116 matches found
Mozilla Firefox security vulnerability
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox versions prior to 138, which stems from mishandling of the javascript: URI, which could lead to a sandbox escape...
CVE-2025-30196
Jenkins AnchorChain Plugin 1.0 does not limit URL schemes for links it creates based on workspace content, allowing the javascript: scheme, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control the input file for the Anchor Chain post-build step...
CVE-2024-56359
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning, for example, Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context...
CVE-2024-56357 Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the javascript: scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1...
PT-2024-36799 · Unknown · Grist-Core
Name of the Vulnerable Software and Affected Versions: grist-core versions prior to 1.3.1 Description: A user visiting a malicious document or submitting a malicious form could have their account compromised due to the ability to use the javascript: scheme with custom widget URLs and form redirec...
PT-2024-36801 · Unknown · Grist-Core
Name of the Vulnerable Software and Affected Versions: grist-core versions prior to 1.3.2 Description: The issue arises when a user visits a malicious document and clicks on a link in a HyperLink cell using a control modifier, such as Ctrl+click. This could lead to account compromise, as the link...
GHSA-WW7P-8GFG-V82R Scrypted Cross-site Scripting vulnerability
Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior (corresponding to @scrypted/core 0.1.142 and prior), a reflected cross-site scripting vulnerability exists in the login page via the redirect_uri parameter. By specifying a URL with the javascript scheme...
PT-2024-23307
Name of the Vulnerable Software and Affected Versions: Typebot versions prior to 2.24.0 Description: A reflected cross-site scripting (XSS) issue in the sign-in page of typebot.io may allow an attacker to hijack a user's account. The sign-in page takes the redirectPath parameter from the URL. If a us...
Mozilla Focus security vulnerability
Mozilla Focus is a browser for iOS devices from the Mozilla Foundation. A code execution vulnerability exists in Mozilla Focus for iOS due to a race condition when using a javascript: URI with setTimeout. An attacker can exploit the vulnerability to execute arbitrary code on the system...
PT-2024-15683 · Facebook · Focus
Name of the Vulnerable Software and Affected Versions: Focus for iOS versions prior to 122 Description: The issue allows an attacker to execute unauthorized scripts on top origin sites in the urlbar by using a javascript: URI with a setTimeout race condition. This bypasses security measures,...
Cross site scripting
Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the login page via the redirect_uri parameter. By specifying a URL with the javascript scheme (javascript:), an attacker can run arbitrary JavaScript...
CVE-2023-47623
CVE-2023-47623 corresponds to a reflected cross-site scripting (XSS) vulnerability in the Scrypted platform. The issue affects versions 0.55.0 and prior, occurring in the login flow via the redirect_uri parameter (and related login page handling). An attacker can supply a javascript: URL to execu...
@udecode/plate-link does not sanitize URLs to prevent use of the `javascript:` scheme
Impact: Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the javascript: scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. Patches...
GHSA-9W8X-5HV5-R6GW Cross Site Scripting in usememos/memos
All versions of the package github.com/usememos/memos/server prior to 0.11.0 are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme...
SUSE CVE-2013-6044
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other vulnerabilities into Django applications that use this function, a...
CVE-2022-25978
All versions of the package github.com/usememos/memos/server are vulnerable to Cross-site Scripting (XSS) due to insufficient checks on external resources, which allows malicious actors to introduce links starting with a javascript: scheme...
SUSE CVE-2017-5118
Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Linux, and 61.0.3163.81 for Android, failed to correctly propagate CSP restrictions to javascript scheme pages, which allowed a remote attacker to bypass content security policy via a crafted HTML page...