Cross Site Scripting(XSS)

wireui/wireui is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the lack of proper sanitization or escaping of user input in the label query parameter of the /wireui/button endpoint, which allows malicious actors to inject JavaScript and execute arbitrary code in the victim's...

CVE-2024-45803

Wire UI (wireui/wireui) for Laravel/Livewire is affected by an XSS in the /wireui/button endpoint via the label query parameter. The input is not properly sanitized, allowing injected JavaScript to execute in the victim’s browser, with potential session hijacking, user impersonation, phishing, or...

CVE-2024-45803 Cross site scripting (XSS) Vulnerability on route /wireui/button?label=Content in wireui

Wire UI is a library of components and resources to empower Laravel and Livewire application development. A potential Cross-Site Scripting XSS vulnerability has been identified in the /wireui/button endpoint, specifically through the label query parameter. Malicious actors could exploit this...

CVE-2024-45803 Cross site scripting (XSS) Vulnerability on route /wireui/button?label=Content in wireui

Wire UI is a library of components and resources to empower Laravel and Livewire application development. A potential Cross-Site Scripting XSS vulnerability has been identified in the /wireui/button endpoint, specifically through the label query parameter. Malicious actors could exploit this...

Wire UI 安全漏洞

Wire UI is a component and repository of Wire UI open source. It is used to support Laravel and Livewire application development. Wire UI has a security vulnerability that stems from insufficient cleaning or escaping of user input. An attacker can exploit the vulnerability to inject malicious...

CVE-2024-45799

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a...

CVE-2024-45799 Javascript Injection in Vending Info/Buyers Info Module in FluxCP

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a...

CVE-2024-45799

Affected software: FluxCP web-based control panel for rAthena servers. Vulnerability: JavaScript injection via un sanitised content on venders/buyers list pages and shop names. Root cause / how it works: Unsanitised data in the shop-related pages allows injecting arbitrary JavaScript code that is...

CVE-2024-45799 Javascript Injection in Vending Info/Buyers Info Module in FluxCP

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a...

CVE-2024-45799 Javascript Injection in Vending Info/Buyers Info Module in FluxCP

FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a...

PT-2024-31780 · Fluxcp · Fluxcp

Name of the Vulnerable Software and Affected Versions: FluxCP versions prior to 1.3 Description: A JavaScript injection is possible via vendors/buyers list pages and shop names that are not sanitized, allowing the execution of arbitrary JavaScript code on the user's browser. This can result in th...

SnappyMail 跨站脚本漏洞

SnappyMail is a simple, modern, lightweight and fast web-based e-mail client from Maarten Personal Developers. A cross-site scripting vulnerability exists in SnappyMail versions prior to v2.38.0, which stems from the cleanHtml function allowing too many invalid HTML elements. An attacker can...

CVE-2024-45592

auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because %sourcelabel% in twig macro is not escaped. Therefore script...

CVE-2024-45592

CVE-2024-45592 affects auditor-bundle (formerly DoctrineAuditBundle) used with Symfony 3.4+. The root cause is an unescaped %source_label% in the Twig macro, permitting Javascript injection and execution. Evidence across sources confirms this XSS vector and that patches are available in versions ...

CVE-2024-45592 auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped

auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because %sourcelabel% in twig macro is not escaped. Therefore script...

CVE-2024-45592 auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped

auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because %sourcelabel% in twig macro is not escaped. Therefore script...

auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped

Summary Unescaped entity property enables Javascript injection. Details I think this is possible because %sourcelabel% in twig macro is not escaped. Therefore script tags can be inserted and are executed. PoC - clone example project https://github.com/DamienHarper/auditor-bundle-demo - create...

GHSA-78VG-7V27-HJ67 auditor-bundle vulnerable to Cross-site Scripting because name of entity does not get escaped

Summary Unescaped entity property enables Javascript injection. Details I think this is possible because %sourcelabel% in twig macro is not escaped. Therefore script tags can be inserted and are executed. PoC - clone example project https://github.com/DamienHarper/auditor-bundle-demo - create...

auditor-bundle 跨站脚本漏洞

auditor-bundle is a tool by Damien Harper Personal Developer. A cross-site scripting vulnerability exists in auditor-bundle versions prior to 6.0.0, which stems from an unescaped entity attribute that enables Javascript injection...

ALPINE-CVE-2023-39333

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability...