
417 matches found

Vulnrichment
added 2023/08/10 2:53 p.m., 17 views

CVE-2023-39955 Notes attachment render HTML in preview mode

Notes is a note-taking app for Nextcloud, an open-source cloud platform. Starting in version 4.4.0 and prior to version 4.8.0, when creating a note file with HTML, the content is rendered in the preview instead of the file being offered to download. Nextcloud Notes app version 4.8.0 contains a...

CVSS 3.5, AI score 6.8, EPSS 0.0048
Exploits 0, References 3
Debian CVE
added 2023/08/02 7:48 p.m., 33 views

CVE-2023-3978

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1, AI score 6.3, EPSS 0.00843
Exploits 0
OSV
added 2023/07/05 10:40 p.m., 17 views

GHSA-JPGW-2R9M-8QFW Kiwi TCMS's misconfigured HTTP headers allow stored XSS execution with Firefox

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing potentially dangerous files when such files are accessed...

CVSS 8.1, AI score 6.8, EPSS 0.00586
Exploits 1, References 10
Github Security Blog
added 2023/07/05 10:40 p.m., 22 views

Kiwi TCMS's misconfigured HTTP headers allow stored XSS execution with Firefox

Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing potentially dangerous files when such files are accessed...

CVSS 8.1, AI score 7.2, EPSS 0.00586
Exploits 1, References 10, Affected Software 1
CVE
added 2023/07/05 9:02 p.m., 44 views

CVE-2023-36809

Kiwi TCMS prior to version 12.5 is impacted by a stored XSS issue tied to how uploaded attachments (test plans, test cases, etc.) are served. The root cause involved an earlier attempt to treat all uploaded files as plain text to prevent script execution, but some browsers (e.g., Firefox) could i...

CVSS 8.1, AI score 6.6, EPSS 0.00586
Exploits 1, References 6, Affected Software 1
OSV
added 2023/07/05 9:02 p.m., 23 views

CVE-2023-36809 Kiwi TCMS's misconfigured HTTP headers allow stored XSS execution with Firefox

Kiwi TCMS, an open source test management system allows users to upload attachments to test plans, test cases, etc. Versions of Kiwi TCMS prior to 12.5 had introduced changes which were meant to serve all uploaded files as plain text in order to prevent browsers from executing potentially dangero...

CVSS 8.1, AI score 6.2, EPSS 0.00586
Exploits 1, References 8
Huntr
added 2023/06/29 11:30 a.m., 16 views

Stored XSS via user's Full Name

Description The user's full name is rendered as HTML during user deletion. This enables a user to add JavaScript code to the username, which can then be executed in the admin's web page during user deletion. Proof of Concept - Log in as a normal user and change the Full name to: javascript "...

AI score 6.3
Exploits 0, References 1
CNNVD
added 2023/06/05 12:00 a.m., 3 views

Avo cross-site scripting vulnerability

Avo is an open source Ruby on Rails admin panel creation framework from Avo Open Source. A cross-site scripting vulnerability exists in Avo versions 2.33.2 and 3.0.0.pre12, which stems from certain Avo fields being vulnerable to XSS attacks when rendering HTML-based content...

CVSS 7.3, AI score 6, EPSS 0.00563
Exploits 1, References 3
Mageia
added 2023/05/21 8:42 a.m., 55 views

Updated webkit2 packages fix security vulnerability

An HTML document may be able to render iframes with sensitive user information (CVE-2022-0108). Maliciously crafted web content may lead to arbitrary code execution (CVE-2022-32885). A use-after-free vulnerability exists in WebCore::RenderLayer. This issue allows remote attackers to execute arbitrary code ...

CVSS 8.8, AI score 8.4, EPSS 0.27076
Exploits 1, References 3
Veracode
added 2023/05/15 1:40 a.m., 21 views

Cross-Site Scripting (XSS)

XWiki is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly check for dangerous attribute values in HTML rendering before it is output to the front end, allowing an attacker to inject and execute malicious JavaScript in the victim's browser...

CVSS 9, AI score 6, EPSS 0.00652
Exploits 0, References 3, Affected Software 6
OSV
added 2023/05/11 8:37 p.m., 23 views

GHSA-6GF5-C898-7RXP Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

Impact HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting XSS attacks via attributes and link URLs, e.g., supported in XWiki syntax. Patches This has been patched in XWiki 14.6 RC1. Workarounds There are no known workarounds apart from upgradi...

CVSS 9, AI score 7, EPSS 0.01058
Exploits 1, References 5
Prion
added 2023/05/10 6:15 p.m., 27 views

Cross site scripting

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting XSS attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. Ther...

CVSS 5.8, AI score 5.9, EPSS 0.00652
Exploits 0, References 3, Affected Software 2
Vulnrichment
added 2023/05/10 5:18 p.m., 14 views

CVE-2023-32070 Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting XSS attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. Ther...

CVSS 9, AI score 8.4, EPSS 0.00652
Exploits 0, References 3
CVE
added 2023/05/10 5:18 p.m., 60 views

CVE-2023-32070

CVE-2023-32070 affects XWiki Platform’s HTML/XHTML rendering prior to version 14.6-rc-1, where dangerous attributes/attribute values were not checked, enabling XSS via attributes and link URLs in XWiki syntax. The issue is mitigated by upgrading to the fixed version (14.6-rc-1 or later); no publi...

CVSS 9, AI score 7, EPSS 0.00652
Exploits 0, References 3, Affected Software 2
Cvelist
added 2023/05/10 5:18 p.m., 48 views

CVE-2023-32070 Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting XSS attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. Ther...

CVSS 9, AI score 8.6, EPSS 0.00652
Exploits 0, References 3
OSV
added 2023/05/10 5:18 p.m., 32 views

CVE-2023-32070 Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting XSS attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. Ther...

CVSS 9, AI score 6.3, EPSS 0.00652
Exploits 0, References 5
CNNVD
added 2023/05/10 12:00 a.m., 4 views

XWiki Platform cross-site scripting vulnerability

XWiki Platform is a suite of Wiki platforms from the XWiki Foundation in France for creating collaborative web applications. A security vulnerability exists in XWiki Platform versions prior to 14.6-rc-1, which stems from an HTML rendering that does not check for dangerous attributes/attribute...

CVSS 9, AI score 6.7, EPSS 0.00652
Exploits 0, References 4
NVD
added 2023/05/03 9:15 p.m., 22 views

CVE-2023-1836

A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as...

CVSS 5.4, AI score 4.5, EPSS 0.00753
Exploits 0, References 3
Cvelist
added 2023/04/11 12:00 a.m., 12 views

CVE-2023-23277

Snippet-box 1.0.0 is vulnerable to Cross Site Scripting (XSS). Remote attackers can render arbitrary web script or HTML from the "Snippet code" form field...

AI score 6.3, EPSS 0.00669
Exploits 1, References 3
OSV
added 2023/03/06 11:15 a.m., 3 views

CVE-2022-4862

Rendering of HTML provided by another authenticated user is possible in the browser on M-Files Web before 22.12.12140.3. This allows the content to steal sensitive user information. This issue affects M-Files New Web: before 22.12.12140.3...

CVSS 7.6, AI score 5.8, EPSS 0.00358
Exploits 0, References 3