120 matches found

RedhatCVE
added 2025/05/23 7:23 a.m., 3 views

CVE-2024-26148

Querybook is a user interface for querying big data. Prior to version 3.31.1, there is a vulnerability in Querybook's rich text editor that enables users to input arbitrary URLs without undergoing necessary validation. This particular security flaw allows the use of javascript: protocol which can...

CVSS 6.1 | AI score 6.4 | EPSS 0.00317
Exploits 0 | References 1
Positive Technologies
added 2025/02/06 12:00 a.m., 2 views

PT-2025-5844 · Nuxt.Js · @Nuxtjs/Mdc

Name of the Vulnerable Software and Affected Versions: @nuxtjs/mdc versions prior to 0.13.3 Description: The issue arises from unsafe parsing logic of the URL from markdown, which can lead to arbitrary JavaScript code execution due to a bypass of the existing guards around the javascript: protoco...

CVSS 9.3 | AI score 7 | EPSS 0.00043
Exploits 0 | References 16
Cvelist
added 2025/02/03 9:14 p.m., 29 views

CVE-2025-23210 Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting XSS sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1....

CVSS 4.8 | EPSS 0.00113
Exploits 0 | References 2
Github Security Blog
added 2025/02/03 3:39 p.m., 21 views

PhpSpreadsheet allows bypassing of XSS sanitizer using the javascript protocol and special characters

Product: PhpSpreadsheet Version: 3.8.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS vector v.4.0: 4.8 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N Description: an attack...

CVSS 4.8 | AI score 5.8 | EPSS 0.00113
Exploits 0 | References 4 | Affected Software 2
NVD
added 2025/01/03 6:15 p.m., 10 views

CVE-2024-56412

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the...

CVSS 5.4 | EPSS 0.0031
Exploits 1 | References 2
Github Security Blog
added 2025/01/03 5:29 p.m., 16 views

PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

Bypass XSS sanitizer using the javascript protocol and special characters Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS vector v.4.0:...

CVSS 5.4 | AI score 6.3 | EPSS 0.0031
Exploits 1 | References 4 | Affected Software 2
OSV
added 2025/01/03 5:29 p.m., 11 views

GHSA-Q9JV-MM3R-J47R PhpSpreadsheet allows bypass XSS sanitizer using the javascript protocol and special characters

Bypass XSS sanitizer using the javascript protocol and special characters Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS vector v.4.0:...

CVSS 5.4 | AI score 5.9 | EPSS 0.0031
Exploits 1 | References 4
CVE
added 2025/01/03 5:20 p.m., 52 views

CVE-2024-56412

PhpSpreadsheet vulnerability CVE-2024-56412 allows bypassing the XSS sanitizer via the javascript protocol and special characters in the Writer\Html component (generateRow). Affected versions are before 3.7.0, 2.3.5, 2.1.6, and 1.29.7. The issue can cause an attacker-created HTML link to be gener...

CVSS 5.4 | AI score 6 | EPSS 0.0031
Exploits 1 | References 2 | Affected Software 1
Cvelist
added 2025/01/03 5:20 p.m., 14 views

CVE-2024-56412 PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the...

CVSS 4.8 | EPSS 0.0031
Exploits 1 | References 2
OSV
added 2025/01/03 5:20 p.m., 7 views

CVE-2024-56412 PhpSpreadsheet vulnerable to bypass of the XSS sanitizer using the javascript protocol and special characters

PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters, so that the...

CVSS 4.8 | AI score 6 | EPSS 0.0031
Exploits 1 | References 4
CNNVD
added 2025/01/03 12:00 a.m., 1 view

PhpSpreadsheet Cross-Site Scripting Vulnerability

PhpSpreadsheet is an open source PHP library from PHPOffice for reading and writing spreadsheet files. PhpSpreadsheet suffers from a cross-site scripting vulnerability that stems from the ease of exploiting the javascript protocol and special characters to bypass the cross-site script cleaner...

