CVE-2019-17003

Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed...

SUSE CVE-2005-1153

Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option...

SUSE CVE-2006-2785

Cross-site scripting XSS vulnerability in Mozilla Firefox before 1.5.0.4 allows user-assisted remote attackers to inject arbitrary web script or HTML by tricking a user into 1 performing a "View Image" on a broken image in which the SRC attribute contains a Javascript URL, or 2 selecting "Show on...

SUSE CVE-2007-0047

CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the...

SUSE CVE-2010-0178

Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL an...

SUSE CVE-2012-4751

Cross-site scripting XSS vulnerability in Open Ticket Request System OTRS Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC...

SUSE CVE-2016-1958

browser/base/content/browser.js in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to spoof the address bar via a javascript: URL...

SUSE CVE-2016-5226

Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac executed javascript: URLs entered in the URL bar in the context of the current tab, which allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar...

SUSE CVE-2017-5420

A "javascript:" url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the addressbar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly. This vulnerability affects Firefox 52...

SUSE CVE-2017-5458

When a "javascript:" URL is drag and dropped by a user into the addressbar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves. This vulnerability affects Firefox 53...

SUSE CVE-2017-7839

Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting self-XSS attacks where users are...

SUSE CVE-2018-5143

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting XSS attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially...

SUSE CVE-2020-6808

When a JavaScript URL javascript: is evaluated and the result is a string, this string is parsed to create an HTML document, which is then presented. Previously, this document's URL as reported by the document.location property, for example was the originating javascript: URL which could lead to...

PT-2022-23993 · Silverstripe · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: Silverstripe silverstripe/framework versions through 4.11 Description: The issue allows for XSS via a JavaScript payload to the href attribute of a link by splitting a javascript URL with white space characters. A malicious content author cou...

Mozilla: CSP sandbox header without `allow-scripts` can be bypassed via retargeted javascript: URI

The Mozilla Foundation Security Advisory describes this flaw as: An iframe that was not permitted to run scripts could do so if the user clicked on a javascript: link...

xss filter bypass

Description xss check bypass Proof of Concept i see you you fixed https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/ by using if !empty$this-web && !filtervar$this-web, FILTERVALIDATEURL .\ But this can be bypassed easily and cause xss .\ FILTERVALIDATEURL can be bypassed using url...

CVE-2022-29532

An issue was discovered in MISP before 2.4.158. There is XSS in the cerebrate view if one administrator puts a javascript: URL in the URL field, and another administrator clicks on it...

PT-2022-19682 · Misp · Misp

Name of the Vulnerable Software and Affected Versions: MISP versions prior to 2.4.158 Description: The issue is related to a Cross-Site Scripting XSS vulnerability in the cerebrate view. This occurs when one administrator enters a javascript: URL in the URL field, and another administrator clicks...

CVE-2022-24723 Improper Input Validation in URI.js

URI.js is a Javascript URL mutation library. Before version 1.19.9, whitespace characters are not removed from the beginning of the protocol, so URLs are not parsed properly. This issue has been patched in version 1.19.9. Removing leading whitespace from values before passing them to URI.parse ca...

CVE-2022-25256

SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfsrequestbacklabellist and saspfsrequestbackurllist. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing...