CVE-2025-23207

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade t...

GHSA-CG87-WMX4-V546 KaTeX \htmlData does not validate attribute names

Impact KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Patches Upgrade to KaTeX v0.16.21 to remove this vulnerability. Workarounds - Avoid use of or turn off the...

CVE-2024-47140

A cross-site scripting xss vulnerability exists in the addalertcheck page of Observium CE 24.4.13528. A specially crafted HTTP request can lead to a arbitrary javascript code execution. An authenticated user would need to click a malicious link provided by the attacker...

CVE-2024-45061

A cross-site scripting xss vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to a arbitrary javascript code execution. An authenticated user would need to click a malicious link provided by the attacker...

Observium mapname cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2024-2092 Observium mapname cross-site scripting XSS vulnerability January 15, 2025 CVE Number CVE-2024-45061 SUMMARY A cross-site scripting xss vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP reque...

PT-2025-7271 · Weeek · Weeek

Name of the Vulnerable Software and Affected Versions: WEEEK affected versions not specified Description: The issue is related to the lack of protection for the web page structure in the WEEEK task and project management service. This could allow a remote attacker to execute arbitrary JavaScript...

Observium add_alert_check cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2024-2090 Observium addalertcheck cross-site scripting XSS vulnerability January 15, 2025 CVE Number CVE-2024-47140 SUMMARY A cross-site scripting xss vulnerability exists in the addalertcheck page of Observium CE 24.4.13528. A specially crafted HTTP request can...

PT-2025-2922 · Rancher +1 · Rancher +1

Name of the Vulnerable Software and Affected Versions: Rancher versions 2.9.0 through 2.9.3 Description: A vulnerability in the Rancher UI allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects Rancher versions from 2.9.0 to 2.9.3. The...

CVE-2025-22142 Cross-site Scripting in NamelessMC

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field and users can inject javascript code into it that would be activated once a staffer visits the user's profile on staff...

PT-2025-7268 · Weeek · Weeek

Name of the Vulnerable Software and Affected Versions: WEEEK affected versions not specified Description: The issue is related to the lack of protection for the web page structure in the WEEEK task and project management service. This could allow a remote attacker to execute arbitrary JavaScript...

CVE-2024-46073

A reflected Cross-Site Scripting XSS vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a...

CVE-2024-46073

CVE-2024-46073 describes a reflected Cross‑Site Scripting (XSS) in IceHRM v32.4.0.OS login page. The root cause is improper sanitization of the user-controlled yet echoed “next” parameter, which is included in the response without proper escaping. This enables an attacker to lure a user to a craf...

CVE-2024-46073

A reflected Cross-Site Scripting XSS vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a...

PhpSpreadsheet has a Cross-Site Scripting (XSS) vulnerability of the hyperlink base in the HTML page header

Cross-Site Scripting XSS vulnerability of the hyperlink base in the HTML page header Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS...

PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

Unauthorized Reflected XSS in Currency.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 8.2 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS vector v.4.0: 8.3...

GHSA-J2XG-CJCX-4677 PhpSpreadsheet allows unauthorized Reflected XSS in Currency.php file

Unauthorized Reflected XSS in Currency.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 8.2 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS vector v.4.0: 8.3...

PhpSpreadsheet allows unauthorized Reflected XSS in the Accounting.php file

Unauthorized Reflected XSS in the Accounting.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 8.2 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS vector v.4.0: 8.3...

CVE-2025-21610 Trix allows Cross-site Scripting via `javascript:` url in a link

Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute...

PhpSpreadsheet allows unauthorized Reflected XSS in `Convert-Online.php` file

Unauthorized Reflected XSS in Convert-Online.php file Product: Phpspreadsheet Version: version 3.6.0 CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' CVSS vector v.3.1: 8.2 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS vector v.4.0: 8.3...

PT-2024-65: Unauthorized Reflected XSS in PhpSpreadsheet (Accounting.php)

The vulnerability was identified in PhpSpreadsheet, versions = 3.0.0, = 2.0.0, = 2.2.0, = 3.0.0, = 2.0.0, = 2.2.0, = 2.3.4 to 2.3.5 or higher Additional information: Security advisory Researcher: Aleksey Solovev Positive Technologies...