Lucene search

4 matches found

Snyk
added 2026/05/20 7:7 p.m. | 4 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of unescaped name and version metadata fields. An attacker can execute arbitrary scripts or code within the application context by submitting specially crafted package metadata. Details...

CVSS 9 | AI score 5.8 | EPSS 0.00361
Exploits: 0 | References: 3
OSV
added 2026/05/13 3:33 p.m. | 2 views

GHSA-27QC-M5GF-JV5R SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

Summary: SiYuan's Bazaar community marketplace renders the `name` and `version` fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HTML escaping. The kernel-side helper sanitizePackageDisplayStrings in...

CVSS 9 | AI score 6 | EPSS 0.00361
Exploits: 0 | References: 3
OSV
added 2018/04/16 9:58 a.m. | 1 views

DEBIAN-CVE-2018-10102

Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag...

CVSS 6.1 | AI score 6.2 | EPSS 0.05259
Exploits: 0 | References: 1
CNVD
added 2018/04/16 12:0 a.m. | 4 views

WordPress Cross-Site Scripting Vulnerability (CNVD-2018-08609)

WordPress is a blogging platform developed using the PHP language by the WordPress Software Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the generator tag in WordPress versions prior to 4.9.5, which...

CVSS 6.1 | AI score 6.1 | EPSS 0.05259
Exploits: 0 | References: 1