#xss

The ABB BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'redirect' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

A stored cross-site scripting (XSS) vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter.

The vulnerability was first identified in 2014.

Cisco encourages users to update to an unaffected version of its Adaptive Security Appliance (ASA) software since there are no workarounds for the 2014 vulnerability.

### Summary The application allows users to upload files with scripts in the filename parameter. As a result, a malicious user can upload a script file to the system. When users in the application use the "Diff or Compare" functionality, they are affected by a Stored Cross-Site Scripting vulnerability. ### Details I found a Stored Cross-Site Scripting vulnerability in the "Diff or Compare" functionality. This issue occurs because the upload functionality allows users to upload files with special characters such as <, >, /, and " in the filename. This vulnerability can be mitigated by restricting file uploads to filenames containing only whitelisted characters, such as A-Z, 0-9, and specific special characters permitted by business requirements, like - or _ . ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ 1. On MobSF version 4.2.8, I clicked on "Unload & Analyze" button. ![0](https://github.com/user-attachments/assets/489013...

Debian Linux Security Advisory 5823-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Red Hat Security Advisory 2024-10748-03 - An update for thunderbird is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

Red Hat Security Advisory 2024-10745-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

Red Hat Security Advisory 2024-10743-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.

Red Hat Security Advisory 2024-10742-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include bypass, cross site scripting, and spoofing vulnerabilities.