69 matches found
Persistent Cross Site Scripting - LayoutEditor Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On LayoutEditor module from Settings, the type of fieldModel-label parameter is "Text" but it is not validated and it's used directly without any encoding or validation on LayoutEditor/EditField.tpl. It...
Persistent Cross-site Scripting - SlaPolicy Module - Settingss
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On SlaPolicy module from Settings, the type of recordModel-name parameter is "Text" but it is not validated and it's used directly without any encoding or validation on SlaPolicy/EditViewBlocks.tpl. It...
Persistent Cross Site Scripting - Workflow Module - Settings
Description The application uses Purifier to avoid the Cross Site Scripting attack. However, On Workflow module from Settings, the type of workflowModel-summary parameter is not defined and validated, it's used directly without any encoding or validation on Workflows/Step1.tpl and...
aclients (>=1.0.0b31 <=1.0.1b1), aiocqhttp-sanic (>=1.2.3 <=1.2.3rc1) +71 more potentially affected by CVE-2022-35920 via sanic (>=0.3.1 <=20.12.2)
sanic PYPI version =0.3.1, =1.0.0b31, =1.2.3, =0.1.0a6, =0.6.1, =0.39.0, =0.0.4, =0.8.0, =0.0.2, =0.0.2.8.5 and more Source cves: CVE-2022-35920 Source advisory: OSV:GHSA-8CW9-5HMV-77W6...
GHSA-6RM6-MJMH-86JQ HTML Purifier Cross-site Scripting (XSS) vulnerability
Cross-site scripting XSS vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
HTML Purifier Cross-site Scripting (XSS) vulnerability
Cross-site scripting XSS vulnerability in HTML Purifier before 4.1.1, as used in Mahara and other products, when the browser is Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...
GHSA-JW86-5CJF-MV79 HTML Purifier allows remote attackers to obtain sensitive information
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
HTML Purifier allows remote attackers to obtain sensitive information
HTML Purifier 4.2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by tests/PHPT/Reporter/SimpleTest.php and certain other files...
GHSA-3P68-M5QW-9G9W HTML Purifier cross-site scripting (XSS) vulnerability
Multiple cross-site scripting XSS vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted 1 background-image, 2 background, or 3 font-family Cascading Style Sheets CSS property, a different...
HTML Purifier cross-site scripting (XSS) vulnerability
Multiple cross-site scripting XSS vulnerabilities in HTML Purifier before 4.1.0, when Internet Explorer is used, allow remote attackers to inject arbitrary web script or HTML via a crafted 1 background-image, 2 background, or 3 font-family Cascading Style Sheets CSS property, a different...
GHSA-6FH7-FWQJ-MV49 HTML Purifier Cross-site Scripting vulnerability
Cross-site scripting XSS vulnerability in smoketests/configForm.php in HTML Purifier before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "unescaped printr output."...
HTML Purifier Cross-site Scripting vulnerability
Cross-site scripting XSS vulnerability in smoketests/configForm.php in HTML Purifier before 2.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "unescaped printr output."...
Fighting Smoke with Open Source
I'm a developer advocate at Akamai and a huge proponent for the open source initiative. So, today I am going to tell you a story of how a regular person like you or me can make an impact with just a little bit of goodwill, and a pinch of open source. Early morning on August 16, around 2,500...
Nextcloud: URI scheme bypass in mail app lead to HTML content spoof and opener control
Bug When we load a HTML mail from mailbox via api, etc http://nextcloud/index.php/apps/mail/accounts//folders/SU5CT1g=/messages//html Our content will be passed to HTML Purifier to strip malicious XSS patterns. After that, an filter will apply to transform acceptable URI schemes http, https, ftp,...
TinyRise 最新版注射获取敏感信息
简要描述: TinyRise 最新版注射获取敏感信息 详细说明: 主要问题出在filterclass.php: public static function text$str $config = HTMLPurifierConfig::createDefault; $cachedir=Tiny::getPath'cache'."/htmlpurifier/"; if!fileexists$cachedir File::mkdir$cachedir; $config = HTMLPurifierConfig::createDefault; //配置 缓存目录...
TinyShop SQL注入(开启GPC,绕过过滤)
简要描述: 之前的都是找程序员的疏忽,这个位置是绕过程序的防注入。 详细说明: 环境: GPC = On public static function sql$str //过滤函数 if !getmagicquotesgpc //gpc off 就转义,把之前那个奇葩的漏洞补了 //不使用主要是因为,先有mysql的连接 //$str = mysqlrealescapestring$str; $str = addslashes$str; $str =...
[SECURITY] Fedora 19 Update: php-htmlpurifier-htmlpurifier-4.6.0-1.fc19
Standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code better known as XSS with a thoroughly audited, secure yet permissive white list, it will also make sure your documents are standards compliant, something only achievable with a...
[SECURITY] Fedora 20 Update: php-htmlpurifier-htmlpurifier-4.6.0-1.fc20
Standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code better known as XSS with a thoroughly audited, secure yet permissive white list, it will also make sure your documents are standards compliant, something only achievable with a...
Fedora 19 : php-htmlpurifier-htmlpurifier-4.6.0-1.fc19 (2014-9379)
HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMA...
Fedora 20 : php-htmlpurifier-htmlpurifier-4.6.0-1.fc20 (2014-9361)
HTML Purifier 4.6.0 is a major security release, fixing numerous bad quadratic asymptotics in HTML Purifier's core algorithms. Most users will see a decent speedup on large inputs, although small inputs may take longer. Additionally, the secure URI munging algorithm has changed to do a proper HMA...