542 matches found

Cvelist
added 2023/02/13 8:49 p.m. · 24 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 · AI score 5.3 · EPSS 0.00694
Exploits 1 · References 5
OSV
added 2023/02/13 8:49 p.m. · 68 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 · AI score 5.3 · EPSS 0.00694
Exploits 1 · References 7
Vulnrichment
added 2023/02/13 8:49 p.m. · 8 views

CVE-2023-25572 React-Admin vulnerable to Cross-Site-Scripting attack on `<RichTextField>`

react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and usi...

CVSS 5.4 · AI score 5.3 · EPSS 0.00694
Exploits 1 · References 5
CVE
added 2023/02/13 8:49 p.m. · 68 views

CVE-2023-25572

CVE-2023-25572 concerns react-admin and related RA UI Material-UI before 3.19.12/4.7.6, where the RichTextField outputs HTML via dangerouslySetInnerHTML without client-side sanitization. If server-side data isn’t sanitized, this enables cross-site scripting (XSS) across React applications built w...

CVSS 5.4 · AI score 5.3 · EPSS 0.00694
Exploits 1 · References 5 · Affected Software 2
Positive Technologies
added 2023/02/13 12:00 a.m. · 7 views

PT-2023-20171 · Unknown · Ra-Ui-Materialui +1

Name of the Vulnerable Software and Affected Versions: react-admin versions prior to 3.19.12 and 4.7.6 ra-ui-materialui versions prior to 3.19.12 and 4.7.6 Description: The issue affects all React applications built with react-admin and using the . This component outputs the field value using...

CVSS 5.4 · AI score 5.4 · EPSS 0.00694
Exploits 1 · References 10
Veracode
added 2023/01/20 2:33 a.m. · 22 views

Cross-site Scripting (XSS)

dompurify is vulnerable to cross-site scripting (XSS) attacks. The library does not properly escape special characters before they are output to the front end, allowing an attacker to inject and execute malicious JavaScript via nested headlines...

AI score 4.2
Exploits 0
OSV
added 2023/01/11 11:47 p.m. · 19 views

GHSA-H6P3-P4VX-WR8Q dompurify vulnerable to Cross-site Scripting

dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines...

AI score 6.4
Exploits 0 · References 4
Github Security Blog
added 2023/01/11 11:47 p.m. · 50 views

dompurify vulnerable to Cross-site Scripting

dompurify prior to version 2.2.3 is vulnerable to a cross-site scripting problem caused by nested headlines...

AI score 1.5
Exploits 0 · References 4 · Affected Software 1
OSV
added 2023/01/11 11:47 p.m. · 14 views

GHSA-PGJV-JRG2-GQ3V dompurify vulnerable to Cross-site Scripting

dompurify prior to version 2.2.2 is vulnerable to cross-site scripting when converting from SVG namespace...

AI score 6.4
Exploits 0 · References 4
Github Security Blog
added 2023/01/11 11:47 p.m. · 15 views

dompurify vulnerable to Cross-site Scripting

dompurify prior to version 2.2.2 is vulnerable to cross-site scripting when converting from SVG namespace...

AI score 2.4
Exploits 0 · References 4 · Affected Software 1
Positive Technologies
added 2023/01/11 12:00 a.m. · 3 views

PT-2023-33023 · Dompurify · Dompurify

Name of the Vulnerable Software and Affected Versions: dompurify versions prior to 2.2.3 Description: The issue is caused by nested headlines, leading to a cross-site scripting problem. Recommendations: For versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue...

AI score 6.5
Exploits 0 · References 5
Positive Technologies
added 2023/01/11 12:00 a.m. · 4 views

PT-2023-33047 · Dompurify · Dompurify

Name of the Vulnerable Software and Affected Versions: dompurify versions prior to 2.2.2 Description: The issue is related to cross-site scripting when converting from the SVG namespace. Recommendations: For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue...

AI score 6.5
Exploits 0 · References 5
Github Security Blog
added 2023/01/10 10:48 p.m. · 55 views

Reflected XSS in Gotify's /docs via import of outdated Swagger UI

Impact Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS...

CVSS 6.1 · AI score 2.1 · EPSS 0.04522
Exploits 1 · References 5 · Affected Software 1
OSV
added 2023/01/10 10:48 p.m. · 292 views

GHSA-3244-8MFF-W398 Reflected XSS in Gotify's /docs via import of outdated Swagger UI

Impact Gotify exposes an outdated instance of the Swagger UI API documentation frontend at /docs which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a rendering XSS...

AI score 6.3
Exploits 0 · References 5
Positive Technologies
added 2023/01/05 12:00 a.m. · 5 views

PT-2023-9640

Name of the Vulnerable Software and Affected Versions DOMPurify versions prior to 2.4.2 Description The issue is related to an uncontrolled modification of object prototype attributes in the DOMPurify JavaScript library, which is used for secure cleaning and protection of HTML code. This can allo...

CVSS 10 · AI score 9.7 · EPSS 0.51488
Exploits 23 · References 49
Tenable Nessus
added 2022/12/19 12:00 a.m. · 78 views

Dell Wyse Management Suite < 4.0 Multiple Vulnerabilities (DSA-2022-329)

The version of Dell Wyse Management Suite installed on the remote host is prior to 4.0. It is, therefore, affected by multiple vulnerabilities as referenced in the DSA-2022-329 advisory. - Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not...

CVSS 8.7 · AI score 7.3 · EPSS 0.17673
Exploits 3 · References 10
CNNVD
added 2022/09/08 12:00 a.m. · 3 views

JGraph draw.io Cross-Site Scripting Vulnerability

JGraph draw.io is a configurable chart/whiteboard visualization application for JGraph. A cross-site scripting vulnerability exists in JGraph draw.io versions prior to 20.3.0, which stems from the application allowing the "use" tag to be passed to dompurify when "U" is imported before a "?" When...

CVSS 6.1 · AI score 5 · EPSS 0.00518
Exploits 1 · References 3
Tenable Nessus
added 2022/07/18 12:00 a.m. · 41 views

Swagger UI 3.14.0 < 3.38.0 Cross-Site Scripting

Swagger UI is a popular library used to beautify API specifications and render them to users. Swagger UI versions 3.14.1 to 3.37.2 suffer from a DOM cross-site scripting (XSS) vulnerability due to an outdated DOMPurify embedded library and a feature available in the Swagger UI library itself whic...

AI score 6.2
Exploits 0 · References 2
Huntr
added 2022/07/04 7:11 p.m. · 65 views

Mutation Stored XSS at homepage

Description: The bookwyrm HTML input sanitizer is vulnerable to mutation XSS. The payload could be stored and displayed on the homepage of the website at /feed or /discovery, widely affecting all users and the main website. Proof of Concept: Edit a book description: // PoC Access to the /feed...

CVSS 4.3 · AI score 6.3 · EPSS 0.00493
Exploits 0 · References 2
Hacker One
added 2022/05/24 10:29 a.m. · 19 views

GitLab: XSS: `v-safe-html` is not safe enough

The v-safe-html directive uses Dompurify to remove the 'data-remote', 'data-url', 'data-type' and 'data-method' attributes from HTML tags. Rails-js relies on another attribute, data-disable-with, to show HTML content when a user clicks on a disabled link. For example, the following text will bypass the...

AI score 0.1
Exploits 0