5 matches found
Nextcloud: Stored XSS in attachment-display exploitable through SameSite
A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content...
CVE-2025-55032
Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142...
CVE-2025-55032 Focus incorrectly ignores Content-Disposition headers for some MIME types
Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks. This vulnerability was fixed in Focus for iOS 142...
CVE-2024-24574
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of the filename in phpMyFAQ\phpmyfaq\admin\attachments.php allows execution of JavaScript code on the client side (XSS). This vulnerability has been patched in version 3.2.5...
Fedora 24 : roundcubemail (2016-60753c3dcd)
Version 1.2.3 - Searching in both contacts and groups when LDAP addressbook with groupfilters option is used - Fix vulnerability in handling of mail's 5th argument - Fix To: header encoding in mail sent with mail method (#5475) - Fix flickering of header topline in min-mode (#5426) - Fix bug where...