Input validation

Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during miauth authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 including 12.x are affected. This has been fixed ...

CVE-2023-24810

CVE-2023-24810 affects Misskey prior to 13.3.1, where insufficient validation of the redirect URL during miauth authentication allows arbitrary JavaScript execution when a user approves the link. Versions below 13.3.1 (including 12.x) are impacted; a fix is available in 13.3.1. If upgrading is no...

CVE-2022-23713

A Cross-site-scripting XSS vulnerability was found in the Vega Charts Kibana integration. This issue could allow arbitrary JavaScript to be executed in a victim’s browser...

PT-2023-19942 · Misskey · Misskey

Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 13.5.0 Description: Misskey is an open source, decentralized social media platform. The link to the instance of the sender that appears when viewing a user or note received through ActivityPub is not properly validat...

PT-2023-19794 · Misskey · Misskey

Name of the Vulnerable Software and Affected Versions: Misskey versions prior to 13.3.1 Description: The issue arises from insufficient validation of the redirect URL during miauth authentication, allowing arbitrary JavaScript execution when a user allows the link. This can be exploited when user...

K26351280: HTTP proxy client implementations vulnerability VU#905344

Security Advisory Description HTTP CONNECT requests and 407 Proxy Authentication Required messages are not integrity protected and are susceptible to man-in-the-middle attacks. WebKit-based applications are additionally vulnerable to arbitrary HTML markup and JavaScript execution in the context o...

K20606443: iControl REST CSRF vulnerability CVE-2020-5922

Security Advisory Description iControl REST does not implement cross-site request forgery CSRF protections for users applying basic authentication in a web browser. CVE-2020-5922 Impact In a successful exploit, an attacker can run JavaScript in the context of the currently logged-in user. For an...

AXIS 207W 跨站脚本漏洞

The AXIS 207W is a web camera from AXIS Sweden. The AXIS 207W network camera suffers from a cross-site scripting vulnerability that originates from a Reflected Cross-Site Scripting XSS vulnerability in the Web Management Portal, which can be exploited by a remote attacker to execute arbitrary...

CVE-2019-17003

Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed...

CVE-2019-17003

CVE-2019-17003 describes that scanning a QR code containing a javascript: URL could cause JavaScript to be executed. Connected sources consistently reference this behavior and assign a CVSS v3.1 base score of 6.1 (MEDIUM) with NETWORK attack vector, UI: REQUIRED, and impact on Confidentiality/Int...

SUSE CVE-2006-3014

Microsoft Excel allows user-assisted attackers to execute arbitrary javascript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet...

SUSE CVE-2007-5338

Mozilla Firefox before 2.0.0.8 and SeaMonkey before 1.1.5 allow remote attackers to execute arbitrary Javascript with user privileges by using the Script object to modify XPCNativeWrappers in a way that causes the script to be executed when a chrome action is performed...

SUSE CVE-2009-2665

The nsDocument::SetScriptGlobalObject function in content/base/src/nsDocument.cpp in Mozilla Firefox 3.5.x before 3.5.2, when certain add-ons are enabled, does not properly handle a Link HTTP header, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafte...

SUSE CVE-2009-3986

Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to execute arbitrary JavaScript with chrome privileges by leveraging a reference to a chrome window from a content window, related to the window.opener property...

SUSE CVE-2013-0757

The Chrome Object Wrapper COW implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderbird ESR 17.x before 17.0.2, and SeaMonkey before 2.15 does not prevent modifications to the prototype of an object, which allows remote attackers to...

SUSE CVE-2013-6658

Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving 1 running JavaScript code during execution of the...

SUSE CVE-2015-6716

The ANSendForFormDistribution method in Adobe Reader and Acrobat 10.x before 10.1.16 and 11.x before 11.0.13, Acrobat and Acrobat Reader DC Classic before 2015.006.30094, and Acrobat and Acrobat Reader DC Continuous before 2015.009.20069 on Windows and OS X allows attackers to bypass JavaScript A...

SUSE CVE-2017-5085

Inappropriate implementation in Bookmarks in Google Chrome prior to 59 for iOS allowed a remote attacker who convinced the user to perform certain operations to run JavaScript on chrome:// pages via a crafted bookmark...

SUSE CVE-2017-7846

It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via "View - Feed article - Website" or in the standard format of "View - Feed article - default format". This vulnerability affects Thunderbird 52.5.2...

SUSE CVE-2018-8768

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous...