5752 matches found
MAL-2022-2940 Malicious code in external-js-css (npm)
Source: ghsa-malware 5c06d2f4db7e9efc9676f195c4794c9b02fb52e277ad85db8059db8803081e15 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
UI REDRESSING
Description: Clickjacking is a portmanteau of two words, ‘click’ and ‘hijacking’. It refers to hijacking a user’s click for malicious intent. In it, an attacker embeds the vulnerable site in a transparent iframe in the attacker’s own website and overlays it with objects such as a button using CSS skills...
CVE-2022-29257
Summary: CVE-2022-29257 affects Electron up to version 18.0.0-beta.6 (and older 17.2.0, 16.2.6, 15.5.5). If an attacker controls a victim app’s update server/storage, they can serve update packages that pass code signing validation but run malicious code in some components. The vulnerability aris...
CVE-2022-29257 Electron's AutoUpdater module fails to validate certain nested components of the bundle
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows attackers who have control over a given app's update server / update storage to serve maliciously crafte...
CVE-2022-29247
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames...
CVE-2022-29247
CVE-2022-29247 — Electron IPC leakage via nodeIntegrationInSubFrames. The issue affects Electron versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5. A renderer with JS execution can gain access to a new renderer process when nodeIntegrationInSubFrames is enabled, which can expose access...
CVE-2022-29247 Exposure of Resource to Wrong Sphere in Electron
Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames...
Cross-site Scripting (XSS)
Firefox is vulnerable to cross-site scripting. The vulnerability exists due to a lack of sanitization of URIs in CSS stylesheets, allowing an attacker to inject maliciously crafted script into the system...
Nextcloud: Unauthenticated SSRF in 3rd party module "cerdic/csstidy"
Summary: The mail extension in Nextcloud includes a module called "cerdic/csstidy" which basically ships with a publicly accessible test/example interface to play with the CSS formatter and optimiser /apps/mail/vendor/cerdic/css-tidy/cssoptimiser.php. This module allows contacting any remote serv...
Site Offline or Coming Soon <= 1.6.6 - Stored Cross-Site Scripting via CSRF
The plugin does not have a CSRF check in place when updating its settings, and it also lacks sanitisation as well as escaping in some of them. As a result, attackers could make a logged-in admin change them and put Cross-Site Scripting payloads in them via a CSRF attack...
Is CSS Really Necessary for Responsive Web Design?
By Owais Sultan. Is CSS a necessity for responsive web design? This article will help you find out if it really… This is a post from HackRead.com.
Mozilla Firefox Security Feature Issue Vulnerability (CNVD-2023-06862)
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security feature issue vulnerability exists in Mozilla Thunderbird that stems from an error when handling CSS stylesheets that are accessible via internal URIs. An attacker could exploit this...
CVE-2022-31744
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR 91.11, Thunderbird 102, Thunderbird 91.11, and Firefox 101...
UBUNTU-CVE-2022-31744
An attacker could have injected CSS into stylesheets accessible via internal URIs, such as resource:, and in doing so bypass a page's Content Security Policy. This vulnerability affects Firefox ESR 91.11, Thunderbird 102, Thunderbird 91.11, and Firefox 101...
Mozilla Firefox Cross-Site Scripting Vulnerability
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security feature issue vulnerability exists in Mozilla Thunderbird that stems from an error when handling CSS stylesheets that are accessible via internal URIs. An attacker could exploit this...
Mozilla Firefox < 101.0
The version of Firefox installed on the remote macOS or Mac OS X host is prior to 101.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-20 advisory. - Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Tea...
Security Vulnerabilities fixed in Firefox 101 — Mozilla
A malicious website could have learned the size of a cross-origin resource that supported Range requests. A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash. When exiting fullscreen mode, an iframe could have...
Mozilla Firefox < 101.0
The version of Firefox installed on the remote Windows host is prior to 101.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-20 advisory. - Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Team reported...
MediaWiki makeCollapsible allows applying event handler to any CSS selector
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler ...
GHSA-PFM2-MQWJ-GGM5 MediaWiki makeCollapsible allows applying event handler to any CSS selector
In MediaWiki before 1.34.1, users can add various Cascading Style Sheets (CSS) classes (which can affect what content is shown or hidden in the user interface) to arbitrary DOM nodes via HTML content within a MediaWiki page. This occurs because jquery.makeCollapsible allows applying an event handler ...