39 matches found
CVE-2026-44381 MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow attribute listing endpoints. The affected code accepted order or sort values from request paramete...
CVE-2026-42612
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attribute...
CVE-2026-42612
Grav: Publisher-level stored XSS in getgrav/grav due to a flawed blacklist in detectXss() that mishandles unquoted HTML event attributes. This allows arbitrary JavaScript execution via crafted content prior to 2.0.0-beta.2. The issue is fixed in Grav core on the 2.0 branch; upgrade to 2.0.0-beta....
CVE-2026-42612 Grav: Publisher-Level Stored XSS via Unquoted Event Attributes
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attribute...
GHSA-9695-8FR9-HW5Q Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
Summary A stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details The detectXss function relies on a...
Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes
Summary A stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details The detectXss function relies on a...
EUVD-2022-4993
Malicious code in bioql PyPI...
Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML attribute names and values
There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The reason these issues were not detected before is the escapes were working as designed. However, their design didn't take into account just how recklessly permissive browser are...
BIT-PRESTASHOP-2024-21627 Some attribute not escaped in Validate::isCleanHTML method
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the isCleanHTML method. Some modules using the isCleanHTML method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this...
Cross site scripting
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the isCleanHTML method. Some modules using the isCleanHTML method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this...
CVE-2024-21627 Some attribute not escaped in Validate::isCleanHTML method
PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the isCleanHTML method. Some modules using the isCleanHTML method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this...
PrestaShop Input Validation Error Vulnerability
PrestaShop is an open source e-commerce solution from PrestaShop, Inc. in the United States. The solution provides multiple payment methods, SMS alerts and product image scaling. An input validation error vulnerability exists in PrestaShop versions prior to 8.1.3, which stems from the "isCleanHTM...
PT-2024-18978 · Unknown · Prestashop
Name of the Vulnerable Software and Affected Versions: PrestaShop versions prior to 8.1.3 PrestaShop versions prior to 1.7.8.11 Description: PrestaShop is an open-source e-commerce platform. Some event attributes are not detected by the isCleanHTML method, which could make some modules using this...
external-svg-loader Cross-site Scripting vulnerability
Summary According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivially bypassed. This allows an attacker to craft a malicious SVG which can result in XSS. Details When trying to...
Dolibarr ERP and CRM contain XSS Vulnerability
The testsqlandscriptinject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS...
GHSA-QJQ9-WX5J-JRG6 Dolibarr ERP and CRM contain XSS Vulnerability
The testsqlandscriptinject function in htdocs/main.inc.php in Dolibarr ERP/CRM 6.0.4 blocks some event attributes but neither onclick nor onscroll, which allows XSS...
CVE-2018-15641
Cross-site scripting XSS issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes...
Cross site scripting
Cross-site scripting XSS issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes...
CVE-2018-15641
Cross-site scripting XSS issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes...
CVE-2018-15641
Cross-site scripting XSS issue in web module in Odoo Community 11.0 through 14.0 and Odoo Enterprise 11.0 through 14.0, allows remote authenticated internal users to inject arbitrary web script in the browser of a victim via crafted calendar event attributes...