SUSE CVE-2016-11071
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place...
GO-2025-4058 Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener` in github.com/mattermost/mattermost-server
Mattermost Server is vulnerable to XSS through lack of link relationship attributes noreferrer and noopener in github.com/mattermost/mattermost-server...
Reverse Tabnabbing
hfs is vulnerable to reverse tabnabbing. The vulnerability is due to missing rel="noopener noreferrer" when opening web links with target="_blank", which allows an attacker to manipulate the original HFS tab via the window.opener property...
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
Summary When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab. Details While most modern...
CVE-2016-11071
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place...
DOMPurify Open Redirect vulnerability
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute...
UBUNTU-CVE-2019-25155
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute...
saraivaconsultoriaimoveis.com.br Cross Site Scripting vulnerability OBB-3107740
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
cnrgroupcompany.com Cross Site Scripting vulnerability OBB-2970898
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
SUSE SLED15 / SLES15 Security Update : MozillaThunderbird (SUSE-SU-2022:3281-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3281-1 advisory. - If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes o...
Tabnabbing via window.opener [bookwyrm.social]
Description: 1. Hello @bookwyrm-social I found a tabnabbing vulnerability. Attack is possible due to target=_blank or tabnabbing via window.opener. VISIT:- https://bookwyrm.social/ SUMMARY: 1. I was browsing the site and found a tabnabbing vulnerability. As per the observation I found that attack...
Cross-site Scripting (XSS)
Overview github.com/mattermost/mattermost-server is an open source Slack-alternative in Golang and React. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the lack of noreferrer and noopener link relationship attributes. An attacker can execute arbitrary scripts in...
Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place...
GHSA-H3QG-W9J5-WH3M Mattermost Server is vulnerable to XSS through lack of link relationship attributes `noreferrer` and `noopener`
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place...
GHSA-5P4H-3377-7W67 golang.org/x/net/html NULL Pointer Dereference vulnerability
The html package aka x/net/html before 2018-07-13 in Go mishandles "in frameset" insertion mode, leading to a "panic: runtime error" for html.Parse of , , or . This is related to HTMLTreeBuilder.cpp in WebKit...
GHSA-X95H-979X-CF3J Policies not properly enforced in bluemonday
The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Python in pybluemonday, does not properly enforce policies associated with the SELECT, STYLE, and OPTION elements...
Design/Logic Flaw
An issue was discovered in Mattermost Server before 3.1.0. It allows XSS because the noreferrer and noopener protection mechanisms were not in place...
CVE-2016-11071
Mattermost Server (before 3.1.0) is vulnerable to XSS via missing noreferrer and noopener link-rel protection. The root cause is failure to apply proper link relationship attributes, enabling malicious scripts when users click crafted links. Remediation: upgrade github.com/mattermost/mattermost-s...