Lucene search

288 matches found

Vulnrichment
added 2024/02/17 5:0 a.m. · 14 views

CVE-2024-21496

All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...

6.1 CVSS · 5.5 AI score · 0.00576 EPSS
Exploits: 1 · References: 3
Cvelist
added 2024/02/17 5:0 a.m. · 20 views

CVE-2024-21496

All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...

6.1 CVSS · 6 AI score · 0.00576 EPSS
Exploits: 1 · References: 3
Positive Technologies
added 2024/02/16 12:0 a.m. · 5 views

PT-2024-18911 · Unknown · Caddy-Security

Name of the Vulnerable Software and Affected Versions: github.com/greenpau/caddy-security versions all
Description: The issue is related to Cross-site Scripting (XSS) via the Referer header, caused by improper input sanitization. Although some characters are escaped to prevent XSS, the sanitization...

6.1 CVSS · 5.8 AI score · 0.00576 EPSS
Exploits: 1 · References: 9
Imperva Blog
added 2024/02/15 4:22 p.m. · 23 views

Hacking Microsoft and Wix with Keyboard Shortcuts

Browser vendors continuously tweak and refine browser functionalities to improve security. Implementing same-site cookies is a prime example of vendors’ efforts to mitigate Cross-Site Request Forgery (CSRF) attacks. However, not all security measures are foolproof. In their quest to combat Cross-Si...

6.6 AI score
Exploits: 0
OSV
added 2023/11/21 3:15 p.m. · 1 views

CVE-2023-6210

When an https: web page created a pop-up from a "javascript:" URL, that pop-up was incorrectly allowed to load blockable content such as iframes from insecure http: URLs. This vulnerability affects Firefox 120...

6.5 CVSS · 5.8 AI score · 0.00614 EPSS
Exploits: 0 · References: 3
Snyk
added 2023/09/18 1:49 p.m. · 1 views

Cross-site Scripting (XSS)

Overview: github.com/greenpau/caddy-security is a Security App and Plugin for Caddy v2. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that...

6.1 CVSS · 5.9 AI score · 0.00576 EPSS
Exploits: 1 · References: 2
CNNVD
added 2023/06/29 12:0 a.m. · 4 views

MediaWiki Cross-Site Scripting Vulnerability

MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. The product can be used to deploy internal knowledge management and content management systems. A security vulnerability exists in MediaWiki version 1.39.3, which stems from an issue discovered...

6.1 CVSS · 6.2 AI score · 0.00351 EPSS
Exploits: 0 · References: 2
CVE
added 2023/06/29 12:0 a.m. · 51 views

CVE-2023-37256

CVE-2023-37256 affects the MediaWiki Cargo extension up to 1.39.3, which permits storing javascript: URLs in URL fields and automatically linking them. Public details in connected advisories indicate remediation via upgrading MediaWiki to 1.39.5 or later (and 1.40.x to 1.40.1 or later). Exploitat...

6.1 CVSS · 6.2 AI score · 0.00408 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
NVD
added 2023/02/16 10:15 p.m. · 34 views

CVE-2019-17003

Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed...

6.1 CVSS · 6.3 AI score · 0.00411 EPSS
Exploits: 1 · References: 1
SUSE CVE
added 2023/02/15 6:18 a.m. · 3 views

SUSE CVE-2005-1153

Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option...

7.5 CVSS · 7.8 AI score · 0.03589 EPSS
Exploits: 0 · References: 4
SUSE CVE
added 2023/02/15 6:15 a.m. · 3 views

SUSE CVE-2006-2785

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 1.5.0.4 allows user-assisted remote attackers to inject arbitrary web script or HTML by tricking a user into (1) performing a "View Image" on a broken image in which the SRC attribute contains a Javascript URL, or (2) selecting "Show on...

4.3 CVSS · 7.5 AI score · 0.01519 EPSS
Exploits: 0 · References: 4
SUSE CVE
added 2023/02/15 6:13 a.m. · 2 views

SUSE CVE-2007-0047

CRLF injection vulnerability in Adobe Acrobat Reader Plugin before 8.0.0, when used with the Microsoft.XMLHTTP ActiveX object in Internet Explorer, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the javascript: URI in the...

6.8 CVSS · 7.5 AI score · 0.08802 EPSS
Exploits: 0 · References: 4
SUSE CVE
added 2023/02/15 6:0 a.m. · 2 views

SUSE CVE-2010-0178

Mozilla Firefox before 3.0.19, 3.5.x before 3.5.9, and 3.6.x before 3.6.2, and SeaMonkey before 2.0.4, does not prevent applets from interpreting mouse clicks as drag-and-drop actions, which allows remote attackers to execute arbitrary JavaScript with Chrome privileges by loading a chrome: URL an...

7.6 CVSS · 9.2 AI score · 0.03403 EPSS
Exploits: 1 · References: 6
SUSE CVE
added 2023/02/15 5:44 a.m. · 2 views

SUSE CVE-2012-4751

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x before 3.0.17, and 3.1.x before 3.1.11 allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with whitespace before a javascript: URL in the SRC...

4.3 CVSS · 6 AI score · 0.05792 EPSS
Exploits: 2 · References: 3
SUSE CVE
added 2023/02/15 5:7 a.m. · 2 views

SUSE CVE-2016-1958

browser/base/content/browser.js in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to spoof the address bar via a javascript: URL...

4.3 CVSS · 6.8 AI score · 0.02235 EPSS
Exploits: 0 · References: 11
SUSE CVE
added 2023/02/15 5:1 a.m. · 2 views

SUSE CVE-2016-5226

Blink in Google Chrome prior to 55.0.2883.75 for Linux, Windows and Mac executed javascript: URLs entered in the URL bar in the context of the current tab, which allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar...

6.1 CVSS · 8.6 AI score · 0.00737 EPSS
Exploits: 0 · References: 5
SUSE CVE
added 2023/02/15 4:50 a.m. · 2 views

SUSE CVE-2017-5420

A "javascript:" url loaded by a malicious page can obfuscate its location by blanking the URL displayed in the addressbar, allowing for an attacker to spoof an existing page without the malicious page's address being displayed correctly. This vulnerability affects Firefox 52...

6.5 CVSS · 6.2 AI score · 0.01294 EPSS
Exploits: 1 · References: 6
SUSE CVE
added 2023/02/15 4:50 a.m. · 2 views

SUSE CVE-2017-5458

When a "javascript:" URL is drag and dropped by a user into the addressbar, the URL will be processed and executed. This allows for users to be socially engineered to execute an XSS attack on themselves. This vulnerability affects Firefox 53...

6.1 CVSS · 8.1 AI score · 0.01425 EPSS
Exploits: 1 · References: 5
SUSE CVE
added 2023/02/15 4:46 a.m. · 2 views

SUSE CVE-2017-7839

Control characters prepended before "javascript:" URLs pasted in the addressbar can cause the leading characters to be ignored and the pasted JavaScript to be executed instead of being blocked. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks where users are...

6.1 CVSS · 8.3 AI score · 0.01143 EPSS
Exploits: 0 · References: 4
SUSE CVE
added 2023/02/15 4:32 a.m. · 2 views

SUSE CVE-2018-5143

URLs using "javascript:" have the protocol removed when pasted into the addressbar to protect users from cross-site scripting (XSS) attacks, but if a tab character is embedded in the "javascript:" URL the protocol is not removed and the script will execute. This could allow users to be socially...

6.1 CVSS · 7.3 AI score · 0.00938 EPSS
Exploits: 0 · References: 4