288 matches found
CVE-2020-36844
The KnowBe4 Security Awareness Training application before 2020-01-10 allows reflected XSS. The response has a SCRIPT element that sets window.location.href to a JavaScript URL...
GHSA-J386-3444-QGWG Trix allows Cross-site Scripting via `javascript:` url in a link
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. Impact An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute arbitrary JavaScript code within the context of the user's session,...
Trix allows Cross-site Scripting via `javascript:` url in a link
The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. Impact An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute arbitrary JavaScript code within the context of the user's session,...
CVE-2025-21610 Trix allows Cross-site Scripting via `javascript:` url in a link
Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute...
CVE-2025-21610 Trix allows Cross-site Scripting via `javascript:` url in a link
Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious javascript: URL as a link that would execute...
PT-2025-4298 · Trix · Trix
Name of the Vulnerable Software and Affected Versions: Trix editor versions prior to 2.1.12 Description: Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. The issue arises when pasting malicious code in the link field, allowing an attacker to trick the user into copyin...
jsoup: The jsoup cleaner may incorrectly sanitize crafted XSS attempts if SafeList.preserveRelativeLinks is enabled
A flaw was found in jsoup, a Java HTML parser built for HTML editing, cleaning, scraping, and Cross-site scripting XSS safety. An issue in jsoup may incorrectly sanitize HTML, including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the...
Mozilla Firefox for iOS Security Bypass Vulnerability (CNVD-2024-25613)
Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security bypass vulnerability exists in Mozilla Firefox for iOS due to a Javascript URL being loaded when dragging to the address bar. An attacker can exploit the vulnerability to bypass restrictions...
CVE-2024-31393
This CVE (CVE-2024-31393) affects Mozilla Firefox for iOS prior to version 124. The issue stems from insufficient input validation when dragging Javascript URLs into the address bar, which could cause the URL to load and bypass certain security protections. Affected component is the address bar h...
CVE-2024-31393
Dragging Javascript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections This vulnerability affects Firefox for iOS 124...
Code injection
Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As th...
CVE-2024-27087 Kirby cross-site scripting (XSS) in the link field "Custom" type
Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As th...
PT-2024-21639 · Kirby · Kirby
Name of the Vulnerable Software and Affected Versions: Kirby versions prior to 4.1.1 Description: Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a...
PT-2024-21398 · Kirby Cms · Kirby Cms
Name of the Vulnerable Software and Affected Versions: Kirby CMS version 4.1.0 Description: A reflected self-XSS vulnerability was discovered in Kirby CMS via the URL parameter. This issue can be exploited when a user is tricked into executing malicious JavaScript code within their own context,...
Cross-site Scripting (XSS)
github.com/greenpau/caddy-security is vulnerable to Cross-site Scripting XSS via the Referer header. The vulnerability is due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for an attack...
GHSA-FF72-FF42-C3GW Cross-site Scripting in github.com/greenpau/caddy-security
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...
Cross-site Scripting in github.com/greenpau/caddy-security
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...
CVE-2024-21496
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...
CVE-2024-21496
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...
Cross site scripting
All versions of the package github.com/greenpau/caddy-security are vulnerable to Cross-site Scripting XSS via the Referer header, due to improper input sanitization. Although the Referer header is sanitized by escaping some characters that can allow XSS e.g., &, , ", ', it does not account for th...