
205 matches found

Prion
added 2022/06/30 1:15 p.m., 6 views

Cross site scripting

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view's tagName to...

2.6 CVSS, 7.3 AI score, 0.00336 EPSS
Exploits: 0, References: 3, Affected Software: 1

OSV
added 2021/12/10 6:58 p.m., 3 views

GHSA-2589-W6XF-983R Cross-site scripting in react-bootstrap-table

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting XSS via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output...

6.1 CVSS, 5.9 AI score, 0.00405 EPSS
Exploits: 1, References: 5

OSV
added 2021/09/22 8:39 p.m., 57 views

GHSA-QH7X-J4V8-QW5W Clipboard-based XSS

Impact XSS against the user. Details jsuites is vulnerable to DOM based XSS if the user can be tricked into copying anything from a malicious and pasting it into the html editor. This is because a part of the clipboard content is directly written to innerHTML causing XSS. References The Curious...

8.7 CVSS, 6.6 AI score, 0.00638 EPSS
Exploits: 0, References: 6

ATTACKERKB
added 2021/08/12 9:15 p.m., 2 views

CVE-2021-37700

@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. If the clipboard data contains the string , a div is dynamically created, and the clipboard content is copied into its...

6.5 CVSS, 5.7 AI score, 0.00672 EPSS
Exploits: 1, References: 6, Affected Software: 1

OSV
added 2021/06/24 3:15 p.m., 2 views

CVE-2021-23398

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting XSS via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output...

6.1 CVSS, 6.4 AI score
Exploits: 0, References: 4

Veracode
added 2021/01/25 6:33 a.m., 11 views

Cross-Site Scripting (XSS)

vis-timeline is vulnerable to cross-site scripting. An attacker is able to inject malicious code into the innerHTML property element...

6.8 CVSS, 1.9 AI score, 0.00517 EPSS
Exploits: 1, References: 2, Affected Software: 1

Veracode
added 2020/09/21 6:40 a.m., 36 views

Cross-site Scripting (XSS)

firefox is vulnerable to cross-site scripting XSS. The vulnerability exists when pasting a tag from the clipboard into a rich text editor, and the CSS sanitizer does not escape characters, and when a webpage subsequently copies the node's innerHTML, and assigns it to another innerHTML...

6.1 CVSS, 7.1 AI score, 0.02423 EPSS
Exploits: 0, References: 25, Affected Software: 4

Veracode
added 2020/09/21 6:32 a.m., 15 views

Cross-site Scripting (XSS)

firefox is vulnerable to cross-site scripting XSS. JavaScript in the "about:webrtc" page is not sanitized properly before being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could...

6.1 CVSS, 0.5 AI score, 0.00495 EPSS
Exploits: 1, References: 4, Affected Software: 2

Veracode
added 2020/09/21 6:29 a.m., 24 views

Cross-site Scripting (XSS)

Activity Stream is vulnerable to cross-site scripting XSS. It can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Strea...

5.3 CVSS, 0.9 AI score, 0.00602 EPSS
Exploits: 2, References: 5, Affected Software: 2

OSV
added 2020/09/03 5:6 p.m., 1 views

GHSA-R3XC-47QG-H929 Cross-Site Scripting in @ionic/core

Versions of @ionic/core prior to 4.0.3, 4.1.3, 4.2.1 or 4.3.1 are vulnerable to Cross-Site Scripting XSS. The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. This issue affects the components: ...

6.1 AI score
Exploits: 0, References: 3

OSV
added 2020/09/03 5:3 p.m., 9 views

GHSA-C53X-WWX2-PG96 Cross-Site Scripting in @berslucas/liljs

Versions of @berslucas/liljs prior to 1.0.2 are vulnerable to Cross-Site Scripting XSS. The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation Upgrade to version 1.0.2 or later...

6.5 CVSS, 6.9 AI score
Exploits: 0, References: 6

Veracode
added 2020/08/24 9:51 a.m., 5 views

Cross-site Scripting (XSS)

qunit is vulnerable to cross-site scripting XSS. The vulnerability exists as it does not escape the value of details.source in innerHTML of reporter/html.js...

1.4 AI score
Exploits: 0

Snyk
added 2020/04/21 11:42 a.m., 1 views

Cross-site Scripting (XSS)

Overview lazysizes is a fast jank-free, SEO-friendly and self-initializing lazyloader for images including responsive images picture/srcset, iframes, scripts/widgets and much more. It also prioritizes resources by differentiating between crucial in view and near view elements to make perceived...

5.7 CVSS, 6.2 AI score, 0.00341 EPSS
Exploits: 1, References: 2

Veracode
added 2020/02/25 5:39 a.m., 21 views

Cross-Site Scripting (XSS)

bleach is vulnerable to cross-site scripting XSS. Invocation of the bleach.clean method with a scripting parameter set to FALSE and raw tags such as title, textarea, script, style, noembed, noframes, iframe, xmp allows BleachHTMLParser to process user-contributed content using innerHTML property,...

6.1 CVSS, 1 AI score, 0.00267 EPSS
Exploits: 1, References: 13, Affected Software: 2

RedHat Linux
added 2020/01/30 9:3 a.m., 3 views

Mozilla: CSS sanitization does not escape HTML tags

When pasting a style tag from the clipboard into a rich text editor, the CSS sanitizer does not escape and characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently...

6.1 CVSS, 7.3 AI score, 0.02423 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2020/01/16 2:14 p.m., 3 views

Mozilla: CSS sanitization does not escape HTML tags

When pasting a style tag from the clipboard into a rich text editor, the CSS sanitizer does not escape and characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently...

6.1 CVSS, 7.3 AI score, 0.02423 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2020/01/16 12:2 p.m., 4 views

Mozilla: CSS sanitization does not escape HTML tags

When pasting a style tag from the clipboard into a rich text editor, the CSS sanitizer does not escape and characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently...

6.1 CVSS, 7.3 AI score, 0.02423 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2020/01/16 11:56 a.m., 3 views

Mozilla: CSS sanitization does not escape HTML tags

When pasting a style tag from the clipboard into a rich text editor, the CSS sanitizer does not escape and characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently...

6.1 CVSS, 7.3 AI score, 0.02423 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2020/01/14 6:46 p.m., 3 views

Mozilla: CSS sanitization does not escape HTML tags

When pasting a style tag from the clipboard into a rich text editor, the CSS sanitizer does not escape and characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently...

6.1 CVSS, 7.3 AI score, 0.02423 EPSS
Exploits: 0, References: 5

RedHat Linux
added 2020/01/13 2:52 p.m., 3 views

Mozilla: CSS sanitization does not escape HTML tags

When pasting a style tag from the clipboard into a rich text editor, the CSS sanitizer does not escape and characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently...

6.1 CVSS, 7.3 AI score, 0.02423 EPSS
Exploits: 0, References: 5