214 matches found

CVE
added 2024/03/18 12:0 a.m., 65 views

CVE-2024-29154

Fabric (danielmiessler) up to version 1.3.0 is affected by an XSS flaw in installer/client/gui/static/js/index.js due to innerHTML mishandling in htmlToPlainText. Impact described as cross-site scripting; no exploit details are provided in the documents. A PT-2024-22771 advisory suggests mitigati...

CVSS 7.4, AI score 6, EPSS 0.00351
Exploits 0, References 1, Affected Software 1

Cvelist
added 2023/10/30 10:18 p.m., 24 views

CVE-2023-43797 BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby...

CVSS 6.3, AI score 6.3, EPSS 0.00418
Exploits 0, References 3

Veracode
added 2023/10/09 11:6 a.m., 17 views

Cross Site Scripting (XSS)

quill-mention is vulnerable to Cross Site Scripting. The vulnerability is due to mention.js and quill.mention.js as there is no escaping or sanitization for the list items which are rendered using innerHTML. This allows an attacker to insert a malicious script in innerHTML. When the script is...

CVSS 6.1, AI score 6.1, EPSS 0.0057
Exploits 1, References 5, Affected Software 1

Huntr
added 2023/07/24 1:37 p.m., 4 views

Stored XSS at Guest Lobby

Description: Guest Lobby is vulnerable to XSS when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Proof of Concept: 1. Start a new web conference and change Guest policy to "Ask Moderator" role moderator 2. Attacker edit "Message to the...

AI score 6.6
Exploits 0

SUSE CVE
added 2023/02/15 4:46 a.m., 2 views

SUSE CVE-2017-7799

JavaScript in the "about:webrtc" page is not sanitized properly before being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack...

CVSS 4.2, AI score 7.7, EPSS 0.01412
Exploits 1, References 4

SUSE CVE
added 2023/02/15 4:12 a.m., 2 views

SUSE CVE-2019-11744

Some HTML elements, such as title and textarea, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if...

CVSS 7.5, AI score 7.9, EPSS 0.0145
Exploits 0, References 17

Veracode
added 2022/12/16 7:13 a.m., 22 views

Remote Code Execution

@editorjs/editorjs is vulnerable to remote code execution. An attacker is able to upload and execute malicious code on the system via pasted input into wrapper's innerHTML method...

CVSS 6.1, AI score 7.2, EPSS 0.00533
Exploits 1, References 4, Affected Software 1

Cvelist
added 2022/12/15 2:8 a.m., 47 views

CVE-2022-23474 editor.js contains Code Injection

Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0...

CVSS 6.1, AI score 6.6, EPSS 0.00533
Exploits 1, References 2

Veracode
added 2022/10/27 3:29 a.m., 20 views

Cross-site Scripting (XSS)

Rails is vulnerable to cross-site scripting (XSS) attacks. The use of innerHTML in the checkNoMatch function allows a remote authenticated attacker to inject and execute malicious JavaScript in the victim's browser...

CVSS 5.4, AI score 5.4, EPSS 0.0068
Exploits 1, References 4, Affected Software 1

Prion
added 2022/06/30 1:15 p.m., 8 views

Cross site scripting

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view's tagName to...

CVSS 2.6, AI score 7.3, EPSS 0.0071
Exploits 0, References 3, Affected Software 1

OSV
added 2021/12/10 6:58 p.m., 3 views

GHSA-2589-W6XF-983R Cross-site scripting in react-bootstrap-table

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output...

CVSS 6.1, AI score 5.9, EPSS 0.01341
Exploits 1, References 5

OSV
added 2021/09/22 8:39 p.m., 58 views

GHSA-QH7X-J4V8-QW5W Clipboard-based XSS

Impact: XSS against the user. Details: jsuites is vulnerable to DOM-based XSS if the user can be tricked into copying anything from a malicious and pasting it into the HTML editor. This is because a part of the clipboard content is directly written to innerHTML causing XSS. References: The Curious...

CVSS 8.7, AI score 6.6, EPSS 0.01027
Exploits 0, References 6

ATTACKERKB
added 2021/08/12 9:15 p.m., 3 views

CVE-2021-37700

@github/paste-markdown is an npm package for pasting markdown objects. A self Cross-Site Scripting vulnerability exists in the @github/paste-markdown before version 0.3.4. If the clipboard data contains the string , a div is dynamically created, and the clipboard content is copied into its...

CVSS 6.5, AI score 5.7, EPSS 0.0166
Exploits 1, References 6, Affected Software 1

OSV
added 2021/06/24 3:15 p.m., 5 views

CVE-2021-23398

All versions of package react-bootstrap-table are vulnerable to Cross-site Scripting (XSS) via the dataFormat parameter. The problem is triggered when an invalid React element is returned, leading to dangerouslySetInnerHTML being used, which does not sanitize the output...

CVSS 6.1, AI score 6.4, EPSS 0.01341
Exploits 1, References 4

Veracode
added 2021/01/25 6:33 a.m., 14 views

Cross-Site Scripting (XSS)

vis-timeline is vulnerable to cross-site scripting. An attacker is able to inject malicious code into the innerHTML property element...

CVSS 6.8, AI score 1.9, EPSS 0.01444
Exploits 1, References 2, Affected Software 1

Veracode
added 2020/09/21 6:40 a.m., 37 views

Cross-site Scripting (XSS)

Firefox is vulnerable to cross-site scripting (XSS). The vulnerability exists when pasting a tag from the clipboard into a rich text editor, and the CSS sanitizer does not escape characters, and when a webpage subsequently copies the node's innerHTML, and assigns it to another innerHTML...

CVSS 6.1, AI score 7.1, EPSS 0.02004
Exploits 0, References 25, Affected Software 4

Veracode
added 2020/09/21 6:32 a.m., 16 views

Cross-site Scripting (XSS)

Firefox is vulnerable to cross-site scripting (XSS). JavaScript in the "about:webrtc" page is not sanitized properly before being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could...

CVSS 6.1, AI score 0.5, EPSS 0.01412
Exploits 1, References 4, Affected Software 2

Veracode
added 2020/09/21 6:29 a.m., 25 views

Cross-site Scripting (XSS)

Activity Stream is vulnerable to cross-site scripting (XSS). It can display content sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for potential access to other information available to the Activity Strea...

CVSS 5.3, AI score 0.9, EPSS 0.01235
Exploits 0, References 5, Affected Software 2

OSV
added 2020/09/03 5:6 p.m., 2 views

GHSA-R3XC-47QG-H929 Cross-Site Scripting in @ionic/core

Versions of @ionic/core prior to 4.0.3, 4.1.3, 4.2.1 or 4.3.1 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. This issue affects the components: ...

AI score 6.1
Exploits 0, References 3

OSV
added 2020/09/03 5:3 p.m., 9 views

GHSA-C53X-WWX2-PG96 Cross-Site Scripting in @berslucas/liljs

Versions of @berslucas/liljs prior to 1.0.2 are vulnerable to Cross-Site Scripting (XSS). The package uses the unsafe innerHTML function without sanitizing input, which may allow attackers to execute arbitrary JavaScript on the victim's browser. Recommendation: Upgrade to version 1.0.2 or later...

CVSS 6.5, AI score 6.9
Exploits 0, References 6