122 matches found
GHSA-4VF6-MQ7W-3HP6 Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed
ZendFilterStripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional...
Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed
ZendFilterStripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
BIT-DISCOURSE-2022-23549 Discourse vulnerable to bypass of post max_length using HTML comments
Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, users can create posts with raw body longer than the maxlength site setting by including html comments that are not counted toward the...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
ALSA-2024:0121 Moderate: container-tools:4.0 security update
The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Security Fixes: golang: archive/tar: unbounded memory consumption when reading headers CVE-2022-2879 golang: net/http/httputil: ReverseProxy should not forward unparseable query...
Moderate: Red Hat Security Advisory: skopeo security update
An update for skopeo is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
Generic Secret Disclosure
Most of the web applications rely on various public services to provide features to their users. In secure designs, consuming these private services will require authentication like API and private keys, username and password based credentials and similar sensitive data. Developers sometimes hard...
Cross Site Scripting (XSS)
DOMSanitizer is vulnerable to Cross Site Scripting XSS. The vulnerability is caused due to improper sanitization of HTML comments in DOMSanitizer.php. This could allow an attacker to inject malicious code via a HTML comment...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
golang: html/template: improper handling of HTML-like comments within script contexts
A flaw was found in Golang. The html/template package did not properly handle HMTL-like "" comment tokens, nor hashbang "!" comment tokens, in contexts. This issue may cause the template parser to improperly interpret the contents of contexts, causing actions to be improperly escaped...
GHSA-X37V-36WV-6V6H Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml
Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricte...
Cross-site Scripting (XSS)
esdoc-publish-html-plugin is vulnerable to Cross-site Scripting XSS. The vulnerability exists because the markdown function in util.js does not properly remove HTML comments, allowing an attacker to inject and execute malicious HTML content such as through the tag parameter...
SUSE CVE-2007-0537
The KDE HTML library kdelibs, as used by Konqueror 3.5.5, does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting XSS attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment in a title tag, a related issue to...
Design/Logic Flaw
Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, users can create posts with raw body longer than the maxlength site setting by including html comments that are not counted toward the...