5935 matches found

RedHat Linux
added 2017/06/06 7:33 p.m. | 3 views

chromium-browser: inappropriate javascript execution on webui pages

Inappropriate implementation in Bookmarks in Google Chrome prior to 59 for iOS allowed a remote attacker who convinced the user to perform certain operations to run JavaScript on chrome:// pages via a crafted bookmark...

CVSS 6.1 | AI score 7.4 | EPSS 0.01064
Exploits: 0 | References: 5

Google Chrome Security Advisories
added 2017/06/05 12:0 a.m. | 38 views

Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 59 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks. Chrome 59.0.3071.86 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming...

CVSS 8.8 | AI score 8.8 | EPSS 0.31212
Exploits: 1 | Affected Software: 1

CNVD
added 2017/06/02 12:0 a.m. | 3 views

Hitachi Device Manager and Replication Manager Cross-Site Scripting Vulnerability

Hitachi Device Manager and Replication Manager are both products of Hitachi, Japan. Hitachi Device Manager is software that manages multiple Hitachi storage systems from a single console and provides logical view capabilities to align storage assets with business applications. Replication Manager ...

CVSS 5.4 | AI score 6.6 | EPSS 0.00609
Exploits: 0 | References: 1

OSV
added 2017/05/29 6:29 p.m. | 3 views

CVE-2017-9298

Cross-site scripting vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitachi Replication Manager before 8.5.2-00 allows authenticated remote users to execute arbitrary JavaScript code...

CVSS 5.4 | AI score 6 | EPSS 0.00609
Exploits: 0 | References: 1

CNVD
added 2017/05/17 12:0 a.m. | 4 views

Tenable Network Security Nessus Cross-Site Scripting Vulnerability

Tenable Network Security Nessus is a highly scalable open source vulnerability scanner from Tenable Network Security, USA. A cross-site scripting vulnerability exists in Tenable Network Security Nessus. A remote attacker can exploit this vulnerability to execute arbitrary JavaScript in the current...

CVSS 5.4 | AI score 6.7 | EPSS 0.00775
Exploits: 0 | References: 1

OSV
added 2017/04/05 4:59 p.m. | 3 views

CVE-2017-6340

Trend Micro InterScan Web Security Virtual Appliance IWSVA 6.5 before CP 1746 does not sanitize a rest/commonlog/report/template name field, which allows a 'Reports Only' user to inject malicious JavaScript while creating a new report. Additionally, IWSVA implements incorrect access control that...

CVSS 5.4 | AI score 5.8 | EPSS 0.02465
Exploits: 5 | References: 3

OSV
added 2017/03/23 6:59 a.m. | 4 views

CVE-2016-9169

A reflected XSS vulnerability exists in the web console of the Document Viewer Agent in Novell GroupWise before 2014 R2 Support Pack 1 Hot Patch 2 that may enable a remote attacker to execute JavaScript in the context of a valid user's browser session by getting the user to click on a specially...

CVSS 6.1 | AI score 5.9 | EPSS 0.00854
Exploits: 0 | References: 2

Prion
added 2017/03/23 6:59 a.m. | 16 views

Cross site scripting

A reflected XSS vulnerability exists in the web console of the Document Viewer Agent in Novell GroupWise before 2014 R2 Support Pack 1 Hot Patch 2 that may enable a remote attacker to execute JavaScript in the context of a valid user's browser session by getting the user to click on a specially...

CVSS 4.3 | AI score 6.4 | EPSS 0.00854
Exploits: 0 | References: 2 | Affected Software: 1

Node.js
added 2017/03/08 11:27 p.m. | 48 views

XSS in Data URI

Overview: Affected versions of remarkable are vulnerable to cross-site scripting. Vulnerable versions of the package allow the use of data: URIs in links, and can therefore execute JavaScript. Proof of Concept: link. Recommendation: Update to v1.7.0 or later. References: Issue 227, GitHub Advisory...

CVSS 4.3 | AI score 4.7 | EPSS 0.00977
Exploits: 1 | Affected Software: 1

NVD
added 2017/01/24 7:59 a.m. | 21 views

CVE-2017-2929

Adobe Acrobat Chrome extension version 15.1.0.3 and earlier have a DOM-based cross-site scripting vulnerability. Successful exploitation could lead to JavaScript code execution...

CVSS 6.1 | AI score 6 | EPSS 0.04009
Exploits: 0 | References: 3

CNVD
added 2017/01/20 12:0 a.m. | 2 views

Drupal Autocomplete Deluxe Module Cross-Site Scripting Vulnerability

Drupal is a free, open source content management system developed in PHP and maintained by the Drupal community. Autocomplete Deluxe is a module based on jQuery UI autocomplete that creates a new widget for the classification field. A cross-site scripting vulnerability...

AI score 6.8
Exploits: 0 | References: 1

UbuntuCve
added 2016/12/23 10:59 p.m. | 19 views

CVE-2016-7967

KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled...

CVSS 8.1 | AI score 7.2 | EPSS 0.0192
Exploits: 0 | References: 3

RedHat Linux
added 2016/12/21 10:0 a.m. | 5 views

Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVSS 9.8 | AI score 7.3 | EPSS 0.02916
Exploits: 0 | References: 5

OSV
added 2016/12/15 6:59 a.m. | 3 views

CVE-2016-5740

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's location, will be presented to the user at the E-Mail App, depending on the invitation workflow. Th...

CVSS 6.1 | AI score 5.8 | EPSS 0.04274
Exploits: 4 | References: 4

RedHat Linux
added 2016/12/14 10:1 a.m. | 6 views

Mozilla: Data from Pocket server improperly sanitized before execution (MFSA 2016-94, MFSA 2016-95)

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVSS 9.8 | AI score 7.3 | EPSS 0.02916
Exploits: 0 | References: 5

RedhatCVE
added 2016/12/14 4:47 a.m. | 36 views

CVE-2016-9901

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVSS 9.8 | AI score 1.7 | EPSS 0.02916
Exploits: 0 | References: 2

UbuntuCve
added 2016/12/13 12:0 a.m. | 18 views

CVE-2016-9901

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVSS 9.8 | AI score 7.2 | EPSS 0.02916
Exploits: 0 | References: 3

OSV
added 2016/12/13 12:0 a.m. | 2 views

UBUNTU-CVE-2016-9901

HTML tags received from the Pocket server will be processed without sanitization and any JavaScript code executed will be run in the "about:pocket-saved" unprivileged page, giving it access to Pocket's messaging API through HTML injection. This vulnerability affects Firefox ESR 45.6 and Firefox...

CVSS 9.8 | AI score 7.3 | EPSS 0.02916
Exploits: 0 | References: 4

Hacker One
added 2016/11/02 5:6 p.m. | 72 views

WordPress: XSS via unicode characters in upload filename

WordPress has a vulnerability that could lead to JavaScript execution and thus privilege escalation via an admin visiting the wrong page via specially crafted JavaScript. Unicode characters are escaped by JavaScript but they are not escaped server-side. I've checked the latest version 4.6.1 at th...

CVSS 3.5 | AI score 0.6 | EPSS 0.02092
Exploits: 0

CNVD
added 2016/10/28 12:0 a.m. | 4 views

Yandex Browser for desktop Yandex Browser Translator Cross-Site Scripting Vulnerability

Yandex Browser for desktop is a desktop browser from the Russian company Yandex. Yandex Browser Translator is one of the translation applications. A cross-site scripting vulnerability exists in Yandex Browser Translator in Yandex Browser for desktop versions 15.12 through 16.2. A remote attacker c...

CVSS 6.1 | AI score 6.6 | EPSS 0.0085
Exploits: 0 | References: 1