
257 matches found

Github Security Blog
added 2021/11/15 5:40 p.m. · 26 views

Improper Verification of Communication Channel in @theia/plugin-ext

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...

CVSS 6.1 · AI score 4.2 · EPSS 0.00141
Exploits 1 · References 4 · Affected Software 1
OSV
added 2021/11/10 5:15 p.m. · 13 views

CVE-2021-41038

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...

CVSS 6.1 · AI score 6.7
Exploits 0 · References 2
NVD
added 2021/11/10 5:15 p.m. · 8 views

CVE-2021-41038

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...

CVSS 6.1 · EPSS 0.00141
Exploits 1 · References 2
Prion
added 2021/11/10 5:15 p.m. · 11 views

Code injection

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...

CVSS 4.3 · AI score 6.1 · EPSS 0.00141
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2021/11/10 5:05 p.m. · 15 views

CVE-2021-41038

In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage...

AI score 6.4 · EPSS 0.00141
Exploits 1 · References 2
CNNVD
added 2021/11/10 12:00 a.m. · 1 views

Eclipse Theia security vulnerability

Eclipse Theia is the Eclipse Foundation's set of open source IDE frameworks for desktop and web applications based on Visual Studio Code. A security vulnerability exists in the version of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, which originates from Webview content that...

CVSS 6.1 · AI score 6.2 · EPSS 0.00141
Exploits 1 · References 3
SonarSource Blog
added 2021/08/31 12:00 a.m. · 35 views

Ghost CMS 4.3.2 - Cross-Origin Admin Takeover

Ghost is one of the most popular Node.js-based Content Management Systems (CMS). According to the vendor, there are currently more than 2.5 million installs of it and the project has more than 38k stars on GitHub. During our research on open-source applications, we analyzed the code and found a...

CVSS 4.3 · AI score 6.9 · EPSS 0.57036
Exploits 1
Hacker One
added 2021/06/20 2:26 a.m. · 9 views

WordPress: wp-embed XSS on Safari

An XSS vulnerability was discovered in the open embed auto discovery function of WordPress. The vulnerability allowed an attacker to execute malicious JavaScript code by embedding a blog post on a victim's WordPress site. The vulnerability affected Safari browsers and potentially other browsers...

AI score 6.4
Exploits 0
OSV
added 2021/05/10 6:47 p.m. · 21 views

GHSA-6VWX-MWP8-FH44 Cross-site Scripting in reveal.js

Insufficient validation in cross-origin communication via postMessage in reveal.js version 3.9.1 and earlier allows attackers to perform cross-site scripting attacks...

CVSS 6.1 · AI score 5.9 · EPSS 0.00534
Exploits 1 · References 2
Kitploit
added 2021/04/25 12:30 p.m. · 53 views

Posta - Cross-document Messaging Security Research Tool

Posta is a tool for researching Cross-document Messaging communication. It allows you to track, explore and exploit postMessage vulnerabilities, and includes features such as replaying messages sent between windows within any attached browser. Prerequisites: Google Chrome / Chromium, Node.js option...

AI score 7.2
Exploits 0 · References 3
Positive Technologies
added 2021/02/01 12:00 a.m. · 2 views

PT-2021-13585 · Apple +9 · Security Update +15

Name of the Vulnerable Software and Affected Versions: macOS Big Sur versions prior to 11.2; Security Update versions prior to 2021-001 Catalina; Security Update versions prior to 2021-001 Mojave; watchOS versions prior to 7.3; tvOS versions prior to 14.4; iOS versions prior to 14.4; iPadOS versions...

CVSS 9.8 · AI score 6.9 · EPSS 0.01995
Exploits 10 · References 293
CNVD
added 2021/01/25 12:00 a.m. · 7 views

WordPress Stockdio Historical Chart plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in WordPress Stockdio Historical Chart plugin versions prior to 2.8....

CVSS 6.1 · AI score 6.7 · EPSS 0.00602
Exploits 2 · References 1
WPVulnDB
added 2021/01/20 12:00 a.m. · 20 views

Stockdio Historical Chart < 2.8.1 - Reflected Cross-Site Scripting (XSS)

The plugin was affected by a Reflected Cross-Site Scripting issue via the postMessage event. PoC: Use the following code on another website...

CVSS 4.3 · AI score 1.1 · EPSS 0.00602
Exploits 2 · References 1 · Affected Software 1
NVD
added 2021/01/19 10:15 p.m. · 10 views

CVE-2020-28707

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdiocharthistorical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage event is not validated. The stockdioeventer function listens for an...

CVSS 6.1 · AI score 6.1 · EPSS 0.00602
Exploits 2 · References 3
OSV
added 2021/01/19 10:15 p.m. · 0 views

CVE-2020-28707

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdiocharthistorical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage event is not validated. The stockdioeventer function listens for an...

CVSS 6.1 · AI score 6.7 · EPSS 0.00602
Exploits 2 · References 3
Prion
added 2021/01/19 10:15 p.m. · 10 views

Cross site scripting

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdiocharthistorical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage event is not validated. The stockdioeventer function listens for an...

CVSS 4.3 · AI score 6 · EPSS 0.00602
Exploits 2 · References 3 · Affected Software 1
Cvelist
added 2021/01/19 9:58 p.m. · 13 views

CVE-2020-28707

The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdiocharthistorical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage event is not validated. The stockdioeventer function listens for an...

AI score 6.1 · EPSS 0.00602
Exploits 2 · References 3
CNNVD
added 2021/01/19 12:00 a.m. · 1 views

WordPress Stockdio Historical Chart plugin cross-site scripting vulnerability

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in WordPress Stockdio Historical Chart plugin versions prior to 2.8....

CVSS 6.1 · AI score 6.6 · EPSS 0.00602
Exploits 2 · References 3
Hacker One
added 2021/01/04 6:13 p.m. · 13 views

Mail.ru: Eval-based XSS in Game JS API (mailru.core.js) via cross-origin postMessage()

mailru.core.js as used by GMR/store.my.games application was vulnerable to XSS via PostMessage handler...

AI score 2
Exploits 0
Hacker One
added 2020/12/24 11:44 a.m. · 12 views

Mail.ru: DOM based XSS via postMessage at store.my.games

mailru.core.js as used by GMR/store.my.games application was vulnerable to XSS via PostMessage handler...

AI score 1.5
Exploits 0