
3298 matches found

Hacker One
added 2020/09/12 12:41 a.m. | 15 views

Agoric: Stored XSS in agoric-sdk - malicious iframes, malicious svg

Summary: add summary of the vulnerability Steps To Reproduce: shell git clone https://github.com/Agoric/agoric-sdk.git cd agoric-sdk yarn config set "strict-ssl" false -g yarn config set "registry" "http://registry.npmjs.org/" -g yarn config set "cafile" "/etc/ssl/cert.pem" -g pipenv shell yarn...

AI score: 0.3
Exploits: 0
Github Security Blog
added 2020/09/11 9:21 p.m. | 20 views

Cross-Site Scripting in node-red

Versions of node-red prior to 0.18.6 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize the name field in new items, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 0.18.6 or later...

AI score: 4.9
Exploits: 0 | References: 3 | Affected Software: 1
Github Security Blog
added 2020/09/11 9:21 p.m. | 26 views

Cross-Site Scripting in swagger-ui

Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize JSON schemas, allowing attackers to execute arbitrary JavaScript using tags in the method descriptions. Recommendation Upgrade to version 2.2.1 or later...

AI score: 5.3
Exploits: 0 | References: 3 | Affected Software: 1
Github Security Blog
added 2020/09/11 9:19 p.m. | 11 views

Cross-Site Scripting in diagram-js-direct-editing

Versions of diagram-js-direct-editing prior to 1.4.3 are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.3 or later...

AI score: 5.2
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2020/09/11 9:18 p.m. | 8 views

GHSA-8FW4-XH83-3J6Q Cross-Site Scripting in diagram-js

Versions of diagram-js prior to 3.3.1 for 3.x and 2.6.2 for 2.x are vulnerable to Cross-Site Scripting. The package fails to escape output of user-controlled input in search-pad, allowing attackers to execute arbitrary JavaScript. Recommendation If you are using diagram-js 3.x, upgrade to version...

AI score: 7.7
Exploits: 0 | References: 4
Veracode
added 2020/09/10 1:24 a.m. | 24 views

Cross-Site Scripting (XSS)

webkit2gtk3 is vulnerable to cross-site scripting XSS. An attacker is able to inject and execute arbitrary JavaScript in the user's browser by providing malicious web content...

CVSS: 6.1 | AI score: 3.3 | EPSS: 0.01251
Exploits: 0 | References: 9 | Affected Software: 2
Cvelist
added 2020/09/09 4:45 p.m. | 16 views

CVE-2020-2036 PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface

A reflected cross-site scripting XSS vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could...

CVSS: 8.8 | AI score: 7.7 | EPSS: 0.2389
Exploits: 0 | References: 1
Palo Alto Networks
added 2020/09/09 4:00 p.m. | 79 views

PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface

A reflected cross-site scripting XSS vulnerability exists in the PAN-OS management web interface. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could...

CVSS: 8.8 | AI score: 1.3 | EPSS: 0.2389
Exploits: 0 | References: 1
CNVD
added 2020/09/09 12:00 a.m. | 2 views

Adobe Experience Manager (AEM) Cross-Site Scripting Vulnerability (CNVD-2020-51768)

Adobe Experience Manager is an enterprise content management solution that helps you streamline the management and delivery of your content and assets. A stored cross-site scripting vulnerability exists in Adobe Experience Manager AEM. An attacker can exploit this vulnerability to execute arbitra...

CVSS: 9 | AI score: 6.4 | EPSS: 0.01884
Exploits: 0 | References: 1
CNVD
added 2020/09/09 12:00 a.m. | 3 views

Adobe Experience Manager (AEM) stored cross-site scripting vulnerability (CNVD-2020-52153)

Adobe Experience Manager is an enterprise content management solution that helps you streamline the management and delivery of your content and assets. A stored cross-site scripting vulnerability exists in Adobe Experience Manager AEM. An attacker can exploit this vulnerability to execute arbitra...

