99 matches found
WordPress plugin Gallery Block å®å Øę¼ę“
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPress...
DRUPAL-CONTRIB-2023-042
This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have ...
Decidim äæ”ęÆę³é²ę¼ę“
Decidim is a participatory democracy framework written in Ruby on Rails. An information disclosure vulnerability exists in versions of Decidim prior to 0.27.3, which stems from allowing all data attributes and associations to be filtered, allowing an unauthenticated, remote attacker to steal...
Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
Impact The HTML sanitizer, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki:...
CVE-2023-31126
org.xwiki.commons:xwiki-commons-xml is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect...
CVE-2023-31126 Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
org.xwiki.commons:xwiki-commons-xml is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect...
CVE-2023-31126 Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
org.xwiki.commons:xwiki-commons-xml is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect...
PT-2023-8607 Ā· Xwiki Ā· Xwiki-Commons-Xml
Name of the Vulnerable Software and Affected Versions: org.xwiki.commons:xwiki-commons-xml versions 14.6-rc-1 through 14.10.3 org.xwiki.commons:xwiki-commons-xml versions prior to 15.0 RC1 Description: The HTML sanitizer in the org.xwiki.commons:xwiki-commons-xml library allows the injection of...
XWiki Platform č·Øē«čę¬ę¼ę“
XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the XWiki Foundation in France. A security vulnerability exists in XWiki Platform versions 14.6-rc-1 through 14.10.4, which stems from an HTML element cleaner that accepts invalid data attributes, allowin...
CVE-2022-34838
Storing Passwords in a Recoverable Format vulnerability in ABB Zenon 8.20 allows an attacker who successfully exploit the vulnerability may add or alter data points and corresponding attributes. Once such engineering data is used the data visualization will be altered for the end user...
PT-2022-22387 Ā· Abb Ā· Abb Zenon
Name of the Vulnerable Software and Affected Versions: ABB Zenon version 8.20 Description: The issue allows an attacker to add or alter data points and corresponding attributes. Once such engineering data is used, the data visualization will be altered for the end user. Recommendations: For ABB...
ABB Zenon å®å Øę¼ę“
ABB Zenon is a secure operational data management platform from ABB Switzerland. Easily connect machines, infrastructure and production assets. ABB Zenon 8.20 and prior versions have a security vulnerability that stems from a recoverable format storage password vulnerability that can be...
Sifchain: Bootstrap library is vulnerable
Summary: The identified library bootstrap, version 4.0.0 is vulnerable Steps To Reproduce: Please upgrade to the latest version of bootstrap. Supporting Material/References: https://github.com/twbs/bootstrap/issues/28236 https://github.com/twbs/bootstrap/issues/20184 Impact XSS was possible in th...
h1-ctf: [hacky-holidays] Grinch network is down
Flag 1 As always CTF begins with a tweet: F1126838 So we are supposed to start from https://hackyholidays.h1ctf.com/ . The first flag was easy on https://hackyholidays.h1ctf.com/ I found a file named robots.txt which had the following content: User-agent: Disallow: /s3cr3t-ar3a Flag:...
GHSA-5P28-63MC-CGR9 Cross-Site Scripting bypass in html-purify
All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. No fix is currently available. Consider using an alternative package until a fix is made available...
Lazysizes Cross-Site Scripting Vulnerability
lazysizes is a lightweight inert loader. It is mainly used for delayed loading of content such as images, iframes and scripts. A security vulnerability exists in lazysizes 5.2.0 and earlier versions, which stems from the program's failure to clean up the following attributes: data-vimeo,...
GitLab: Stored XSS in blob viewer
Summary I found a Stored-XSS in blob viewer when viewing a json file. In particular, when viewing an openapi file, openapiviewer is called to transfer the file's data to SwaggerUIBundle to render. SwaggerUIBundle does its job when rending graphical representation of the openapi's content. It also...
XSS vulnerabilities via data-parent, data-target, data-container in bootstrap
In Bootstrap before 4.1.2, XSS is possible in collapse data-parent attribute CVE-2018-14040, data-target property of scrollspy CVE-2018-14041, data-container property of tooltip CVE-2018-14042...
Open-Xchange: [XSS] Pasting bootstrap in mail compose
Hi. No filter for bootstrap data attributes. data-target allow any html, e.g.: - " href="" collapse - " href="" dropdown - " href="" modal Steps: 1. Create page with this code best example with dropdown, you can use my template https://secator.com/ox/bootstrap.html 2. Ctrl+A select all, Ctrl+C co...