
2424 matches found

OSV
added 2020/09/27 9:15 p.m. · 0 views

UBUNTU-CVE-2020-25814

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with javascript:payload xss and turns it into a jQuery object with mw.message.parse. The expected result is that the jQuery object does not contain an <a> tag or it doe...

CVSS: 6.1 · AI score: 6.8 · EPSS: 0.00336
Exploits: 0 · References: 7

Prion
added 2020/09/27 9:15 p.m. · 12 views

Cross site request forgery (csrf)

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with javascript:payload xss and turns it into a jQuery object with mw.message.parse. The expected result is that the jQuery object does not contain an <a> tag or it doe...

CVSS: 4.3 · AI score: 6.3 · EPSS: 0.00336
Exploits: 0 · References: 4 · Affected Software: 2

Prion
added 2020/09/27 9:15 p.m. · 20 views

Cross site scripting

XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even...

CVSS: 4.3 · AI score: 6.4 · EPSS: 0.00283
Exploits: 1 · References: 3 · Affected Software: 2

Debian CVE
added 2020/09/27 8:29 p.m. · 29 views

CVE-2020-25814

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with javascript:payload xss and turns it into a jQuery object with mw.message.parse. The expected result is that the jQuery object does not contain an <a> tag or it doe...

CVSS: 6.1 · AI score: 6.3 · EPSS: 0.00336
Exploits: 0

Cvelist
added 2020/09/27 8:29 p.m. · 17 views

CVE-2020-25814

In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with javascript:payload xss and turns it into a jQuery object with mw.message.parse. The expected result is that the jQuery object does not contain an <a> tag or it doe...

AI score: 6.5 · EPSS: 0.00336
Exploits: 0 · References: 4

CVE
added 2020/09/27 8:29 p.m. · 93 views

CVE-2020-25814

CVE-2020-25814 affects MediaWiki with XSS via jQuery in mw.message().parse() for messages containing [javascript:payload xss]. Exploitable in MediaWiki before 1.31.10 and in 1.32.x–1.34.x before 1.34.4, where an link can execute when clicked. The GHSA advisory notes fixes for versions 1.31.9 and...

CVSS: 6.1 · AI score: 6.3 · EPSS: 0.00336
Exploits: 0 · References: 4 · Affected Software: 1

Positive Technologies
added 2020/09/25 12:00 a.m. · 1 views

PT-2020-6811 · Mediawiki +1

Name of the Vulnerable Software and Affected Versions: MediaWiki versions 1.31.10 and earlier MediaWiki versions 1.32.x through 1.34.3 Description: An issue was discovered in the non-jqueryMsg version of mw.message.parse, which doesn't escape HTML. This affects both message contents and the...

CVSS: 9.8 · AI score: 5.7 · EPSS: 0.0449
Exploits: 6 · References: 68

RedHat Linux
added 2020/09/23 4:12 p.m. · 2 views

jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods

A flaw was found in jQuery. HTML containing <option> elements from untrusted sources are passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS: 6.9 · AI score: 6.6 · EPSS: 0.34098
Exploits: 6 · References: 6

Github Security Blog
added 2020/09/18 6:03 p.m. · 29 views

Potential XSS in jQuery dependency in Mirador

Impact Mirador users less than v3.0.0 alpha-rc versions that have an unpatched jQuery. When adopters update jQuery they will find some of Mirador functionality to be broken. Patches Mirador adopters should update to v3.0.0, no updates exist for v2.x releases. Workarounds Yes, Mirador users could...

AI score: 1.3
Exploits: 0 · References: 2 · Affected Software: 1

OSV
added 2020/09/18 6:03 p.m. · 6 views

GHSA-HGWM-PV9H-Q5M7 Potential XSS in jQuery dependency in Mirador

Impact Mirador users less than v3.0.0 alpha-rc versions that have an unpatched jQuery. When adopters update jQuery they will find some of Mirador functionality to be broken. Patches Mirador adopters should update to v3.0.0, no updates exist for v2.x releases. Workarounds Yes, Mirador users could...

AI score: 7
Exploits: 0 · References: 2

Hewlett-Packard
added 2020/09/17 12:00 a.m. · 459 views

HPSBPI03688 rev. 1 - Certain HP Printer and MFP products - Cross-Site Scripting (XSS)

Potential Security Impact Cross-site Scripting XSS Source: HP, HP Product Security Response Team PSRT Reported by: The jQuery Foundation VULNERABILITY SUMMARY A potential security vulnerability has been identified for certain HP printers and MFPs. In jQuery versions before 3.5.0, passing HTML fro...

