Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-p2wg-8h29-874v: Drupal Link field display mode formatter Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Link field display mode formatter allows Cross-Site Scripting (XSS). This issue affects Link field display mode formatter: from 0.0.0 before 1.6.0.

ghsa
#xss#vulnerability#web#auth
GHSA-5r66-vgc7-2mm3: Drupal Formatter Suite Vulnerable to Cross-Site Scripting (XSS) via Link Element Attributes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Formatter Suite allows Cross-Site Scripting (XSS).This issue affects Formatter Suite: from 0.0.0 before 2.1.0.

GHSA-86h4-w859-3hhv: Drupal RapiDoc OAS Field Formatter Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cross-Site Scripting (XSS). This issue affects RapiDoc OAS Field Formatter: from 0.0.0 before 1.0.1.

GHSA-36vv-q5jv-94cj: Drupal Google Tag Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS). This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

GHSA-rhxm-r44m-4325: Drupal Ignition Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Ignition Error Pages allows Cross-Site Scripting (XSS). This issue affects Ignition Error Pages: from 0.0.0 before 1.0.4.

GHSA-8r2q-865v-wm8j: Drupal SpamSpan Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal SpamSpan filter allows Cross-Site Scripting (XSS). This issue affects SpamSpan filter: from 0.0.0 before 3.2.1.

GHSA-m4wj-hhwj-47qp: Drupal Core Cross-Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.14, from 10.4.0 before 10.4.5, from 11.0.0 before 11.0.13, from 11.1.0 before 11.1.5.

When bots commit: AI-generated code in open source projects

Open source software is the backbone of the modern technology landscape. Enterprises small and large, across industries, rely on open source projects to power critical applications and infrastructure. With the rise of AI-driven code generation tools, developers have a whole new frontier to explore. But while AI-generated contributions might supercharge productivity, they also raise new concerns around security, safety and governance. Below we explore the dynamics of open source projects, how AI-generated code can influence enterprise software and what considerations and best practices you shou

GHSA-gr7w-hmch-25g7: gifplayer XSS vulnerability

### Impact XSS vulnerability. All versions under 0.3.7 are impacted ### Patches Please upgrade to 0.3.7

GHSA-2j42-h78h-q4fg: Beego allows Reflected/Stored XSS in Beego's RenderForm() Function Due to Unescaped User Input

### Summary A Cross-Site Scripting (XSS) vulnerability exists in Beego's `RenderForm()` function due to improper HTML escaping of user-controlled data. This vulnerability allows attackers to inject malicious JavaScript code that executes in victims' browsers, potentially leading to session hijacking, credential theft, or account takeover. The vulnerability affects any application using Beego's `RenderForm()` function with user-provided data. Since it is a high-level function generating an entire form markup, many developers would assume it automatically escapes attributes (the way most frameworks do). ### Details The vulnerability is located in the `renderFormField()` function in Beego's `templatefunc.go` file (around lines 316-356). This function directly injects user-provided values into HTML without proper escaping: ```go return fmt.Sprintf(`%v<input%v%v name="%v" type="%v" value="%v"%v>`, label, id, class, name, fType, value, requiredString) ``` None of the values (label,...