#xss

### Description Leantime allows stored cross-site scripting (XSS) in the API key name while generating the API key. ### Impact Any low privileged user like manager, or editor, can create an API key with XSS payload. When admin will visit the Company page, the XSS will automatically get triggerred leading to the unauthorized action performed from the ADMIN account. Like, removing any user, or adding someone else as high privilege, and many more.

### Summary A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET["id"] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.

### Summary Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. ### Details A Stored Cross-Site Scripting (XSS) vulnerability was found that could potentially compromise user data and pose a significant security risk to the platform. ### PoC - Create a project - Navigate to project - Visit to the integration - Add malicious payload inside the webhook and save it. - Notice the alert dialogue indicating successful execution of the XSS payload. ``` '';!--" onfocus=alert(0) autofocus="" onload=alert(3);="&{(alert(1))}" |="" mufazmi"=" ``` ``` '';!--" onfocus=alert(0) autofocus="" onload=alert(3);=>>"&{(alert(1))}" |="">> mufazmi"=">> ``` ### POC https://youtu.be/kqKFgsOqstg ### Impact This XSS vulnerability allows an attacker to execute malicious scripts in the context of a victim's browser when they click on a specially crafted link. This could lead to various m...

### Summary The vulnerability in Leantime's "overdue" section allows attackers to upload malicious image files containing XSS payloads. When other users view these files, the scripts execute, enabling attackers to steal sensitive information or perform unauthorized actions. Improving input validation and output encoding in the file upload process can prevent this exploit. Accessing and enhancing the relevant source code modules is crucial for addressing this security flaw effectively. ### Impact This XSS vulnerability allows attackers to inject malicious scripts into the Leantime application, compromising user data, session tokens, and potentially executing unauthorized actions on behalf of users. Exploitation could lead to account takeover, data theft, and unauthorized access to sensitive information, posing a significant risk to user privacy, data integrity, and system security.

STORED XSS +OPEN REDIRECTION in SVG uploads Vulnerable url:https://hack.leantime.io/projects/showProject/3

### Summary A Reflected Cross-site Scripting (XSS) vulnerability enables attackers to create malicious URLs that, when visited, inject scripts into the web application. This can lead to session hijacking or phishing attacks on a trusted domain, posing a moderate risk to all users. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ It's possible to inject html elements, including scripts through the [folder-list template](https://github.com/oxyno-zeta/s3-proxy/blob/master/templates/folder-list.tpl#L19C21-L19C38). It seems like the `.Request.URL.Path` variable is not escaped. I did some research and found it might be due to the `text/template` import being used in [the template implementation](https://github.com/oxyno-zeta/s3-proxy/blob/master/pkg/s3-proxy/utils/templateutils/template.go#L8), instead of the [safer](https://pkg.go.dev/html/template) `html/template`. ### PoC _Complete instructions, including ...

### Impact During a recent internal audit, we identified a Cross-Site Scripting (XSS) vulnerability in the CKEditor 5 real-time collaboration package. This vulnerability can lead to unauthorized JavaScript code execution and affects user markers, which represent users' positions within the document. This vulnerability affects only installations with [Real-time collaborative editing](https://ckeditor.com/docs/ckeditor5/latest/features/collaboration/real-time-collaboration/real-time-collaboration.html) enabled. ### Patches The problem has been recognized and patched. The fix will be available in version 44.2.1 (and above). ### For more information Email us at [security@cksource.com](mailto:security@cksource.com) if you have any questions or comments about this advisory.

A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

### Summary The `vlSelectionTuples` function can be used to call JavaScript functions, leading to XSS. ### Details [`vlSelectionTuples`](https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14) calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: `vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})` This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. ### PoC ``` {"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]} ```

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia.  The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    For Snort