15 matches found
EUVD-2021-29548
Malicious code in bioql PyPI...
EUVD-2022-26871
Malicious code in bioql PyPI...
CVE-2022-21649
Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "" but escaping for double quotes does not exist. Through this...
CVE-2022-21650
Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in Convos' chat window, but you can upload a file with an .html extension. By uploading an SVG file with an html extension the upload filter can be bypassed. This causes Stored XSS. Also, after...
CVE-2022-21649 Stored XSS via attribute in convos
Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "" but escaping for double quotes does not exist. Through this...
CVE-2022-21650 Stored XSS via html file upload in convos
Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in Convos' chat window, but you can upload a file with an .html extension. By uploading an SVG file with an html extension the upload filter can be bypassed. This causes Stored XSS. Also, after...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description I found a way to bypass the Stored XSS via uploading File with format .svg when chatting in private conversation. Since you have filtered the content of the svg file as below: state $RULES = svg = qr Steps to Reproduce 1.After login, go to any private conversation. 2.In the chat bar,...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description The Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "" but escaping for double quotes does not exist. Proof ...
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description The Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in Convos' chat window, but you can upload .html extension. This causes Stored XSS. Also, after uploading a file, it does not log in, and XSS occurs even if you connect. Proof of Conce...
CVE-2021-42584
A Stored Cross Site Scripting XSS issue exists in Convos-Chat before 6.32...
Cross site scripting
A Stored Cross Site Scripting XSS issue exists in Convos-Chat before 6.32...
CVE-2021-42584
Convos-Chat before version 6.32 contains a stored XSS (CVE-2021-42584). The vulnerability allows malicious input to be stored and potentially execute client‑side code. The public documents do not specify the exact root cause, affected subcomponents, exploit details, or a confirmed patch/version t...
Cross-Site Request Forgery (CSRF) in convos-chat/convos
Description An attacker is able to log out a user if a logged-in user visits the attacker's website. Proof of Concept history.pushState('', '', '/') Impact This vulnerability is capable of forging users to unintentional logout. More Detail One way GET could be abused here is that a person competito...