4 matches found
OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project
Summary: The built-in "Something went wrong!" error page includes the exception message and exception traceback without escaping HTML tags, enabling injection into the page if an attacker can reliably produce an error with an attacker-influenced message. It appears that the only way to reach this...
Cross site scripting
A stored XSS vulnerability exists in the web application of Pydio through 8.2.2 that can be exploited by leveraging the file upload and file preview features of the application. An authenticated attacker can upload an HTML file containing JavaScript code and afterwards a file preview URL can be use...
HackerOne: Fake URL + Additional vectors for homograph attack
Hello! I would like to report about a new issue based on "@" character in URL. It shows user real URL but when he clicks "Proceed", he is redirected to another website. For example, it seems as normal HackerOne URL:...
GNU Mailman 2.1 'email' Cross Site Scripting Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/6677/info A vulnerability has been discovered in GNU Mailman. It has been reported that Mailman is prone to cross site scripting attacks. This is due to insufficient sanitization of URI parameters. As a result, attackers m...