CVE-2014-2242

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting XSS attacks via an SVG upload, as demonstrated by use of a W...

CVE-2014-2242

includes/upload/UploadBase.php in MediaWiki before 1.19.12, 1.20.x and 1.21.x before 1.21.6, and 1.22.x before 1.22.3 does not prevent use of invalid namespaces in SVG files, which allows remote attackers to conduct cross-site scripting XSS attacks via an SVG upload, as demonstrated by use of a W...

Google Chrome XSSAuditor Filter Security Policy Bypass

A policy bypass vulnerability exists in Google Chrome. The vulnerability is due a design weakness in Chrome XSSAuditor. By inserting JavaScript in the srcdoc attribute of an IFRAME tag, the Cross-Site Scripting filter can be bypassed. An attacker can exploit this weakness to further facilitate...

Mozilla Thunderbird Multiple XSS Vulnerabilities (Feb 2014) - Windows

Mozilla Thunderbird is prone to multiple cross site scripting vulnerabilities. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

SeaMonkey Multiple XSS Vulnerabilities (Feb 2014) - Windows

SeaMonkey is prone to multiple cross site scripting vulnerabilities. SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Cross site scripting

Cross-site scripting XSS vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a...

CVE-2013-6674

Cross-site scripting XSS vulnerability in Mozilla Thunderbird 17.x through 17.0.8, Thunderbird ESR 17.x through 17.0.10, and SeaMonkey before 2.20 allows user-assisted remote attackers to inject arbitrary web script or HTML via an e-mail message containing a data: URL in an IFRAME element, a...

CVE-2013-6674

CVE-2013-6674 is an XSS vulnerability in Mozilla Thunderbird 17.x up to 17.0.8, Thunderbird ESR 17.x up to 17.0.10, and SeaMonkey before 2.20. The issue is triggered by an email containing a data: URL inside an IFRAME, allowing a user‑assisted remote attacker to inject arbitrary web script/HTML. ...

Design/Logic Flaw

Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint...

CVE-2014-1483

Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to bypass the Same Origin Policy and obtain sensitive information by using an IFRAME element in conjunction with certain timing measurements involving the document.caretPositionFromPoint and document.elementFromPoint...

PNG Image Metadata Found Leveraging iFrame Injections

Researchers have discovered a relatively new way to distribute malware that relies on reading JavaScript code stored in an obfuscated PNG file’s metadata to trigger iFrame injections. The technique makes it highly unlikely a virus scanner would catch it because the injection method is so deeply...

Modern Browser XSS Filter Evasion

Modern browsers usually have an antiXSS filter, that protects users from some of the consequences of this kind of attacks. Normally, they block cross site scripting execution, so the "injected" code normally, JavaScript or HTML is not executed inside victim's browser. Chrome calls this filter...

XSS Filter Bypass Bug Found in Chrome and Safari

There is a bug in the anti-cross site scripting filter in Chrome and Safari that enables an attacker to bypass the filter in some cases and use an XSS flaw on a given site to compromise visitors’s machines. The vulnerability is fairly simple to exploit and a researcher has posted proof-of-concept...

Patched Microsoft Office 365 XSS Vulnerability Disclosed

A researcher in the UK disclosed the details of a serious cross-site scripting vulnerability in Office 365 that would allow an attacker with a mailbox on Office 365 to gain administrator rights over the Microsoft Web-based application in an organization. An exploit in an enterprise environment...

Feedburner Hosting Malicious JavaScript Dropper

A sub-domain of Google’s Feedburner RSS management platform is hosting a string of malicious JavaScript embedded with an iFrame, all of which is designed to upload a Trojan onto user machines and redirect visitors to a series of malicious sites. According to a report published by the security fir...

CVE-2013-6328

Cross-site scripting XSS vulnerability in the Web Content Manager WCM UI in IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.0.0.x through 7.0.0.2 CF26, and 8.0.0.x before 8.0.0.1 CF09 allows remote attackers to inject arbitrary web script or HTML via vectors...

CVE-2013-6328

The CVE-2013-6328 entry describes a Cross-site scripting (XSS) flaw in the Web Content Manager (WCM) UI of IBM WebSphere Portal. Affected products span IBM WebSphere Portal 6.1.0.x (up to 6.1.0.6 CF27), 6.1.5.x (up to 6.1.5.3 CF27), 7.0.0.x (up to 7.0.0.2 CF26), and 8.0.0.x (before 8.0.0.1 CF09)....

iScripts MultiCart 2.4 - Persistent Cross-Site Scripting Cross-Site Request Forgery Cross-Site Scripting Cross-Site Request Forgery Mass Accounts Takeover

iScripts MultiCart 2.4 - Persistent Cross-Site Scripting Cross-Site Request Forgery Cross-Site Scripting Cross-Site Request Forgery Mass Accounts Takeover Exploit Title : iScripts MultiCart same product id for which you submited the review. Cross-site request forgery body...

iScripts MultiCart 2.4 Cross Site Request Forgery / Cross Site Scripting

Exploit Title : iScripts MultiCart same product id for which you submited the review. Cross-site request forgery input type=hidden size=30 maxlengt...

Ubuntu 12.04 LTS / 12.10 / 13.04 / 13.10 : firefox vulnerabilities (USN-2052-1)

Ben Turner, Bobby Holley, Jesse Ruderman, Christian Holler and Christoph Diehl discovered multiple memory safety issues in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or...