18 matches found
GHSA-RJ4G-RQGH-RX9H Ech0 comment model's Email field returned on public /api/comments endpoints
Summary The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...
CVE-2025-60506
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PD...
Moodle PDF Annotator plugin security vulnerability
Moodle PDF Annotator plugin is an open source teaching plugin for Moodle. A security vulnerability exists in Moodle PDF Annotator plugin version 1.5 release 9, which stems from the public comments feature not properly filtering input and could lead to a stored cross-site scripting attack...
EUVD-2025-35197
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PD...
CVE-2025-60506
CVE-2025-60506 affects Moodle PDF Annotator plugin v1.5 release 9, enabling stored XSS via Public Comments. A low-privilege user can inject JavaScript in a comment; when others view the annotated PDF, the payload runs in their browser, potentially causing session hijacking and credential theft. N...
EUVD-2012-1978
Malware in sbrugna...
EUVD-2005-2107
Malware in sbrugna...
AI as Sensemaking for Public Comments
It's become fashionable to think of artificial intelligence as an inherently dehumanizing technology, a ruthless force of automation that has unleashed legions of virtual skilled laborers in faceless form. But what if AI turns out to be the one tool able to identify what makes your ideas special,...
AIs and Fake Comments
This month, the New York state attorney general issued a report on a scheme by "U.S. Companies and Partisans to Hack Democracy." This wasn’t another attempt by Republicans to make it harder for Black people and urban residents to vote. It was a concerted attack on another core element of US...
80% of Net Neutrality Comments to FCC Were Fudged
Broadband providers and a 19-year-old college student were among those who successfully hijacked public comments during a crucial decision-making process in 2017 to overturn net neutrality by flooding the Federal Communications Commission (FCC) with fraudulent comments indicating their position on...
Crayon Syntax Highlighter <= 2.6.10 - Local File Disclosure
The local file syntax highlighting feature of Crayon Syntax Highlighter doesn't check the path of the file to process. Also, by default, this feature is usable through public comments. This allows unauthenticated visitors to see the content of any file where the web server has read permissions,...
persistent xss through svg file attachment download
The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be xml by the isXml method. This means that it is possible for a malicious party to upload an svg file containing html/javascript which will be rendered in the victim's web browser. This bug should have been raised a while ag...
Diigo Toolbar cross-site scripting
Cross-site scripting with public comments...
[Full-disclosure] [DRUPAL-SA-2005-002] Drupal 4.6.2 / 4.5.4 fixes input validation issue
Drupal security advisory DRUPAL-SA-2005-002. Advisory ID: DRUPAL-SA-2005-002. Date: 2005-jun-29. Security risk: highly critical. Impact: system...
drupal -- PHP code execution vulnerabilities
Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's filter mechanism. An attacker could execute arbitrary PHP code on a target site when public comments or postings are allowed...