Lucene search

120 matches found

Cvelist
added 2025/08/19 7:34 p.m. · 7 views

CVE-2025-43744

A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and...

CVSS 5.1 · EPSS 0.00166
Exploits: 0 · References: 1
NVD
added 2025/08/19 5:15 p.m. · 5 views

CVE-2025-54881

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...

CVSS 5.3 · EPSS 0.0071
Exploits: 0 · References: 3
OSV
added 2025/08/19 5:15 p.m. · 3 views

UBUNTU-CVE-2025-54881

Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...

CVSS 5.3 · AI score 5.8 · EPSS 0.0071
Exploits: 0 · References: 5
BDU FSTEC
added 2025/07/07 12:0 a.m. · 4 views

The vulnerability of the platform for monitoring, managing, and improving LLM applications lies in the insufficient protection of the website structure, allowing attackers to perform cross-site scripting attacks.

The vulnerability of the platform for monitoring, managing, and improving LLM applications is related to insufficient protection of the web page structure when processing the dangerouslySetInnerHTML attribute. Exploiting this vulnerability allows a remote attacker to perform cross-site scripting...

CVSS 9.4 · AI score 7.5 · EPSS 0.00415
Exploits: 1 · References: 3 · Affected Software: 1
RedhatCVE
added 2025/05/23 8:15 a.m. · 2 views

CVE-2024-9440

Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption, the text variable from the user-provided Options object is assigned to an innerHTML without sanitation. Software that depends on this library to dynamically generate...

CVSS 6.1 · AI score 6.2 · EPSS 0.00341
Exploits: 1 · References: 1
ATTACKERKB
added 2025/01/27 2:15 p.m. · 2 views

CVE-2022-4975

A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/ endpoints, the front-end generates a DOM table-element id="pdf-table". This information is then populated with unsanitized data usi...

CVSS 8.9 · AI score 7.1 · EPSS 0.00304
Exploits: 0 · References: 3
Snyk
added 2024/11/29 7:40 p.m. · 1 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Content name pattern due to the insecure usage of innerHTML in the getTextHeight function. This is only exploitable if the user has content edit permissions. Details Cross-site scripting or XSS is a code...

CVSS 5.4 · AI score 5.3 · EPSS 0.00501
Exploits: 0 · References: 2
Positive Technologies
added 2024/04/04 12:0 a.m. · 5 views

PT-2024-22797

Name of the Vulnerable Software and Affected Versions: gotortc versions 1.8.5 and prior Description: gotortc is a camera streaming application. The index page index.html shows available streams by fetching the API on the client side, using Object.entries to iterate over the result, and appending...

CVSS 6.1 · AI score 5.2 · EPSS 0.00453
Exploits: 1 · References: 9
Positive Technologies
added 2024/03/17 12:0 a.m. · 2 views

PT-2024-22771 · Danielmiessler · Fabric

Name of the Vulnerable Software and Affected Versions: danielmiessler fabric versions 1.3.0 and earlier Description: The issue is related to innerHTML mishandling, which can lead to XSS attacks, specifically in the installer/client/gui/static/js/index.js file, such as in the htmlToPlainText...

CVSS 7.4 · AI score 6 · EPSS 0.00351
Exploits: 0 · References: 5
Snyk
added 2023/11/15 7:54 p.m. · 2 views

Cross-site Scripting (XSS)

Overview TinyMCE is a web-based JavaScript HTML WYSIWYG editor control. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via mutation of inner HTML. An attacker can inject malicious scripts that pass the initial sanitization layer when the content is parsed into the...

CVSS 6.1 · AI score 5.3 · EPSS 0.00715
Exploits: 0 · References: 2
Positive Technologies
added 2023/10/30 12:0 a.m. · 3 views

PT-2023-28989 · Unknown · Bigbluebutton

Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.6.11 BigBlueButton versions prior to 2.7.0-beta.3 Description: The issue affects BigBlueButton, an open-source virtual classroom, where the Guest Lobby is vulnerable to cross-site scripting. This occurs when...

CVSS 6.3 · AI score 5.2 · EPSS 0.00418
Exploits: 0 · References: 7
CNNVD
added 2022/12/15 12:0 a.m. · 50 views

Editor.js cross-site scripting vulnerability

Editor.js is a CodeX open source block style editor with clean JSON output. A cross-site scripting vulnerability exists in Editor.js versions prior to 2.26.0, which stems from easy code injection via pasted input, where the processHTML method passes pasted input to the innerHTML of the wrapper...

CVSS 6.1 · AI score 6 · EPSS 0.00533
Exploits: 1 · References: 3
CNNVD
added 2021/08/12 12:0 a.m. · 3 views

paste-markdown cross-site scripting vulnerability

paste-markdown is a paste Markdown object. A cross-site scripting vulnerability exists in paste-markdown versions prior to 0.3.4, which stems from dynamically creating a div if the clipboard data contains the string and copying the clipboard content into its innerHTML attribute without any cleanu...

CVSS 6.5 · AI score 6.1 · EPSS 0.0166
Exploits: 1 · References: 4
OSV
added 2020/09/03 3:50 p.m. · 0 views

GHSA-F8RQ-M28H-8HXJ Cross-Site Scripting in htmr

Versions of htmr prior to 0.8.7 are vulnerable to Cross-Site Scripting (XSS). The package uses innerHTML to unescape HTML entities. This may lead to DOM-based XSS through HTML-encoded XSS payloads. This may allow an attacker to execute arbitrary JavaScript in a victim's browser. Recommendation...

AI score 6.1
Exploits: 0 · References: 2
OSV
added 2019/09/27 6:15 p.m. · 3 views

DEBIAN-CVE-2019-11744

Some HTML elements, such as title and textarea, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if...

CVSS 6.1 · AI score 7.2 · EPSS 0.0145
Exploits: 0 · References: 1
OSV
added 2019/09/04 12:0 a.m. · 0 views

UBUNTU-CVE-2019-11744

Some HTML elements, such as title and textarea, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if...

CVSS 6.1 · AI score 6.7 · EPSS 0.0145
Exploits: 0 · References: 6
OSV
added 2019/07/23 2:15 p.m. · 1 views

CVE-2019-11718

Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snippet...

CVSS 5.3 · AI score 6.9
Exploits: 0 · References: 5
OSV
added 2019/07/11 12:0 a.m. · 2 views

UBUNTU-CVE-2019-11718

Activity Stream can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snippet...

CVSS 5.3 · AI score 6.8 · EPSS 0.01235
Exploits: 0 · References: 4
OSV
added 2018/06/11 9:29 p.m. · 1 views

CVE-2017-7799

JavaScript in the "about:webrtc" page is not sanitized properly before being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack...

CVSS 6.1 · AI score 7.2
Exploits: 0 · References: 4
RedHat Linux
added 2016/08/11 1:23 a.m. · 2 views

django: XSS in admin's add/change related popup

A cross-site scripting (XSS) flaw was found in Django. An attacker could exploit the unsafe usage of JavaScript's Element.innerHTML to forge content in the admin's add/change related pop-up. Element.textContent is now used to prevent XSS data execution...

CVSS 6.1 · AI score 5.6 · EPSS 0.05536
Exploits: 6 · References: 4