GHSA-9695-8FR9-HW5Q Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes

Summary A stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details The detectXss function relies on a...

Cross site scripting

Multiple cross-site scripting XSS vulnerabilities in Six Apart Movable Type MT before 4.23 allow remote attackers to inject arbitrary web script or HTML via a 1 MTEntryAuthorUsername, 2 MTAuthorDisplayName, 3 MTEntryAuthorDisplayName, or 4 MTCommenterName field in a Profile View template; a 5...