17 matches found

Snyk · added 2026/04/03 3:45 a.m. · 5 views

Prototype Pollution

Overview: dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Prototype Pollution in the USE_PROFILES function. An attacker can execute arbitrary JavaScript code in the context of the user's browser by polluting Array.prototype with...

CVSS 6.1 · AI score 6.5
Exploits 0 · References 2
OSV · added 2026/04/03 3:45 a.m. · 1 views

GHSA-CJ63-JHHR-WCXV DOMPurify USE_PROFILES prototype pollution allows event handlers

Summary: When USE_PROFILES is enabled, DOMPurify rebuilds ALLOWED_ATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWED_ATTR[lcName], any Array.prototype property that is polluted also counts as an allowlisted attribute. An...

CVSS 5.3 · AI score 5.9
Exploits 0 · References 3
OSV · added 2024/09/26 8:15 a.m. · 1 views

CVE-2024-8861

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.9.3.2 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 5
Positive Technologies · added 2024/09/26 12:00 a.m. · 2 views

PT-2024-39279 · WordPress · Profilegrid

Name of the Vulnerable Software and Affected Versions: ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.3.2. Description: The issue is related to Stored Cross-Site Scripting due to the incorrect use of the wp_kses_allowed_html function. Th...

CVSS 6.4 · AI score 6.1 · EPSS 0.00256
Exploits 0 · References 11
CNNVD · added 2024/09/26 12:00 a.m. · 2 views

WordPress plugin ProfileGrid cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.4 · AI score 6 · EPSS 0.00256
Exploits 0 · References 6
OSV · added 2024/09/25 1:15 a.m. · 0 views

CVE-2024-8914

The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for...

CVSS 7.2 · AI score 6 · EPSS 0.00603
Exploits 0 · References 3
NVD · added 2024/05/02 5:15 p.m. · 8 views

CVE-2024-1805

The wpbakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or...

CVSS 6.4 · AI score 5.8 · EPSS 0.00196
Exploits 0 · References 2
SUSE CVE · added 2023/02/15 3:59 a.m. · 1 views

SUSE CVE-2020-11888

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...

CVSS 6.1 · AI score 5.9 · EPSS 0.0065
Exploits 1 · References 5
Github Security Blog · added 2020/04/22 8:59 p.m. · 54 views

XSS in python-markdown2

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...

CVSS 6.1 · AI score 2.4 · EPSS 0.0065
Exploits 1 · References 9 · Affected Software 1
OSV · added 2020/04/22 8:59 p.m. · 1 views

GHSA-FV3H-8X5J-PVGQ XSS in python-markdown2

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...

CVSS 6.1 · AI score 6.3 · EPSS 0.0065
Exploits 1 · References 9
OSV · added 2020/04/20 4:15 p.m. · 0 views

PYSEC-2020-65

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...

CVSS 6.1 · AI score 5.8 · EPSS 0.0065
Exploits 1 · References 7
OSV · added 2020/04/20 4:15 p.m. · 0 views

UBUNTU-CVE-2020-11888

python-markdown2 through 2.3.8 allows XSS because element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute...

CVSS 6.1 · AI score 5.8 · EPSS 0.0065
Exploits 1 · References 3
OSV · added 2018/10/16 7:34 p.m. · 12 views

GHSA-5C66-X4WM-RJFX Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN)

Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element...

CVSS 5.4 · AI score 5 · EPSS 0.00227
Exploits 0 · References 4
Positive Technologies · added 2017/12/29 12:00 a.m. · 1 views

PT-2017-15133 · Dolibarr · Dolibarr Erp/Crm

Name of the Vulnerable Software and Affected Versions: Dolibarr ERP/CRM version 6.0.4. Description: The issue concerns the test_sql_and_script_inject function in htdocs/main.inc.php, which fails to block certain event attributes, specifically onclick and onscroll, allowing for cross-site scripting...

CVSS 6.1 · AI score 5.8 · EPSS 0.00199
Exploits 1 · References 9
OSV · added 2016/08/31 2:59 p.m. · 0 views

CVE-2016-7119

Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 2
NVD · added 2016/08/31 2:59 p.m. · 14 views

CVE-2016-7119

Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element...

CVSS 5.4 · AI score 5.1 · EPSS 0.00227
Exploits 0 · References 2
Prion · added 2016/08/31 2:59 p.m. · 18 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in the user-profile biography section in DotNetNuke (DNN) before 8.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted onclick attribute in an IMG element...

CVSS 3.5 · AI score 5.6 · EPSS 0.00227
Exploits 0 · References 2 · Affected Software 1