XSS in Data URI

Overview Affected versions of remarkable are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of data: URIs in links, and can therefore execute javascript. Proof of Concept link Recommendation Update to v1.7.0 or later References - Issue 227 - GitHub Advisory...

CVE-2017-2929

Adobe Acrobat Chrome extension version 15.1.0.3 and earlier have a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to JavaScript code execution...

Drupal Autocomplete Deluxe Module Cross-Site Scripting Vulnerability

Drupal is the Drupal community maintained by a set of free , open source content management system developed in PHP language . Autocomplete Deluxe is one of the modules based on the JQuery UI autocomplete for the classification field to create a new widget . A cross-site scripting vulnerability...

CVE-2016-7967

KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled...

Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVE-2016-5740

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. Th...

Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVE-2016-9901

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVE-2016-9901

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

UBUNTU-CVE-2016-9901

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

WordPress: XSS via unicode characters in upload filename

Wordpress has a vulnerability that could lead to javascript execution and thus privileged escalation via an admin visiting the wrong page via specially crafted JavaScript. Unicode characters are escaped by javascript but they are not escaped serverside. I've checked the latest version 4.6.1 at th...

Yandex Browser for desktop Yandex Browser Translator Cross-Site Scripting Vulnerability

Yandex Browser for desktop is a desktop browser from the Russian company Yandex.Yandex Browser Translator is one of the translation applications. A cross-site scripting vulnerability exists in Yandex Browser Translator in Yandex Browser for desktop versions 15.12 through 16.2. A remote attacker c...

CVE-2016-7968

KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed...

IBM Financial Transaction Manager for ACH Cross-Site Scripting Vulnerability

IBM Financial Transaction Manager FTM for ACH Services is a Financial Transaction Manager product from IBM USA, which is used to monitor, track and report on financial payments and transactions. A cross-site scripting vulnerability exists in Financial Transaction Manager FTM for ACH Services...

New Relic: XSS in a newrelic.com site

Hello, I found a XSS vulnerability that could be used by an attacker to execute javascript in the client, for example, an attacker could steal the cookie of the user or an attacker could redirect the client to an attacker site and try to exploit vulnerabilities against the browser. Here you can...

CVE-2016-4215

Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC Classic before 15.006.30198, and Acrobat and Acrobat Reader DC Continuous before 15.017.20050 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors...

The vulnerability of Juniper SRX 240 microprogramming software allows a hacker to execute arbitrary Java scripts in the context of the user’s browser.

The Juniper SRX 240 router software contains a vulnerability in the index.php module, allowing an attacker to execute arbitrary Java scripts in the user’s browser context due to insufficient filtering of service-specific symbols...

The vulnerability of the Thunderbird email client, which allows a remote attacker to execute arbitrary JavaScript code

The vulnerability of the Thunderbird email client lies in the improper restriction of the resource:URL. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code with privileges of a Chrome user, bypassing access policies. This can be achieved by using a...

The vulnerability of the Firefox browser, which allows a remote attacker to execute arbitrary JavaScript code

The vulnerability of Firefox lies in the improper restriction of resource: URL. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code with privileges of a Chrome browser, thereby circumventing access control policies. This can be achieved, for example, by usi...

The vulnerability of the Serv-U File Server allows a malicious attacker to execute arbitrary JavaScript code in the user’s browser, to replace the default content, or to redirect traffic to a specified resource.

The vulnerability of the Serv-U File Server software lies in insufficient checks on the parameters transmitted by clients and the scripts used in HTM scenarios. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code in the user’s browser, replace the displayed...