CVSS 5.4 | AI score 6 | EPSS 0.0031
Exploits 1 | References 2
Positive Technologies
added 2024/12/27 12:00 a.m., 6 views

PT-2024-67: XSS Bypass sanitizer using the javascript protocol and special characters in PhpSpreadsheet

The vulnerability was identified in PhpSpreadsheet, versions = 3.0.0, = 2.0.0, = 2.2.0, = 3.0.0, = 2.0.0, = 2.2.0, = 2.3.4 to 2.3.5 or higher. Additional information: Security advisory. Researcher: Aleksey Solovev, Positive Technologies...

CVSS 5.4 | AI score 5.8 | EPSS 0.0031
Exploits 1 | References 1
Cvelist
added 2024/11/04 11:07 p.m., 16 views

CVE-2024-51498 [@imput/cobalt-web] Cross-site Scripting when downloading picker image from malicious instance

cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the javascript: protocol, resulting in Cross-site Scripting XSS when the user tries to download an item from a picker. This issue has been present since commit 66bac03e, was mitigated in...

CVSS 6 | EPSS 0.00226
Exploits 0 | References 4
OSV
added 2024/11/04 11:07 p.m., 8 views

CVE-2024-51498 [@imput/cobalt-web] Cross-site Scripting when downloading picker image from malicious instance

cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the javascript: protocol, resulting in Cross-site Scripting XSS when the user tries to download an item from a picker. This issue has been present since commit 66bac03e, was mitigated in...

CVSS 6 | AI score 6.2 | EPSS 0.00226
Exploits 0 | References 6
CNNVD
added 2024/11/04 12:00 a.m., 1 view

cobalt Cross-Site Scripting Vulnerability

cobalt is an open source media downloader from imput. A cross-site scripting vulnerability exists in cobalt that stems from the fact that a malicious cobalt instance may provide links using the javascript protocol, which can lead to cross-site scripting XSS when a user attempts to download items fr...

CVSS 6 | AI score 5.8 | EPSS 0.00226
Exploits 0 | References 5
CVE
added 2024/08/05 8:35 p.m., 73 views

CVE-2024-34343

Nuxt.js navigateTo is vulnerable to XSS due to faulty handling of the javascript: protocol. The issue stems from how Nuxt uses unjs/ufo for URL parsing: the sequence tests for a protocol, then parses with parseURL, but parsing javascript:alert(1) can return null/empty, and whitespace isn’t stripp...

CVSS 6.3 | AI score 6.4 | EPSS 0.00099
Exploits 1 | References 1 | Affected Software 1
OSV
added 2024/08/05 8:35 p.m., 6 views

CVE-2024-34343 Cross-site Scripting (XSS) in navigateTo if used after SSR in nuxt

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The navigateTo function attempts to block the javascript: protocol, but does not correctly use the APIs provided by unjs/ufo. This library also contains parsing discrepancies. The function first...

CVSS 6.3 | AI score 6.8 | EPSS 0.00099
Exploits 1 | References 3
Cvelist
added 2024/08/05 8:35 p.m., 24 views

CVE-2024-34343 Cross-site Scripting (XSS) in navigateTo if used after SSR in nuxt

Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The navigateTo function attempts to block the javascript: protocol, but does not correctly use the APIs provided by unjs/ufo. This library also contains parsing discrepancies. The function first...

CVSS 6.3 | EPSS 0.00099
Exploits 1 | References 1
OSV
added 2024/08/05 7:49 p.m., 1 view

GHSA-VF6R-87Q4-2VJF nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR

Summary: The navigateTo function attempts to block the javascript: protocol, but does not correctly use the APIs provided by unjs/ufo. This library also contains parsing discrepancies. Details: The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL...

CVSS 6.3 | AI score 5.9 | EPSS 0.00099
Exploits 1 | References 3
Github Security Blog
added 2024/08/05 7:49 p.m., 18 views

nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR

Summary: The navigateTo function attempts to block the javascript: protocol, but does not correctly use the APIs provided by unjs/ufo. This library also contains parsing discrepancies. Details: The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL...

CVSS 6.3 | AI score 6.3 | EPSS 0.00099
Exploits 1 | References 3 | Affected Software 1