
36 matches found

ATTACKERKB
added 2022/06/03 6:15 a.m., 2 views

CVE-2022-32269

In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core. This leads to arbitrary code execution...

9.8 CVSS | 5.8 AI score | 0.01185 EPSS
Exploits: 1 | References: 3

OSV
added 2020/12/04 8:4 p.m., 1 views

GHSA-5P28-63MC-CGR9 Cross-Site Scripting bypass in html-purify

All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. No fix is currently available. Consider using an alternative package until a fix is made available...

5.2 AI score
Exploits: 0 | References: 1

Node.js
added 2020/12/04 5:44 p.m., 38 views

Cross-Site Scripting bypass

Overview: All versions of html-purify are vulnerable to cross-site scripting. The data attribute inside of object tags is not properly sanitized and allows javascript URIs leading to code execution. Recommendation: No fix is currently available. Consider using an alternative package until a fix is...

6.6 AI score
Exploits: 0 | Affected Software: 1

NVD
added 2019/09/27 6:15 p.m., 11 views

CVE-2019-11738

If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox 6...

6.8 CVSS | 5.9 AI score | 0.00585 EPSS
Exploits: 3 | References: 5

Prion
added 2019/09/27 6:15 p.m., 22 views

Input validation

If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox 6...

6.8 CVSS | 6.7 AI score | 0.00585 EPSS
Exploits: 3 | References: 5 | Affected Software: 3

RedHat Linux
added 2019/09/04 8:14 p.m., 0 views

Mozilla: Content security policy bypass through hash-based sources in directives

If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox 6...

6.8 CVSS | 7.4 AI score | 0.00585 EPSS
Exploits: 3 | References: 5

UbuntuCve
added 2019/09/04 12:0 a.m., 22 views

CVE-2019-11738

If a Content Security Policy (CSP) directive is defined that uses a hash-based source that takes the empty string as input, execution of any javascript: URIs will be allowed. This could allow for malicious JavaScript content to be run, bypassing CSP permissions. This vulnerability affects Firefox 6...

6.8 CVSS | 7 AI score | 0.00585 EPSS
Exploits: 3 | References: 3

Hacker One
added 2018/08/16 9:28 a.m., 228 views

Node.js: url.parse() hostname spoofing via javascript: URIs

Summary: Using url.parse in security sensitive checks is dangerous as an arbitrary hostname can be spoofed via javascript: URIs. Description: The original url.parse API is dangerous as it allows to spoof an arbitrary hostname via a javascript: URI: bash $ node -e...

6.5 AI score
Exploits: 0

OSV
added 2017/10/24 6:33 p.m., 15 views

GHSA-Q4QQ-FM7Q-CWP5 Multiple XSS Filter Bypasses in validator

Versions of validator prior to 1.1.0 are affected by several cross-site scripting vulnerabilities due to bypasses discovered in the blacklist-based filter. Proof of Concept Various inputs that could bypass the filter were discovered: Improper parsing of nested tags: This is a test Incomplete...

6.1 CVSS | 6.3 AI score | 0.00482 EPSS
Exploits: 0 | References: 6

Hacker One
added 2016/04/18 7:29 p.m., 26 views

Slack: Stored XSS on team.slack.com using new Markdown editor of posts inside the Editing mode and using javascript-URIs

Hi, I noticed while looking at an old article I made a while ago that some links were actually inserted as javascript:-links. Doing some modifications to these actually revealed that inside editing mode, no protection is added for getting arbitrary scripts to run. This means that by catching the...

Exploits: 0

Tenable Nessus
added 2011/10/26 12:0 a.m., 52 views

Google Chrome < 15.0.874.102 Multiple Vulnerabilities

Binary data 6050.pasl...

4.3 CVSS | 6.7 AI score | 0.0053 EPSS
Exploits: 0 | References: 2

OSV
added 2009/08/31 4:30 p.m., 7 views

CVE-2009-3015

QtWeb 3.0 Builds 001 and 003 does not properly block javascript: and data: URIs in Refresh and Location headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2)...

5.8 AI score
Exploits: 0 | References: 2

OpenVAS
added 2009/07/09 12:0 a.m., 22 views

Microsoft Internet Explorer XSS Vulnerability - July09

The host is installed with Internet Explorer and is prone to Cross-Site Scripting vulnerability. OpenVAS Vulnerability Test $Id: gbmsiexssvulnjul09.nasl 6527 2017-07-05 05:56:34Z cfischer $ Microsoft Internet Explorer XSS Vulnerability - July09 Authors: Nikita MR Copyright: Copyright c 2009...

4.3 CVSS | 6.4 AI score | 0.13287 EPSS
Exploits: 1 | References: 3

OpenVAS
added 2009/07/09 12:0 a.m., 22 views

Google Chrome Cross-Site Scripting Vulnerability - July09

This host has Google Chrome installed and is prone to Cross-Site Scripting vulnerability. OpenVAS Vulnerability Test $Id: gbgooglechromexssvulnjul09.nasl 4869 2016-12-29 11:01:45Z teissa $ Google Chrome Cross-Site Scripting Vulnerability - July09 Authors: Sharath S Copyright: Copyright c 2009...

4.3 CVSS | 6.4 AI score | 0.00909 EPSS
Exploits: 1 | References: 3

Cvelist
added 2009/07/07 11:0 p.m., 24 views

CVE-2009-2352

Google Chrome 1.0.154.48 and earlier does not block javascript: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header or (2) specifying the content of a Refresh header, a related issue...

8.7 AI score | 0.00909 EPSS
Exploits: 1 | References: 5

Tenable Nessus
added 2009/05/11 12:0 a.m., 37 views

Debian DSA-1797-1 : xulrunner - several vulnerabilities

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-0652 Moxie Marlinspike discovered that Unicode box drawi...

6.8 CVSS | 8.1 AI score | 0.06664 EPSS
Exploits: 5 | References: 22