Vite dev server - Cross-Site Scripting

Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...

EUVD-2021-24830

Malware in sbrugna...

EUVD-2023-3168

Malicious code in bioql PyPI...

GHSA-92R3-M2MG-PJ97 Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Summary When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transformed output by supplying a...

CVE-2023-49293

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...

Design/Logic Flaw

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...

CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...

CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...

PT-2023-7610

Name of the Vulnerable Software and Affected Versions Vite versions prior to 4.4.12 Vite versions prior to 4.5.1 Vite versions prior to 5.0.5 Description The issue is related to Vite's HTML transformation when invoked manually via server.transformIndexHtml. If the original request URL is passed i...

CVE-2021-38377

OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results...

CVE-2021-38377

OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results...

Design/Logic Flaw

OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because there is a predictable UUID with HTML transformation results...

CVE-2017-5223

An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTML method applies transformations to an HTML document to make it usable as an email message body. One of the transformations is to convert relative image URLs into attachments using a script-provided base directory. If no base...

Cross-site Scripting (XSS)

collective.tablepage is vulnerable to cross-site scripting XSS attacks. These attacks are possible because the data from the text cells is transformed directly into HTML without any checks or escaping...