171 matches found
Opera 9.60 - Persistent Cross-Site Scripting
Opera 9.60 - Persistent Cross-Site Scripting. Opera Stored Cross Site Scripting Vulnerability. Vendor Website: http://www.opera.com. Affected Version: All desktop versions. Public disclosure on 22nd October...
opera-storedxss.txt
Opera Stored Cross Site Scripting Vulnerability. Vendor Website: http://www.opera.com. Affected Version: All desktop versions. Public disclosure on 22nd October 2008...
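XSS vulnerabilities found in multiple RSS readers
IE and Opera parse the content of the description tag under item in RSS as follows: first the content is HTML-decoded (e.g. ‘’ is parsed as ‘’), then the HTML code in it is executed. Because of this parsing approach, some RSS reading tools do not filter this content strictly enough, which results in XSS vulnerabilities. INTERNET EXPLORER ver= IE7; OPERA ver =9.52; Sina Diandiantong (新浪点点通) 1.1.0.8 (currently the latest); Zhoubotong (周博通) 4.028031409 (currently the latest); Maxthon (遨游) 2.1.4.443 (currently the latest) RSS sidebar; awaiting vendor updates. Enter HTML-encoded JS code in the content of the description tag, for example: ?xml version="1.0"...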
XSS bug: usernames not HTML-encoded in all places
When signing up for an account, it is possible to enter a username like "fred". Confluence will accept this, and on certain pages, render it as raw HTML to the user, opening the possibility of cross-site scripting (XSS) attacks. Two places I've spotted the raw HTML so far: - Most prominently, when ...
CVE-2006-2420
CVE-2006-2420 affects Bugzilla 2.20rc1 through 2.20 and 2.21.1 when using RSS 1.0, enabling remote XSS via a title element containing HTML-encoded sequences (e.g., ">") that are decoded by some RSS readers. The issue is described as stemming from RSS design/documentation inconsistencies or RSS...
CVE-2003-0712
The CVE-2003-0712 issue is an XSS vulnerability in Microsoft Exchange Server 5.5 Outlook Web Access (OWA). The root cause is improper HTML encoding in the Compose New Message form, which could allow an attacker to craft a link or email that, when clicked by a user, executes script in the user’s b...
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (Microsoft Security Bulletin MS03-047)
From Microsoft Security Bulletin MS03-047: A cross-site scripting (XSS) vulnerability results due to the way that Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form. An attacker could seek to exploit this vulnerability by having a user run script on the attacker's behalf...
Microsoft Security Bulletin MS03-047
Microsoft Security Bulletin MS03-047. Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489). Issued: October 15, 2003. Version Number: 1.0. Summary: Who Should Read This Document: System administrators who have servers running Microsoft® Exchange...
VBulletin Preview Message - XSS Vuln
VBulletin Private Message "Preview Message" XSS Vulnerability. Any kind of XSS attacks possibility. About VBulletin;...
Microsoft MSN Messenger 1 4 - Malformed Invite Request Denial of Service
Microsoft MSN Messenger 1 4 - Malformed Invite Request Denial of Service. Source: https://www.securityfocus.com/bid/4827/info Microsoft's MSN Messenger is an instant messaging client for Windows-based machines, based on the Passport system. A vulnerability has been reported in some versions of MS...