5053 matches found

Positive Technologies
added 2023/04/18 12:00 a.m. · 1 view

PT-2023-22297 · Xwiki · Xwiki Platform

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.1 XWiki Platform versions prior to 15.0 RC1 Description: The XWiki Platform is a generic wiki platform offering runtime...

CVSS 7.7 · AI score 5.6 · EPSS 0.06572
Exploits 1 · References 11
NVD
added 2023/04/15 3:15 p.m. · 14 views

CVE-2023-29201

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 9 · AI score 9.2 · EPSS 0.09347
Exploits 1 · References 6
NVD
added 2023/04/15 3:15 p.m. · 11 views

CVE-2023-29202

XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular...

CVSS 9 · AI score 8.9 · EPSS 0.11017
Exploits 1 · References 3
Prion
added 2023/04/15 3:15 p.m. · 13 views

Cross site scripting

XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular...

CVSS 6 · AI score 8.6 · EPSS 0.11017
Exploits 1 · References 3 · Affected Software 1
Prion
added 2023/04/15 3:15 p.m. · 18 views

Cross site scripting

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 6 · AI score 9.1 · EPSS 0.09347
Exploits 1 · References 6 · Affected Software 1
Cvelist
added 2023/04/15 2:28 p.m. · 17 views

CVE-2023-29202 org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular...

CVSS 9 · AI score 9 · EPSS 0.11017
Exploits 1 · References 3
CVE
added 2023/04/15 2:24 p.m. · 320 views

CVE-2023-29201

XWiki Commons (org.xwiki.commons:xwiki-commons-xml) is affected by an XSS vulnerability in the HTML cleaner’s restricted mode introduced in 4.2-milestone-1. The restricted mode only escaped [removed] and tags, but did not escape dangerous attributes or other HTML elements (e.g., iframe), enablin...

CVSS 9 · AI score 9.2 · EPSS 0.09347
Exploits 1 · References 6 · Affected Software 1
Cvelist
added 2023/04/15 2:24 p.m. · 28 views

CVE-2023-29201 org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 9 · AI score 9.4 · EPSS 0.09347
Exploits 1 · References 6
Vulnrichment
added 2023/04/15 2:24 p.m. · 7 views

CVE-2023-29201 org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...

CVSS 9 · AI score 9.2 · EPSS 0.09347
Exploits 1 · References 6
CNNVD
added 2023/04/15 12:00 a.m. · 3 views

Easy!Appointments cross-site scripting vulnerability

Easy!Appointments is a web-based appointment and schedule management system. A cross-site scripting vulnerability exists in versions prior to Easy!Appointments 1.5.0, which can be exploited by an attacker to perform javascript injection, cookie theft, install javascript malware and keyloggers, an...

CVSS 6.8 · AI score 5.8 · EPSS 0.0036
Exploits 1 · References 3
OSV
added 2023/04/12 8:38 p.m. · 15 views

GHSA-C885-89FW-55QR org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability

Impact The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting XSS by specifying an RSS...

CVSS 9 · AI score 8.9 · EPSS 0.11017
Exploits 1 · References 5
Github Security Blog
added 2023/04/12 8:38 p.m. · 19 views

org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability

Impact The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting XSS by specifying an RSS...

CVSS 9 · AI score 8.7 · EPSS 0.11017
Exploits 1 · References 5 · Affected Software 2
Github Security Blog
added 2023/04/12 8:38 p.m. · 23 views

org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability

Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . As a consequence, any code relying on this "restricted" mode for security is...

CVSS 9 · AI score 9.1 · EPSS 0.09347
Exploits 1 · References 8 · Affected Software 1
Vulnrichment
added 2023/04/11 12:00 a.m. · 4 views

CVE-2023-28341

Stored Cross site scripting XSS vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page...

AI score 6.1 · EPSS 0.63379
Exploits 0 · References 2
NVD
added 2023/04/10 2:15 p.m. · 13 views

CVE-2023-0546

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...

CVSS 5.4 · AI score 5.5 · EPSS 0.00198
Exploits 2 · References 1
OSV
added 2023/04/10 2:15 p.m. · 2 views

CVE-2023-0546

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...

CVSS 5.4 · AI score 6.8
Exploits 0 · References 1
CVE
added 2023/04/10 1:18 p.m. · 71 views

CVE-2023-0546

CVE-2023-0546 affects the Contact Form Plugin WordPress plugin (pre-4.3.25). The issue is stored XSS via improper sanitization/escaping of the srcdoc attribute in iframes within the plugin’s custom HTML field, enabling a logged-in user with Contributor+ privileges to inject arbitrary JavaScript t...

CVSS 5.4 · AI score 5.8 · EPSS 0.00198
Exploits 2 · References 1 · Affected Software 1
Vulnrichment
added 2023/04/10 1:18 p.m. · 10 views

CVE-2023-0546 FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...

AI score 5.5 · EPSS 0.00198
Exploits 2 · References 1
Positive Technologies
added 2023/04/10 12:00 a.m. · 3 views

PT-2023-16352 · WordPress · Contact-Form-Plugin

Name of the Vulnerable Software and Affected Versions: Contact Form Plugin WordPress plugin versions prior to 4.3.25 Description: The issue allows a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form. This can be achieved by exploiting the improper...

CVSS 5.4 · AI score 6.2 · EPSS 0.00198
Exploits 2 · References 4
OSV
added 2023/04/06 4:15 p.m. · 0 views

UBUNTU-CVE-2023-24538

Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to...

CVSS 9.8 · AI score 6.9 · EPSS 0.00759
Exploits 0 · References 10