CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

97 matches found

Vulnrichment•added 2025/06/04 7:59 p.m.•10 views

CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the attribute, which leads to cross-site scripting XSS by loading an attacker's UserJS inside . In order to execute the attack, the attacker needs to control one of the victim's feeds and...

6.7CVSS6.7AI score0.00378EPSS

Exploits1References2

CNNVD•added 2025/06/04 12:0 a.m.•3 views

FreshRSS 跨站脚本漏洞

FreshRSS is a free, self-hosted RSS aggregator from the FreshRSS open source. A cross-site scripting vulnerability exists in versions of FreshRSS prior to 1.26.2 that stems from improper cleanup of the iframe srcdoc attribute, which could lead to cross-site scripting attacks...

6.7CVSS5.8AI score0.00378EPSS

Exploits1References2

RedhatCVE•added 2025/05/23 8:35 a.m.•5 views

CVE-2024-32472

excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as...

6.1CVSS5.8AI score0.00561EPSS

Exploits0References1

RedhatCVE•added 2025/05/23 5:40 a.m.•3 views

CVE-2023-0546

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...

5.4CVSS6.3AI score0.00478EPSS

Exploits2References1

Positive Technologies•added 2024/04/17 12:0 a.m.•4 views

PT-2024-24599 · Unknown · Excalidraw

Name of the Vulnerable Software and Affected Versions: Excalidraw versions 0.16.x through 0.17.5 Excalidraw version 0.16.3 and earlier Description: A stored XSS vulnerability in Excalidraw's web embeddable component allows arbitrary JavaScript to be run in the context of the domain where the edit...

6.1CVSS6.6AI score0.00561EPSS

Exploits0References9

WPVulnDB•added 2024/01/04 12:0 a.m.•20 views

iFrame < 4.9 - Contributor+ Stored XSS

Description The plugin does not sanitise and escape the srcdoc parameter, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, however given that the malicious JS is limited to the scope of the iframe, there is no practical way to make users su...

6.5CVSS5.8AI score0.00328EPSS

Exploits0References1Affected Software1

OSV•added 2023/04/10 2:15 p.m.•2 views

CVE-2023-0546

5.4CVSS6.8AI score

Exploits0References1

SUSE CVE•added 2023/02/15 4:46 a.m.•3 views

SUSE CVE-2017-7788

When an "iframe" has a "sandbox" attribute and its content is specified using "srcdoc", that content does not inherit the containing page's Content Security Policy CSP as it should unless the sandbox attribute included "allow-same-origin". This vulnerability affects Firefox 55...

5.4CVSS8.6AI score0.02336EPSS

Exploits1References4

SUSE CVE•added 2023/02/15 3:32 a.m.•2 views

SUSE CVE-2022-3032

When receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the inner HTML document, remote objects specified in the nested document, for example images or videos, were not blocked. Rather, the network was accessed, the objects were loaded and displayed...

6.1CVSS8.9AI score0.00663EPSS

Exploits0References4

ATTACKERKB•added 2022/12/22 8:15 p.m.•3 views

CVE-2022-3032

6.5CVSS6.7AI score0.00663EPSS

Exploits0References4

OSV•added 2022/12/22 8:15 p.m.•1 views

DEBIAN-CVE-2022-3032

6.5CVSS6.8AI score0.00663EPSS

Exploits0References1

NVD•added 2022/12/22 8:15 p.m.•17 views

CVE-2022-3032

6.5CVSS0.00663EPSS

Exploits0References3

Vulnrichment•added 2022/12/22 12:0 a.m.•8 views

CVE-2022-3032

6.9AI score0.00663EPSS

Exploits0References3

Cvelist•added 2022/12/22 12:0 a.m.•18 views

CVE-2022-3032

7.3AI score0.00663EPSS

Exploits0References3

Debian CVE•added 2022/12/22 12:0 a.m.•30 views

CVE-2022-3032

6.5CVSS7.2AI score0.00663EPSS

Exploits0

RedHat Linux•added 2022/09/26 4:34 p.m.•2 views

Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue of when receiving an HTML email that contained an iframe element, which used a srcdoc attribute to define the internal HTML document, remote objects specified in the nested document for example, images or...

6.5CVSS6.9AI score0.00663EPSS

Exploits0References6

RedHat Linux•added 2022/09/26 3:57 p.m.•1 views

Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked

6.5CVSS6.9AI score0.00663EPSS

Exploits0References6

RedHat Linux•added 2022/09/26 3:41 p.m.•1 views

Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked

6.5CVSS6.9AI score0.00663EPSS

Exploits0References6

RedHat Linux•added 2022/09/26 3:37 p.m.•1 views

Mozilla: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked