5124 matches found

Vulnrichment
added 2022/06/02 6:25 p.m., 5 views

CVE-2022-31024 Federated editing allows iframing remote servers by default in richdocuments

richdocuments is the repository for NextCloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fi...

CVSS 6.5 | AI score 6.5 | EPSS 0.00572
Exploits 0 | References 3

RedHat Linux
added 2022/06/01 10:21 p.m., 5 views

Mozilla: Browser window spoof using fullscreen mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue: when exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.00584
Exploits 0 | References 4

RedHat Linux
added 2022/06/01 10:01 p.m., 3 views

Mozilla: Browser window spoof using fullscreen mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue: when exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.00584
Exploits 0 | References 4

RedHat Linux
added 2022/06/01 9:54 p.m., 2 views

Mozilla: Browser window spoof using fullscreen mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue: when exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.00584
Exploits 0 | References 4

RedHat Linux
added 2022/06/01 9:09 p.m., 4 views

Mozilla: Browser window spoof using fullscreen mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue: when exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.00584
Exploits 0 | References 4

RedHat Linux
added 2022/06/01 9:08 p.m., 4 views

Mozilla: Browser window spoof using fullscreen mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue: when exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.00584
Exploits 0 | References 4

RedHat Linux
added 2022/06/01 8:30 p.m., 3 views

Mozilla: Browser window spoof using fullscreen mode

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue: when exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks...

CVSS 6.5 | AI score 7.3 | EPSS 0.00584
Exploits 0 | References 4

UbuntuCve
added 2022/06/01 12:00 a.m., 27 views

CVE-2022-31738

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird 91.10, Firefox 101, and Firefox ESR 91.10...

CVSS 6.5 | AI score 6.9 | EPSS 0.00584
Exploits 0 | References 6

OSV
added 2022/06/01 12:00 a.m., 0 views

UBUNTU-CVE-2022-31738

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks. This vulnerability affects Thunderbird 91.10, Firefox 101, and Firefox ESR 91.10...

CVSS 6.5 | AI score 6.9 | EPSS 0.00584
Exploits 0 | References 7

Tenable Nessus
added 2022/05/31 12:00 a.m., 47 views

Mozilla Firefox < 101.0

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 101.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-20 advisory. - Mozilla developers Gabriele Svelto, Timothy Nikkel, Randell Jesup, Jon Coppeard, and the Mozilla Fuzzing Tea...

CVSS 9.8 | AI score 7.5 | EPSS 0.01107
Exploits 0 | References 14

Tenable Nessus
added 2022/05/31 12:00 a.m., 46 views

Mozilla Thunderbird < 91.10

The version of Thunderbird installed on the remote Windows host is prior to 91.10. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-22 advisory. - Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs...

CVSS 9.8 | AI score 8.2 | EPSS 0.01055
Exploits 0 | References 10

Snyk
added 2022/05/24 5:37 p.m., 3 views

Cross-site Scripting (XSS)

Overview: UmbracoCms.Core is an ASP.NET CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization. An authenticated user can inject arbitrary JavaScript code into IFrames when editing content using the TinyMCE rich-text editor, as...

CVSS 5.4 | AI score 5.2 | EPSS 0.00677
Exploits 1 | References 2

Github Security Blog
added 2022/05/24 5:13 p.m., 25 views

xdlocalstorage does not verify request origin

An issue was discovered in xdLocalStorage through 2.0.5. The postData function in xdLocalStoragePostMessageApi.js specifies the wildcard as the targetOrigin when calling the postMessage function on the parent object. Therefore any domain can load the application hosting the "magical iframe" and...

CVSS 8.8 | AI score 6.9 | EPSS 0.0141
Exploits 1 | References 5 | Affected Software 1

OSV
added 2022/05/24 4:53 p.m., 8 views

GHSA-4QQ9-QG7J-FCM9 Dolibarr Cross-Site Request Forgery (CSRF)

An issue was discovered in Dolibarr. A user can store an IFRAME element containing a user/card.php CSRF request in his Linked Files settings page. When visited by the admin, this could completely take over the admin account. The protection mechanism for CSRF is to check the Referer header; howeve...

CVSS 8 | AI score 7.7 | EPSS 0.00615
Exploits 1 | References 6

Tenable Nessus
added 2022/05/24 12:00 a.m., 33 views

Debian DLA-3020-1 : thunderbird - LTS security update

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3020 advisory. Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code. For Debian 9 stretch, these...

CVSS 9.8 | AI score 7.8 | EPSS 0.01005
Exploits 3 | References 19

The Hacker News
added 2022/05/23 9:08 a.m., 29 views

New Unpatched Bug Could Let Attackers Steal Money from PayPal Users

A security researcher claims to have discovered an unpatched vulnerability in PayPal's money transfer service that could allow attackers to trick victims into unknowingly completing attacker-directed transactions with a single click. Clickjacking, also called UI redressing, refers to a technique...

AI score 0.4
Exploits 0

BDU FSTEC
added 2022/05/23 12:00 a.m., 4 views

Vulnerability of the isolated iframe environment in Firefox web browsers, Firefox ESR, and Thunderbird email client, allowing attackers to circumvent existing security restrictions

The vulnerability in the isolated iframe environment of Firefox web browsers, Firefox ESR, and the Thunderbird email client is related to an incorrect limitation on the number of visible layers or frames. Exploiting this vulnerability allows a malicious actor to bypass existing security...

CVSS 7.6 | AI score 7 | EPSS 0.00561
Exploits 0 | References 14 | Affected Software 8

OpenVAS
added 2022/05/21 12:00 a.m., 20 views

openSUSE: Security Advisory for MozillaFirefox (SUSE-SU-2022:1748-1)

The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 9.8 | AI score 8.5 | EPSS 0.01005
Exploits 3 | References 2

RedhatCVE
added 2022/05/20 11:18 p.m., 23 views

CVE-2019-13075

Tor Browser through 8.5.3 has an information exposure vulnerability. It allows remote attackers to detect the browser's language via vectors involving an IFRAME element, because text in that language is included in the title attribute of a LINK element for a non-HTML page. This is related to a...

CVSS 5.3 | AI score 5.2 | EPSS 0.01856
Exploits 1 | References 1

Prion
added 2022/05/20 7:15 p.m., 20 views

Cross site scripting

GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 inclusive are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details Graphs tab. It is possible for a malicious script on an attacker-hosted site to execute script tha...

CVSS 4.3 | AI score 5.2 | EPSS 0.00782
Exploits 0 | References 4 | Affected Software 1