PT-2026-33996
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier called first via...
GHSA-FJPJ-6QCQ-6PW2 CI4MS has stored XSS in Pages Content Due to Missing html_purify Sanitization
Summary The Pages module does not apply the html_purify validation rule to content fields during create and update operations, while the Blog module does. Page content is stored unsanitized in the database and rendered as raw HTML on the public frontend via echo $pageInfo->content. An authenticated...
GHSA-4WR4-F2QF-X5WJ Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection
Summary The eCard send handler in Admidio uses the raw $_POST['ecard_message'] value instead of the HTMLPurifier-sanitized $formValues['ecard_message'] when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...
EUVD-2022-4441
Malicious code in bioql PyPI...
EUVD-2022-2218
Malicious code in bioql PyPI...
EUVD-2022-2859
Malicious code in bioql PyPI...
EUVD-2022-2777
Malicious code in bioql PyPI...
anti-xss
This is a PHP library called AntiXSS, which is designed to prevent cross-site scripting (XSS) attacks. The library provides a set of functions to sanitize user input and protect against XSS vulnerabilities. The library is maintained by Lars Moelleken and is available on Packagist, a popular PHP...
CVE-2011-3744
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
GHSA-GWPM-PM6X-H7RJ ZendFramework Cross-site Scripting vector in `Zend_Filter_StripTags`
Zend_Filter_StripTags is a filtering class analogous to PHP's strip_tags function. In addition to stripping HTML tags and selectively keeping those provided in a whitelist, it also provides the ability to whitelist specific attributes to retain per whitelisted tag. The reporter discovered that...
PT-2024-18978 · Unknown · Prestashop
Name of the Vulnerable Software and Affected Versions: PrestaShop versions prior to 8.1.3; PrestaShop versions prior to 1.7.8.11. Description: PrestaShop is an open-source e-commerce platform. Some event attributes are not detected by the isCleanHTML method, which could make some modules using this...
GHSA-6RM6-MJMH-86JQ HTML Purifier Cross-site Scripting (XSS) vulnerability
Cross-site scripting (XSS) vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
GHSA-JW86-5CJF-MV79 HTML Purifier allows remote attackers to obtain sensitive information
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
GHSA-3P68-M5QW-9G9W HTML Purifier cross-site scripting (XSS) vulnerability
Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different...
HTML Purifier Cross-site Scripting vulnerability
Cross-site scripting (XSS) vulnerability in smoketests/configForm.php in HTML Purifier before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "unescaped print_r output."...