PT-2022-19682 · Misp · Misp

Name of the Vulnerable Software and Affected Versions: MISP versions prior to 2.4.158 Description: The issue is related to a Cross-Site Scripting XSS vulnerability in the cerebrate view. This occurs when one administrator enters a javascript: URL in the URL field, and another administrator clicks...

CVE-2022-24723 Improper Input Validation in URI.js

URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse ca...

CVE-2022-25256

SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfsrequestbacklabellist and saspfsrequestbackurllist. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing...

CVE-2021-45472

In MediaWiki through 1.37, XSS can occur in Wikibase because an external identifier property can have a URL format that includes a $1 formatter substitution marker, and the javascript: URL scheme among others can be used...

Mozilla Firefox Security Advisory (MFSA2012-16) - Linux

This host is missing a security update for Mozilla Firefox. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; y...

CVE-2021-39307

PDFTron's WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code...

CVE-2021-24467

The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the...

Cross-site Scripting in OWASP AntiSamy

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer XHTML is not affected. This was demonstrated by a javascript: URL with &00058 as the replacement for the : character...

CVE-2021-35043

A flaw was found in AnitSamy, where it allows a Cross-site Scripting attack XSS via HTML attributes when using the HTML output serializer XHTML is not affected. This issue was demonstrated by a javascript: URL with : as the replacement for the : character. The highest threat from this vulnerabili...

Cross site scripting

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer XHTML is not affected. This was demonstrated by a javascript: URL with &00058 as the replacement for the : character...

UBUNTU-CVE-2021-35043

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer XHTML is not affected. This was demonstrated by a javascript: URL with &00058 as the replacement for the : character...

CVE-2021-35043

OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer XHTML is not affected. This was demonstrated by a javascript: URL with &00058 as the replacement for the : character...

Brave Software: XSS on Brave Today through custom RSS feed

A vulnerability was discovered in Brave iOS's custom RSS feed feature that allowed for cross-site scripting XSS attacks. Attackers could add a malicious RSS feed containing a javascript: URL, which could execute arbitrary code when a user clicked on a link in Brave Today. The vulnerability was...

react-draft-wysiwyg 跨站脚本漏洞

react-draft-wysiwyg is an application. Wysiwyg editor built with ReactJS and DraftJS libraries. A cross-site scripting vulnerability exists in react-draft-wysiwyg versions prior to 1.14.6, which stems from allowing a javascript: URi in decorators/Link/index.js...

PYSEC-2021-114

Wagtail is a Django content management system. In affected versions of Wagtail, when saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could...

EulerOS 2.0 SP2 : python-lxml (EulerOS-SA-2021-1352)

According to the versions of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scriptin...

Nextcloud Server Cross-Site Scripting Vulnerability (CNVD-2021-09293)

Nextcloud is a set of client-server software for creating file hosting services and using them.Nextcloud Server is the server software. A cross-site scripting vulnerability exists in versions prior to Nextcloud Server 20.0.2, 19.0.5, and 18.0.11. The vulnerability stems from a lack of link...

Stored XSS in markdown file with Nextcloud Talk using Internet Explorer (NC-SA-2021-002)

A missing link validation in Nextcloud Server 20.0.1 allowed to execute a stored XSS attack on Internet Explorer users by saving a javascript url in a Markdown...

CVE-2020-6808

When a JavaScript URL javascript: is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL as reported by the document.location property, for example was the originating javascript: URL which could lead to...

CVE-2020-6808

When a JavaScript URL javascript: is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL as reported by the document.location property, for example was the originating javascript: URL which could lead to...