280 matches found
Cross-site Scripting (XSS)
Overview NuGetGallery is a Core support library for NuGet Gallery Frontend and Backend. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the handling of HTML element attributes. Details Cross-site scripting or XSS is a code vulnerability that occurs when an...
Cross-site Scripting (XSS)
Typo3 is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper parsing of values assigned to HTML attributes in the frontend's typolink functionality and improper encoding of error messages in the backend's filelist module when renaming files...
Cross-Site Scripting (XSS)
railsadmin is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improperly-escaped HTML title attributes in the RailsAdmin list view, which can allow attackers to inject malicious scripts. Note: While 3.1.3 is the safe version, its recommended to upgrade to 3.1.4 as the 3.1.3...
Cross Site Scripting (XSS)
zendframework/zend-form is vulnerable to Cross Site Scripting XSS. The vulnerability is due to the use of the escapeHtml helper instead of escapeHtmlAttr, leading to improper escaping of HTML attributes. An attacker can exploit this by injecting malicious code through user data or JavaScript in...
Cross-site Scripting (XSS)
zendframework/zendframework is vulnerable to Cross-site Scripting XSS. The vulnerability is due to view helpers using escapeHtml instead of escapeHtmlAttr to escape HTML attributes, which can lead to potential XSS attack vectors when user data or JavaScript is used...
CVE-2024-38356 TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
TinyMCE is an open source rich text editor. A cross-site scripting XSS vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditableregexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from t...
CVE-2024-38356 TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
TinyMCE is an open source rich text editor. A cross-site scripting XSS vulnerability was discovered in TinyMCE’s content extraction code. When using the noneditableregexp option, specially crafted HTML attributes containing malicious code were able to be executed when content was extracted from t...
Cross-site Scripting (XSS)
zendframework/zend-view is vulnerable to cross-site scripting XSS. The vulnerability is due to many view helpers using escapeHtml instead of the more appropriate escapeHtmlAttr for escaping HTML attributes, which can lead to potential XSS attack vectors when user data and/or JavaScript is used to...
Zend-Navigation vulnerable to Cross-site Scripting
Many Zend Framework 2 view helpers were using the escapeHtml view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting XSS attack...
GHSA-GVPP-6JRJ-5PQC Zend-Form vulnerable to Cross-site Scripting
Many Zend Framework 2 view helpers were using the escapeHtml view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting XSS attack...
ZendFramework has potential Cross-site Scripting vector in multiple view helpers
Many Zend Framework 2 view helpers were using the escapeHtml view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting XSS attack...
GHSA-M7HR-J867-3F34 ZendFramework has potential Cross-site Scripting vector in multiple view helpers
Many Zend Framework 2 view helpers were using the escapeHtml view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting XSS attack...
Zendframework has potential Cross-site Scripting vector in multiple view helpers
Many Zend Framework 2 view helpers were using the escapeHtml view helper in order to escape HTML attributes, instead of the more appropriate escapeHtmlAttr. In situations where user data and/or JavaScript is used to seed attributes, this can lead to potential cross site scripting XSS attack...
MGASA-2024-0199 Updated python-jinja2 packages fix security vulnerabilities
It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting XSS attack...
GHSA-WP8J-C736-C5R3 TYPO3 Cross-Site Scripting Vulnerability Exploitable by Editors
It has been discovered that link tags generated by typolink functionality in the website's frontend are vulnerable to cross-site scripting - values being assigned to HTML attributes have not been parsed correctly. A valid backend user account is needed to exploit this vulnerability. As second and...
USN-6787-1 jinja2 vulnerability
It was discovered that Jinja2 incorrectly handled certain HTML attributes that were accepted by the xmlattr filter. An attacker could use this issue to inject arbitrary HTML attribute keys and values to potentially execute a cross-site scripting XSS attack...
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
A cross-site scripting XSS flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. Th...
jinja2: HTML attribute injection when passing user input as keys to xmlattr filter
A cross-site scripting XSS flaw was found in Jinja2 due to the xmlattr filter allowing keys with spaces, contrary to XML/HTML attribute standards. If an application accepts user-input keys and renders them for other users, attackers can inject additional attributes, potentially leading to XSS. Th...
CVE-2024-34064 Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, , or =, as each would then be interpreted as starting a separate attribute. If an application accepts keys as...
Jinja2 -- Vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
[email protected] reports: Jinja is an extensible templating engine. The xmlattr filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, /, , or =, as each would then be interpreted as starting a separate...