CVE-2020-5224

In Django User Sessions django-user-sessions before 1.7.1, the views provided allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the...

Session key exposure through session list in Django User Sessions

Impact The views provided by django-user-sessions allow users to terminate specific sessions. The session key is used to identify sessions, and thus included in the rendered HTML. In itself this is not a problem. However if the website has an XSS vulnerability, the session key could be extracted ...

jenkins: XSS vulnerability in combobox form control

In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox form control interpreted its item labels as HTML, resulting in a stored XSS vulnerability exploitable by users with permission to define its contents...

CVE-2019-19916

In Midori Browser 0.5.11 on Windows 10, Content Security Policy CSP is not applied correctly to all parts of multipart content sent with the multipart/x-mixed-replace MIME type. This could result in script running where CSP should have blocked it, allowing for cross-site scripting XSS and other...

Improper sanitization of HTML in directory names (NC-SA-2019-009)

Some basic HTML tags were rendered as Markup in directory names...

CloudBees Jenkins Git Changelog Plugin Cross-Site Scripting Vulnerability

CloudBees Jenkins formerly known as Hudson Labs is a set of Java-based continuous integration tools from CloudBees, Inc. that are used to monitor ongoing software releases/testing projects and some timed tasks.The Git Changelog Plugin is one of the tools used to create a changelog or release note...

CVE-2018-1000426

A cross-site scripting vulnerability exists in Jenkins Git Changelog Plugin 2.6 and earlier in GitChangelogSummaryDecorator/summary.jelly, GitChangelogLeftsideBuildDecorator/badge.jelly, GitLogJiraFilterPostPublisher/config.jelly, GitLogBasicChangelogPostPublisher/config.jelly that allows attacke...

Cross site scripting

A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins...

CVE-2018-6341

CVE-2018-6341 (React/XSS) : The IBM bulletin confirms a vulnerability in React where rendering HTML via ReactDOMServer fails to escape user-supplied attribute names, enabling cross-site scripting. Affected versions are React 16.0.x through 16.4.x; the issue arises from improper validation/escapin...

Cross-site Scripting (XSS)

jingo is vulnerable to cross-site scripting XSS attacks. The vulnerability exists due to the lack of proper defaults, allowing all HTML to be rendered in markdown by default, causing XSS attacks...

January 26, 2017—KB 3216755 (OS Build 14393.726)

January 26, 2017—KB 3216755 OS Build 14393.726 Improvements and fixes This release is only available on the Microsoft Update Catalog website This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Addressed a known issu...

Cross-Site Scripting (XSS)

fuelux is vulnerable to cross-site scripting XSS vulnerability. It is possible because it allows the name parameter of DE in the email admin screen to directly render as HTML...

CVE-2016-8634

A vulnerability was found in foreman 1.14.0. When creating an organization or location in Foreman, if the name contains HTML then the second step of the wizard /organizations/id/step2 will render the HTML. This occurs in the alertbox on the page. The result is a stored XSS attack if an...

Reverb.com: XSS in buying and selling pages, can created spoofed content (false login message)

Previously this issue was resolved at another location in report 351376 After spending more time searching the website, I found additional areas where this problem persists: https://sandbox.reverb.com/my/buying/orders?query= https://sandbox.reverb.com/my/selling/listings?query=...

Cross-site Scripting (XSS)

Moodle is vulnerable to cross-site scripting XSS attacks. A malicious user can inject and execute arbitrary JavaScript by uploading a zip file through the assignment submission function. This results in text and HTML being rendered during a download all action...

Microsoft Internet Explorer Elevation of Privilege Vulnerability (CVE-2017-0154)

Original link: a Broken Browser Original author: Manuel Caballero Translation: Holic know Chong Yu 404 security lab Today we know from Internet Explorer since the birth there has been function. This feature allows the Web Developer instance of the external object, and therefore be the attacker to...

[SECURITY] Fedora 23 Update: kf5-kdewebkit-5.24.0-1.fc23

KDE Frameworks 5 Tier 3 integration module for the HTML rendering engine We bKit...

[SECURITY] Fedora 24 Update: kf5-kdewebkit-5.24.0-1.fc24

KDE Frameworks 5 Tier 3 integration module for the HTML rendering engine We bKit...

Microsoft Internet Explorer Cmarkup Memory Misreference Vulnerability

Microsoft Internet Explorer IE is a Web browser developed by the American company Microsoft and is the default browser that comes with the Windows operating system. A memory misreference vulnerability exists in Microsoft Internet Explorer Cmarkup, due to a failure to properly handle CMarkup in...

Metasploit Exploit Module for IE Zero-Day Vulnerability

It’s been 14 days since Microsoft issued an advisory and temporary mitigation for a zero-day vulnerability in Internet Explorer, one being actively exploited in the wild and called by some experts as severe a browser bug as you can have. Yet users have since had little more to shield them from...