site scripting (CVE-2021-27418). Red Hat, NVD/NIST, and ICS references corroborate a web server input-validation wea...

CVSS 6.1 | AI score 5.8 | EPSS 0.00585
Exploits: 0 | References: 2 | Affected software: 1
Cvelist | added 2022/03/23 7:46 p.m. | 14 views

CVE-2021-27418: GE UR family input validation

GE UR firmware versions prior to version 8.1x support a web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, the UR firmware web server does not perform HTM...

CVSS 5.3 | AI score 6.2 | EPSS 0.00585
Exploits: 0 | References: 2
Huntr | added 2022/03/21 3:43 a.m. | 30 views

Non-Privileged User Can Create New Rule and Lead to Stored Cross-Site Scripting

Vulnerability type: Stored cross-site scripting (XSS)
Affected URL: https://localhost/openemr-6.0.0/ /interface/super/rules/index.php?action=edit!submitsummary
Affected parameter: "fldtitle"
Authentication required? Yes
Issue summary: Non-privileged users (accounting, front-office) can create a new rule an...

CVSS 3.5 | EPSS 0.769
Exploits: 2 | References: 1
Veracode | added 2022/03/17 6:05 a.m. | 32 views

Cross-site Scripting (XSS)

@braintree/sanitize-url is vulnerable to cross-site scripting. The vulnerability exists due to a lack of validation of HTML encoding...

CVSS 6.1 | AI score 0.8 | EPSS 0.01423
Exploits: 1 | References: 10 | Affected software: 3
Hacker One | added 2022/03/15 5:22 p.m. | 34 views

OneWeb: Cross-site scripting (DOM-based)

Issue detail: The application may be vulnerable to DOM-based cross-site scripting. Data is read from window.location.hash and passed to $(). The exploitability of this issue might depend on the specific version of jQuery that is being used. Issue background: DOM-based vulnerabilities arise when a...

AI score 6.4
Exploits: 0
OSV | added 2022/02/09 11:15 p.m. | 3 views

CVE-2022-22546

Due to improper HTML encoding in the input control summary, an authorized attacker can exploit an XSS vulnerability in SAP Business Objects Web Intelligence BI Launchpad, version 420...

CVSS 5.4 | AI score 6.1 | EPSS 0.00482
Exploits: 0 | References: 2
NVD | added 2022/02/09 11:15 p.m. | 18 views

CVE-2022-22546

Due to improper HTML encoding in the input control summary, an authorized attacker can exploit an XSS vulnerability in SAP Business Objects Web Intelligence BI Launchpad, version 420...

CVSS 5.4 | EPSS 0.00482
Exploits: 0 | References: 2