13 matches found
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the rendering of unescaped name and version metadata fields. An attacker can execute arbitrary scripts or code within the application context by submitting specially crafted package metadata. Details...
CVE-2026-45375
SiYuan’s Bazaar marketplace before version 3.7.0 renders unsanitized package metadata (name, version) from plugin.json (and equivalent theme/template/widget/icon.json) into the Marketplace UI via innerHTML. The kernel sanitizer escapes Author, DisplayName, and Description, but not Name/Version, a...
GHSA-27QC-M5GF-JV5R SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
Summary SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...
CVE-2026-42524
CVE-2026-42524 : Jenkins HTML Publisher Plugin 427 and earlier is vulnerable to a stored XSS due to not escaping the job name and URL in the legacy wrapper file. This can be exploited by attackers with Item/Configure permission. The public descriptions identify the affected component and the root...
PT-2026-24630
Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...
PT-2022-20278 · WordPress · Slider Hero
Name of the Vulnerable Software and Affected Versions: Slider Hero WordPress plugin versions prior to 8.4.4 Description: The issue allows high-privileged users to perform Cross-Site Scripting attacks due to the lack of escaping in the slider Name. Recommendations: For versions prior to 8.4.4,...
CVE-2022-34791
Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
CVE-2022-34188
Jenkins Hidden Parameter Plugin 0.0.4 and earlier does not escape the name and description of Hidden Parameter parameters on views displaying parameters, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers with Item/Configure permission...
Jenkins Plugin Image Tag Parameter 跨站脚本漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is an application. Jenkins Plugin is an application that provides hundreds of plug-ins to support building, deploying, and automating any project. cross-site scripting vulnerability exists in Jenkins Image Tag Parameter Plug...
Jenkins Plugin Filesystem List Parameter 跨站脚本漏洞
Jenkins and Jenkins Plugin are both Jenkins open source products. jenkins is an application. Jenkins Plugin is an application that provides hundreds of plug-ins to support building, deploying, and automating any project. Jenkins Filesystem List Parameter Plugin version 0.0.7 and earlier versions...
knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.
There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it...
knockout: Cross-site Scripting (XSS) attacks due to not escaping the name attribute.
There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it...
Vimeo: XSS on vimeo.com/home after other user follows you
Description If some user follows you on Vimeo, the Name of the user appears in the header of your Home like "Name followed you. The staff posted...". The problem is that the Name is not escaped, which allows to insert HTML code. Proof of concept 1. Using the attacker's account, go to...