CVSS: 6.9 · AI score: 0.3 · EPSS: 0.34098
Exploits: 11

Hewlett-Packard
added 2020/09/17 12:00 a.m. · 59 views

Certain HP Printers and MFP products - Cross-Site Scripting (XSS)

A potential security vulnerability has been identified for certain HP printers and MFPs. In jQuery versions before 3.5.0, passing HTML from untrusted sources may execute untrusted code. Update your printer firmware...

CVSS: 6.9 · AI score: 6.6 · EPSS: 0.34098
Exploits: 11

OSV
added 2020/09/16 12:24 p.m. · 9 views

SUSE-SU-2020:2650-1 Security update for SUSE Manager Server 4.0

This update fixes the following issues: hibernate5: - Address CVE-2019-14900 bsc1172079 image-sync-formula: - Allow image-sync state on regular minion. Image sync state requires branch-network pillars to get the directory where to sync images. Use default /srv/saltboot if that pillar is missing s...

CVSS: 9.3 · AI score: 8.4 · EPSS: 0.02391
Exploits: 8 · References: 32

IBM Security Bulletins
added 2020/09/15 3:22 p.m. · 50 views

Security Bulletin: Multiple security vulnerabilities have been fixed in IBM Security Identity Manager Virtual Appliance

Summary IBM Security Identity Manager Virtual Appliance ISIM VA has addressed the following vulnerabilities Vulnerability Details CVEID: CVE-2014-0050 DESCRIPTION: Apache Commons FileUpload, as used in Apache Tomcat, Solr, and other products is vulnerable to a denial of service, caused by the...

CVSS: 9.8 · AI score: 0.9 · EPSS: 0.9265
Exploits: 20 · Affected Software: 1

Github Security Blog
added 2020/09/11 9:20 p.m. · 31 views

Malicious Package in github-jquery-widgets

Version 0.1.2 of github-jquery-widgets contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

AI score: 7
Exploits: 0 · References: 2 · Affected Software: 1

OSV
added 2020/09/11 9:20 p.m. · 12 views

GHSA-C722-PV5W-CFG2 Malicious Package in github-jquery-widgets

Version 0.1.2 of github-jquery-widgets contained malicious code. The code when executed in the browser would enumerate password, cvc and cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment and...

AI score: 7.2
Exploits: 0 · References: 1

IBM Security Bulletins
added 2020/09/11 6:49 a.m. · 12 views

Security Bulletin: IBM Kenexa LCMS Premier On Premise - [All] jQuery (Publicly disclosed vulnerability) CVEID: 180875

Summary We have identified that the IBM Kenexa LCMS Premier is affected by one or more security vulnerabilities. These have been addressed in LCMS Premier 14.0 version. Vulnerability Details Third Party Entry: 180875 DESCRIPTION: jQuery cross-site scripting CVSS Base score: 6.1 CVSS Temporal Scor...

AI score: 0.7
Exploits: 0 · Affected Software: 1

IBM Security Bulletins
added 2020/09/11 6:37 a.m. · 44 views

Security Bulletin: IBM Kenexa LCMS Premier On Premise - [All] jQuery (Publicly disclosed vulnerability) CVE-2020-11023, CVE-2020-11022

Summary We have identified that the IBM Kenexa LCMS Premier is affected by one or more security vulnerabilities. These have been addressed in LCMS Premier 14.0 version. Vulnerability Details CVEID: CVE-2020-11023 DESCRIPTION: jQuery is vulnerable to cross-site scripting, caused by improper...

CVSS: 6.9 · AI score: 0.5 · EPSS: 0.34098
Exploits: 11 · Affected Software: 1

Tenable Nessus
added 2020/09/04 12:00 a.m. · 45 views

FreeBSD : Gitlab -- multiple vulnerabilities (1fb13175-ed52-11ea-8b93-001b217b3468)

Gitlab reports : Vendor Cross-Account Assume-Role Attack Stored XSS on the Vulnerability Page Outdated Job Token Can Be Reused to Access Unauthorized Resources File Disclosure Via Workhorse File Upload Bypass Unauthorized Maintainer Can Edit Group Badge Denial of Service Within Wiki Functionality...

CVSS: 10 · AI score: 6.8 · EPSS: 0.02391
Exploits: 7 · References: 27

Github Security Blog
added 2020/09/03 7:11 p.m. · 34 views

Malicious Package in jquery-airload

Version 0.2.5 of jquery-airload contained malicious code. The code when executed in the browser would enumerate password, cvc, cardnumber fields from forms and send the extracted values to https://js-metrics.com/minjs.php?pl= Recommendation Remove the package from your environment. It's also...

AI score: 7
Exploits: 0 · References: 2 · Affected Software: 1