103 matches found
CVE-2024-5668 Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.28 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 2.7.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes...
WordPress FooBox plugin <= 2.7.28 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via HTML Data Attributes vulnerability discovered by Webbernaut in WordPress Plugin FooBox Image Lightbox versions = 2.7.28...
PT-2024-36988 · WordPress · Foobox
Name of the Vulnerable Software and Affected Versions: FooBox plugin for WordPress versions up to, and including, 2.7.28 Description: The issue is related to DOM-based Stored Cross-Site Scripting via HTML data attributes due to insufficient input sanitization and output escaping on user-supplied...
WordPress Gutenberg Blocks with AI by Kadence WP plugin <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes vulnerability
Authenticated Contributor+ Stored DOM-Based Cross-Site Scripting via HTML Data Attributes vulnerability discovered by Webbernaut in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions = 3.2.45...
WordPress plugin Gallery Block 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPress...
DRUPAL-CONTRIB-2023-042
This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesn't sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have ...
Decidim 信息泄露漏洞
Decidim is a participatory democracy framework written in Ruby on Rails. An information disclosure vulnerability exists in versions of Decidim prior to 0.27.3, which stems from allowing all data attributes and associations to be filtered, allowing an unauthenticated, remote attacker to steal...
Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
Impact The HTML sanitizer, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki:...
CVE-2023-31126
org.xwiki.commons:xwiki-commons-xml is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect...
CVE-2023-31126 Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
org.xwiki.commons:xwiki-commons-xml is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect...
CVE-2023-31126 Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
org.xwiki.commons:xwiki-commons-xml is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect...
XWiki Platform 跨站脚本漏洞
XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the XWiki Foundation in France. A security vulnerability exists in XWiki Platform versions 14.6-rc-1 through 14.10.4, which stems from an HTML element cleaner that accepts invalid data attributes, allowin...
PT-2023-8607 · Xwiki · Xwiki-Commons-Xml
Name of the Vulnerable Software and Affected Versions: org.xwiki.commons:xwiki-commons-xml versions 14.6-rc-1 through 14.10.3 org.xwiki.commons:xwiki-commons-xml versions prior to 15.0 RC1 Description: The HTML sanitizer in the org.xwiki.commons:xwiki-commons-xml library allows the injection of...
CVE-2022-34838
Storing Passwords in a Recoverable Format vulnerability in ABB Zenon 8.20 allows an attacker who successfully exploit the vulnerability may add or alter data points and corresponding attributes. Once such engineering data is used the data visualization will be altered for the end user...
ABB Zenon 安全漏洞
ABB Zenon is a secure operational data management platform from ABB Switzerland. Easily connect machines, infrastructure and production assets. ABB Zenon 8.20 and prior versions have a security vulnerability that stems from a recoverable format storage password vulnerability that can be...
PT-2022-22387 · Abb · Abb Zenon
Name of the Vulnerable Software and Affected Versions: ABB Zenon version 8.20 Description: The issue allows an attacker to add or alter data points and corresponding attributes. Once such engineering data is used, the data visualization will be altered for the end user. Recommendations: For ABB...
Sifchain: Bootstrap library is vulnerable
Summary: The identified library bootstrap, version 4.0.0 is vulnerable Steps To Reproduce: Please upgrade to the latest version of bootstrap. Supporting Material/References: https://github.com/twbs/bootstrap/issues/28236 https://github.com/twbs/bootstrap/issues/20184 Impact XSS was possible in th...
h1-ctf: [hacky-holidays] Grinch network is down
Flag 1 As always CTF begins with a tweet: F1126838 So we are supposed to start from https://hackyholidays.h1ctf.com/ . The first flag was easy on https://hackyholidays.h1ctf.com/ I found a file named robots.txt which had the following content: User-agent: Disallow: /s3cr3t-ar3a Flag:...
GHSA-5P28-63MC-CGR9 Cross-Site Scripting bypass in html-purify
All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. No fix is currently available. Consider using an alternative package until a fix is made available...
Lazysizes Cross-Site Scripting Vulnerability
lazysizes is a lightweight inert loader. It is mainly used for delayed loading of content such as images, iframes and scripts. A security vulnerability exists in lazysizes 5.2.0 and earlier versions, which stems from the program's failure to clean up the following attributes: data-vimeo,...