Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping

Summary When dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a or block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...

UBUNTU-CVE-2013-5855

Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a 1 tag or 2 EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting XSS attacks via application-specific vectors...