Lucene search

28 matches found

Snyk
added 2026/05/22 5:42 p.m. | 6 views

Cross-site Scripting (XSS)

Overview: golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the childTextNodesAreLiteral function in render.go. An attacker can cause the execution of scripts in the context o...

CVSS 6.1 | AI score 5.7 | EPSS 0.00031
Exploits: 0 | References: 3

Snyk
added 2026/05/22 5:42 p.m. | 8 views

Cross-site Scripting (XSS)

Overview: github.com/golang/net/html is a package that implements an HTML5-compliant tokenizer and parser. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the childTextNodesAreLiteral function in render.go. An attacker can cause the execution of scripts in the...

CVSS 6.1 | AI score 5.7 | EPSS 0.00031
Exploits: 0 | References: 3

OSV
added 2026/03/18 8:19 p.m. | 2 views

GHSA-3RCM-VJRC-P45J JustHTML has a Sanitizer Bypass (in Markdown)

Summary: tomarkdown does not sufficiently escape text content that looks like HTML. As a result, untrusted input that is safe in tohtml can become raw HTML in Markdown output. This is not specific to tokenizer raw-text states like , , or , although those states can trigger the behavior. The root...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2023-3037

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.2 | EPSS 0.02076
Exploits: 0 | References: 9

Veracode
added 2023/11/16 9:53 a.m. | 15 views

Mutation Cross-Site Scripting (mXSS)

tinymce is vulnerable to mutation cross-site scripting (mXSS). The vulnerability is caused by a lack of sanitization in the handling of text nodes. This could allow an attacker to inject malicious scripts...

CVSS 6.1 | AI score 6.4 | EPSS 0.02076
Exploits: 0 | References: 5 | Affected Software: 2

Tenable Nessus
added 2023/11/16 12:0 a.m. | 59 views

Oracle Linux 9 : podman (ELSA-2023-6474)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-6474 advisory. - rebuild for following CVEs: CVE-2023-25173 CVE-2022-41724 CVE-2022-41725 CVE-2023-24537 CVE-2023-24538 CVE-2023-24534 CVE-2023-24536 CVE-2022-41723...

CVSS 9.8 | AI score 7.3 | EPSS 0.00759
Exploits: 2 | References: 14

OSV
added 2023/11/15 7:15 p.m. | 0 views

UBUNTU-CVE-2023-48219

TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text...

CVSS 6.1 | AI score 5.6 | EPSS 0.02076
Exploits: 0 | References: 5

OSV
added 2023/11/15 6:32 p.m. | 0 views

GHSA-V626-R774-J7F8 TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes

Impact: A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo/redo functionality and other APIs and plugins. Text nodes within specific parents are not escaped upon serialization according to the HTML standard. If such text nodes contain a special character...

CVSS 6.1 | AI score 5.7 | EPSS 0.02076
Exploits: 0 | References: 7

FreeBSD
added 2023/11/15 12:0 a.m. | 8 views

TinyMCE -- mXSS in multiple plugins

TinyMCE reports: Special characters in unescaped text nodes can trigger mXSS when using TinyMCE undo/redo, getContentAPI, resetContentAPI, and Autosave plugin...

CVSS 6.1 | AI score 7 | EPSS 0.02076
Exploits: 0 | References: 2

Microsoft CVE
added 2023/08/08 7:0 a.m. | 2 views

Improper rendering of text nodes in golang.org/x/net/html

...

CVSS 6.1 | AI score 6.3 | EPSS 0.00098
Exploits: 0

Veracode
added 2023/08/04 4:52 a.m. | 32 views

Cross-Site Scripting (XSS)

github.com/golang/net is vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly escape user input in text nodes outside the HTML namespace, allowing an attacker to inject and execute malicious JavaScript in a victim's browser...

CVSS 6.1 | AI score 5.9 | EPSS 0.00098
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2023/08/02 8:15 p.m. | 2 views

AZL-42867 CVE-2023-3978 affecting package multus for versions less than 4.0.2-2

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.7 | EPSS 0.00098
Exploits: 0 | References: 1

OSV
added 2023/08/02 8:15 p.m. | 5 views

AZL-43555 CVE-2023-3978 affecting package podman 4.1.1-26

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.7 | EPSS 0.00098
Exploits: 0 | References: 1

OSV
added 2023/08/02 8:15 p.m. | 0 views

AZL-31858 CVE-2023-3978 affecting package multus for versions less than 4.0.2-5

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.7 | EPSS 0.00098
Exploits: 0 | References: 1

OSV
added 2023/08/02 8:15 p.m. | 3 views

AZL-27813 CVE-2023-3978 affecting package kubevirt for versions less than 0.59.0-24

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.7 | EPSS 0.00098
Exploits: 0 | References: 1

OSV
added 2023/08/02 8:15 p.m. | 3 views

AZL-34907 CVE-2023-3978 affecting package kubevirt for versions less than 1.2.0-1

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.7 | EPSS 0.00098
Exploits: 0 | References: 1

OSV
added 2023/08/02 8:15 p.m. | 1 view

AZL-34542 CVE-2023-3978 affecting package application-gateway-kubernetes-ingress for versions less than 1.7.7-1

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.7 | EPSS 0.00098
Exploits: 0 | References: 1

UbuntuCve
added 2023/08/02 8:15 p.m. | 53 views

CVE-2023-3978

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack...

CVSS 6.1 | AI score 6.8 | EPSS 0.00098
Exploits: 0 | References: 6

SUSE CVE
added 2023/02/15 5:53 a.m. | 2 views

SUSE CVE-2011-1344

Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad; iOS before 4.2.7 for iPhone 4 CDMA; and possibly other products allows remote attackers to execute arbitrary code by adding children to a WBR tag and then removing the tag,...

CVSS 6.8 | AI score 7.7 | EPSS 0.05324
Exploits: 0 | References: 5

SUSE CVE
added 2023/02/15 5:40 a.m. | 2 views

SUSE CVE-2013-1821

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack...

CVSS 5 | AI score 6.9 | EPSS 0.25732
Exploits: 0 | References: 8