CVSS: 6.8 | AI score: 6.4 | EPSS: 0.01758
Exploits: 0 | References: 1
OSV
added 2020/09/04 5:55 p.m. | 7 views

GHSA-5FF8-JCF9-FW62 Cross-Site Scripting in markdown-it-katex

All versions of markdown-it-katex are vulnerable to Cross-Site Scripting XSS. The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser by triggering an error. Recommendation No fix is currently available. Consider using a...

AI score: 6.8
Exploits: 0 | References: 3
Github Security Blog
added 2020/09/04 5:28 p.m. | 19 views

Cross-Site Scripting in atlasboard-atlassian-package

All versions of atlasboard-atlassian-package prior to 0.4.2 are vulnerable to Cross-Site Scripting XSS. The package fails to properly sanitize user input that is rendered as HTML, which may allow attackers to execute arbitrary JavaScript in a victim's browser. This requires attackers being able t...

AI score: 3.6
Exploits: 0 | References: 3 | Affected Software: 1
Github Security Blog
added 2020/09/04 5:21 p.m. | 20 views

Cross-Site Scripting in nextcloud-vue-collections

Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting XSS. The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code i...

AI score: 4.4
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2020/09/03 6:16 p.m. | 20 views

GHSA-VPJ4-89Q8-RH38 Cross-Site Scripting in bpmn-js-properties-panel

Versions of bpmn-js-properties-panel prior to 0.31.0 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize input in specially configured diagrams, which may allow attackers to inject arbitrary JavaScript in the embedding website. Recommendation Upgrade to version 0.31.0 or lat...

AI score: 6.4
Exploits: 0 | References: 1
OSV
added 2020/09/03 5:17 p.m. | 15 views

GHSA-V9WP-8R97-V6XG Cross-Site Scripting in jquery.json-viewer

Versions of jquery.json-viewer prior to 1.3.0 are vulnerable to Cross-Site Scripting XSS. The package insufficiently sanitizes user input when creating links, and concatenates the user input in an tag. This allows attackers to create malicious links with JSON payloads such as: "foo":...

AI score: 6.6
Exploits: 0 | References: 1
OSV
added 2020/09/03 5:03 p.m. | 10 views

GHSA-C53X-WWX2-PG96 Cross-Site Scripting in @berslucas/liljs

Versions of @berslucas/liljs prior to 1.0.2 are vulnerable to Cross-Site Scripting XSS. The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation Upgrade to version 1.0.2 or later...

CVSS: 6.5 | AI score: 6.9
Exploits: 0 | References: 6
NVD
added 2020/09/03 2:15 p.m. | 8 views

CVE-2020-12058

Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/orderstatus.php, catalog/admin/taxrates.php, catalog/admin/languages.php,...

CVSS: 6.1 | AI score: 6.4 | EPSS: 0.00952
Exploits: 0 | References: 3
Prion
added 2020/09/03 2:15 p.m. | 16 views

Cross site scripting

Several XSS vulnerabilities in osCommerce CE Phoenix before 1.0.6.0 allow an attacker to inject and execute arbitrary JavaScript code. The malicious code can be injected as follows: the page parameter to catalog/admin/orderstatus.php, catalog/admin/taxrates.php, catalog/admin/languages.php,...

CVSS: 4.3 | AI score: 6.4 | EPSS: 0.00952
Exploits: 0 | References: 3 | Affected Software: 1
OSV
added 2020/09/02 6:24 p.m. | 2 views

GHSA-3QH4-R86R-GRVM Arbitrary JavaScript Execution in typed-function

Versions of typed-function prior to 0.10.6 are vulnerable to Arbitrary JavaScript Execution. Function names are not properly sanitized and may allow an attacker to execute arbitrary code. Recommendation Upgrade to version 0.10.6 or later...

CVSS: 8.8 | AI score: 6.1 | EPSS: 0.01884
Exploits: 0 | References: 6
Github Security Blog
added 2020/09/02 6:21 p.m. | 21 views

Cross-Site Scripting in express-cart

All versions of harp are vulnerable to Cross-Site Scripting. In the admin page it is possible to inject arbitrary JavaScript as a new product option, allowing attackers to execute arbitrary code. This is limited to the admin page and does not affect other pages. Recommendation No fix is currently...

AI score: 3.9
Exploits: 0 | References: 3 | Affected Software: 1