258 matches found
Lessons Learned From Exposing Unusual XSS Vulnerabilities
Misunderstood browser APIs are often at the core of many web security issues. With the rapid expansion of web APIs, keeping up with security best practices can be challenging. In this post, we’ll explore a few common mistakes developers make that lead to modern XSS Cross-Site Scripting...
CVE-2024-33905
In Telegram WebK before 2.0.0 488, a crafted Mini Web App allows XSS via the postMessage webappopenlink event type...
CVE-2024-33905
In Telegram WebK before 2.0.0 488, a crafted Mini Web App allows XSS via the postMessage webappopenlink event type...
CVE-2024-33905
In Telegram WebK before 2.0.0 488, a crafted Mini Web App allows XSS via the postMessage webappopenlink event type...
CVE-2024-33905
Telegram WebK before 2.0.0 is affected by an XSS flaw in the Mini Web App via the postMessage web_app_open_link event. Root cause: crafted Mini Web Apps can inject scripts. Affected product: Telegram WebK, versions prior to 2.0.0 (488). Reported by multiple sources; exploitation details are not p...
CVE-2023-48679
Stored cross-site scripting XSS vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 Linux, Windows before build 37391...
Cross site scripting
Stored cross-site scripting XSS vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 Linux, Windows before build 37391...
CVE-2023-48679
Stored cross-site scripting XSS vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 Linux, Windows before build 37391...
CVE-2023-48679
Stored cross-site scripting XSS vulnerability due to missing origin validation in postMessage. The following products are affected: Acronis Cyber Protect 16 Linux, Windows before build 37391...
PT-2024-13620 · Acronis · Acronis Cyber Protect 16
Name of the Vulnerable Software and Affected Versions: Acronis Cyber Protect 16 versions before build 37391 Description: A stored cross-site scripting XSS issue exists due to missing origin validation in postMessage. This allows for potential exploitation. The estimated number of affected devices...
Acronis Cyber Protect Cross-Site Scripting Vulnerability
Acronis Cyber Protect is an all-in-one cyber protection solution for business and enterprise from Acronis Singapore. It combines backup, anti-malware, network security, and endpoint management features such as vulnerability assessment, URL filtering, patch management, and more. A cross-site...
CVE-2023-46252
Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting XSS vulnerability. The editor-sdk.js file defines three different class-like functions, which employ a global messa...
Cross site scripting
Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting XSS vulnerability. The editor-sdk.js file defines three different class-like functions, which employ a global messa...
CVE-2023-46252 Cross-Site Scripting (XSS) via postMessage Handler in Squidex
Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting XSS vulnerability. The editor-sdk.js file defines three different class-like functions, which employ a global messa...
CVE-2023-46252 Cross-Site Scripting (XSS) via postMessage Handler in Squidex
Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting XSS vulnerability. The editor-sdk.js file defines three different class-like functions, which employ a global messa...
Squidex Cross-Site Scripting Vulnerability
squidex is a Headless CMS and Content Management Center. A cross-site scripting vulnerability exists in Squidex version 7.8.2, which stems from a lack of raw validation in the postMessage handler, leading to a cross-site scripting XSS vulnerability...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource i.e. a locally accessible file or sensitive website, and registering a listener on the web...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource i.e. a locally accessible file or sensitive website, and registering a listener on the web...
Code injection
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource i.e. a locally accessible file or sensitive website, and registering a listener on the web...
CVE-2023-5718
The Vue.js Devtools extension was found to leak screenshot data back to a malicious web page via the standard postMessage API. By creating a malicious web page with an iFrame targeting a sensitive resource i.e. a locally accessible file or sensitive website, and registering a listener on the web...