#xss

### Summary An HTML injection vulnerability in plaintext emails generated by Mailgen has been discovered. Your project is affected if you use the `Mailgen.generatePlaintext(email)` method and pass in user-generated content. The issue was discovered and reported by Edoardo Ottavianelli (@edoardottt). ### Details The following function (inside index.js) is intended to strip all HTML content to produce a plaintext string. ```javascript // Plaintext text e-mail generator Mailgen.prototype.generatePlaintext = function (params) { // Plaintext theme not cached? if (!this.cachedPlaintextTheme) { throw new Error('An error was encountered while loading the plaintext theme.'); } // Parse email params and get back an object with data to inject var ejsParams = this.parseParams(params); // Render the plaintext theme with ejs, injecting the data accordingly var output = ejs.render(this.cachedPlaintextTheme, ejsParams); // Definition of the <br /> tag ...

### Summary An authenticated party can add a malicious name to the Energy entity, allowing for Cross-Site Scripting attacks against anyone who can see the Energy dashboard, when they hover over any information point (The blue bar in the picture below) <img width="955" height="568" alt="1_cens" src="https://github.com/user-attachments/assets/ed855216-c306-4b50-affc-cda100e72b74" /> An alternative, and more impactful scenario, is that the entity gets a malicious name from the provider of the Entity (in this case the energy provider: Tibber), and gets exploited that way, through the default name. ### Details The incriminating entity in my scenario is from the Tibber integration, as shown in the screenshot below: <img width="822" height="309" alt="2_cens" src="https://github.com/user-attachments/assets/d0d5a7aa-8d0c-4dcb-825b-e4cb8ea8885b" /> The exploit should be possible regardless of the Energy integration, as the user can name the entity themselves and as such pick a malicious na...

Malicious script injection ('Cross-site Scripting') vulnerability in Apache Geode web-api (REST). This vulnerability allows an attacker that tricks a logged-in user into clicking a specially-crafted link to execute code on the returned page, which could lead to theft of the user's session information and even account takeover. This issue affects Apache Geode: all versions prior to 1.15.2. Users are recommended to upgrade to version 1.15.2, which fixes the issue.

### Summary Reflected-XSS in `report_this` function in `librenms/includes/functions.php` ### Details Recently, it was discovered that the `report_this` function had improper filtering (`htmlentities` function was incorrectly used in a href environment), which caused the `project_issues` parameter to trigger an XSS vulnerability. The Vulnerable Sink: https://github.com/librenms/librenms/blob/master/includes/functions.php#L444 ### PoC GET `project_issues=javascript:alert(document.cookie)` ### Impact XSS vulnerabilities allow attackers to execute malicious scripts in users' browsers, enabling unauthorized access to sensitive data, session hijacking, or malware distribution. ### Suggestion It is recommended to filter dangerous protocols, e.g. `javascript:`/`file:`.

Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into a user’s first, middle or last name text field to (1) page comments widget, (2) blog entry comments, (3) document and media document comments, (4) message board messages, (5) wiki page comments or (6) other widgets/apps that supports mentions.

Every week, the cyber world reminds us that silence doesn’t mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done. This week’s edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons.

Cross-Site Scripting vulnerability in attribute table in QGIS QWC2 < 2025.08.14 allows an authorized attacker to plant arbitrary JavaScript code in the page.

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.

Stored cross-site scripting (XSS) vulnerability on the Membership page in Account Settings in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via a crafted payload injected into a Account's “Name“ text field.

Stored cross-site scripting (XSS) vulnerability in Commerce’s view order page in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 8 through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into an Account’s “Name” text field.