Tag
#xss
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk DataMosaix Private Cloud Vulnerabilities: Weak Authentication, Improper Encoding or Escaping of Output 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to take over accounts, steal credentials, redirect users to a malicious website, or bypass MFA. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of FactoryTalk DataMosaix Private Cloud are affected: FactoryTalk DataMosaix Private Cloud: Versions 7.11, 8.00, 8.01 (CVE-2025-11084) FactoryTalk DataMosaix Private Cloud: Versions 7.11, 8.00 (CVE-2025-11085) 3.2 VULNERABILITY OVERVIEW 3.2.1 WEAK AUTHENTICATION CWE-1390 A security issue exists within DataMosaix™ Private Cloud, allowing attackers to bypass MFA during setup and obtain a valid login-token cookie without knowing the users password. This vulnerability occurs when MFA is enabled...
Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us. But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every
### Summary A Stored Cross Site Scripting is present in the changedetection.io Watch update API due to unsufficient security checks. ### Details Tested on changedetection.io version *v0.50.24* ```console REPOSITORY TAG IMAGE ID CREATED SIZE ghcr.io/dgtlmoon/changedetection.io latest 0367276509a0 23 hours ago 599MB ``` When a user tries to add an unsafe URL as a Watch in the changedetection.io UI, the action is blocked with the error message "Watch protocol is not permitted by SAFE_PROTOCOL_REGEX or incorrect URL format". This is catched by the function `validate_url(test_url)`. ```python def validate_url(test_url): # ... from .model.Watch import is_safe_url if not is_safe_url(test_url): # This should be wtforms.validators. raise ValidationError('Watch protocol is not permitted by SAFE_PROTOCOL_REGEX or incorrect URL format') ``` When instead the Watch API is used, this check is not performed resul...
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.
### Impact The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. **Who is impacted:** - Any application using prosemirror_to_html to convert ProseMirror documents to HTML - Applications that process user-generated ProseMirror content are at highest risk - End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers **Attack vectors include:** - `href` attributes with `javascript:` protocol: `<a href="javascript:alert(document.cookie)">` - Event handlers: `<div onclick="maliciousCode()">` - `onerror` attributes on images: `<img src=x onerror="alert('XSS')">` - Other HTML attributes that can execute JavaScript ### Patches A fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML ...
### Summary Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) `execute` events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. ### Details ROOT CAUSE ANALYSIS: Open WebUI's Direct Connections feature allows users to add external OpenAI-compatible model servers without proper validation of the Server-Sent Events (SSE) these servers emit. VULNERABLE COMPONENT: Frontend SSE Event Handler The frontend JavaScript code processes SSE events from external servers and specifically handles an `execute` eve...
### Summary The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink `.innerHtml` without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding `/` command to insert the prompt. ### Details The affected line is https://github.com/open-webui/open-webui/blob/7a83e7dfa367d19f762ec17cac5e4a94ea2bd97d/src/lib/components/common/RichTextInput.svelte#L348 ```js export const replaceCommandWithText = async (text) => { const { state, dispatch } = editor.view; const { selection } = state; const pos = selection.from; // Get the plain text of this document // const docText = state.doc.textBetween(0, state.doc.content.size, '\n', '\n'); // Find the word boundaries at cursor const { start, end } = getWordBoundsAtPos(state.doc, pos); let tr = sta...
A vulnerability in Nuxt DevTools has been fixed in version **2.6.4***. This issue may have allowed Nuxt auth token extraction via XSS under certain configurations. All users are encouraged to upgrade.
### Impact The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. **Who is impacted:** - Any application using prosemirror_to_html to convert ProseMirror documents to HTML - Applications that process user-generated ProseMirror content are at highest risk - End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers **Attack vectors include:** - `href` attributes with `javascript:` protocol: `<a href="javascript:alert(document.cookie)">` - Event handlers: `<div onclick="maliciousCode()">` - `onerror` attributes on images: `<img src=x onerror="alert('XSS')">` - Other HTML attributes that can execute JavaScript ### Patches A fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML attribute...
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Advantech Equipment: DeviceOn/iEdge Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could result in a denial-of-service condition, remote code execution, or an attacker reading arbitrary files. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of DeviceOn/iEdge, an IoT management platform, is affected: DeviceOn/iEdge: Version 2.0.2 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79 Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation. CVE-2025-64302 has been assigned to this vuln...