GHSA-Q98M-7W8C-W388 Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...
GitLab: Stored XSS on issue comments and other pages which contain notes
Summary This report contains two XSS sanitization bypasses: The SyntaxHighlightFilter creates HTML from unsanitized data. This can be used to bypass the XSS filter on the server-side. ruby def highlight_node(node) ... sourcepos = node.parent.attr('data-sourcepos') ... sourcepos_attr = sourcepos ?...