#xss

# Unauthorized Reflected XSS in the constructor of the `Downloader` class **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack **Impact**: execution of arbitrary JavaScript code in the browser **Vulnerable component**: the constructor of the `Downloader` class **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the `name` and `type` variables **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet. ...

The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. ### Impact An attacker could trick the user to copy&paste a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8 ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later. ### Workarounds This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly p...

# Unauthorized Reflected XSS in `Convert-Online.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the quantity variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Convert-Online.php` file) in Php...

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability in the 'title' GET parameter. Input is not properly sanitized before being returned to the user, allowing the execution of arbitrary HTML/JS code in a user's browser session in the context of the affected site. While the factory test scripts included in the upgrade bundle are typically deleted, a short window for exploitation exists when the device is in the manufacturing phase.

# Reflected XSS at /lgsl_files/lgsl_list.php **Description:** Vulnerability: A reflected XSS vulnerability exists in the `Referer` HTTP header of [LGSL v6.2.1](https://github.com/tltneon/lgsl/releases/tag/v6.2.1). The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization. When crafted malicious input is provided in the `Referer` header, it is echoed back into an HTML attribute in the application’s response. The vulnerability is present at [Line 20-24](https://github.com/tltneon/lgsl/blob/master/lgsl_files/lgsl_list.php#L20-L24) ```php $uri = $_SERVER['REQUEST_URI']; if ($lgsl_config['preloader']) { $uri = $_SERVER['HTTP_REFERER']; } ``` **Proof of Concept:** 1. Capture a request to the path `/lgsl_files/lgsl_list.php`. 2. Inject the following payload into the Referer header: `test'><script>alert(1)</script><`. 3. Send the request. 4. The XSS payload is triggered when reloading. ![image](h...

### Impact A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device. ### Patches Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. ### Workarounds If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies fr...

Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions.

Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.

### Summary A stored cross-site scripting (XSS) vulnerability was identified in lgsl. The issue arises from improper sanitation of user input. Everyone who accesses this page will be affected by this attack. ### Details The function `lgsl_query_40` in `lgsl_protocol.php` has implemented an HTTP crawler. This function makes a request to the registered game server, and upon crawling the malicious `/info` endpoint with our payload, will render our javascript on the info page. This information is being displayed via `lgsl_details.php` #### Affected Code: ```php foreach ($server['e'] as $field => $value) { $value = preg_replace('/((https*:\/\/|https*:\/\/www\.|www\.)[\w\d\.\-\/=$?​]*)/i', "<a href='$1' target='_blank'>$1</a>", html_entity_decode($value)); $output .= " <tr><td> {$field} </td><td> {$value} </td></tr>"; } ``` ### PoC 1. Create a game server with type `eco` and set the target host and port accordingly to your ttack server. I have crafted...

Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization. ### Impact Marp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS). ### Patches Marp Core [v3.9.1](https://github.com/marp-team/marp-core/releases/tag/v3.9.1) and [v4.0.1](https://github.com/marp-team/marp-core/releases/tag/v4.0.1) have been patched to fix that. ### Workarounds If you are unable to update the package immediately, disable all HTML tags by setting `html: false` option in the `Marp` class constructor. ```javascript const marp = new Marp({ html: false }) ``` ### References - [CWE-79: Improper Neutralization...