Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-7pr5-w74r-jjj7: Mezzanine CMS has a Stored Cross-Site Scripting (XSS) vulnerability in the displayable_links_js function

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable_links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable_links.js" endpoint, causing the malicious script to execute in their browser.

ghsa
Open in Source
#xss#vulnerability#web#js#java#perl#auth
GHSA-j7p2-87q3-44w7: XWiki does not require right warnings for notification displayer objects

### Impact When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationDisplayerClass` object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. ### Patches This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code. ### Workarounds We're not aware of any real workarounds apart from just being careful with editing documents previously edited by untrusted users as a user with script, admin or programming right.

GHSA-m63q-4hr8-5r5h: Solon Vulnerable to Directory Traversal

Directory Traversal vulnerability in solon v.3.1.2 allows a remote attacker to conduct XSS attacks via the solon-faas-luffy component

GHSA-9qv6-4pwm-m68f: Ibexa RichText Field Type XSS vulnerabilities in back office

### Impact This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. ### Patches - See "Patched versions". - https://github.com/ibexa/fieldtype-richtext/commit/4a4a170c7faa4807ae0f74c581481b835bab3caf ### Workarounds None.

GHSA-5r6x-g6jv-4v87: Ibexa Admin UI XSS vulnerabilities in back office

### Impact This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. ### Patches - See "Patched versions". - https://github.com/ibexa/admin-ui/commit/72a64d90d249e5f4c4a5e8238f5d627c9b68d9b8 ### Workarounds None.

GHSA-vhgq-r8gx-5fpv: Ibexa Admin UI assets XSS vulnerabilities in back office

### Impact This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. ### Patches - See "Patched versions". - https://github.com/ibexa/admin-ui-assets/commit/219b71b70aaea9321947d2dbeb49fff1b49e05f4 ### Workarounds None.

GHSA-r5rx-53g9-25rj: Ibexa eZ Platform Admin UI assets XSS vulnerabilities in back office

### Impact This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. ### Patches - See "Patched versions". - https://github.com/ezsystems/ezplatform-admin-ui-assets/commit/219b71b70aaea9321947d2dbeb49fff1b49e05f4 ### Workarounds None.

GHSA-r7pm-mw8g-p7px: Ibexa eZ Platform Admin UI XSS vulnerabilities in back office

### Impact This security advisory is a part of IBEXA-SA-2025-003, which resolves XSS vulnerabilities in several parts of the back office of Ibexa DXP. Back office access and varying levels of editing and management permissions are required to exploit these vulnerabilities. This typically means Editor or Administrator role, or similar. Injected XSS is persistent and can be reflected in the front office, possibly affecting end users. The fixes ensure XSS is escaped, and any existing injected XSS is rendered harmless. ### Patches - See "Patched versions". - https://github.com/ezsystems/ezplatform-admin-ui/commit/acaa620d4ef44e7c20908dc389d48064f2c19e6d ### Workarounds None.

GHSA-2v3v-3whp-953h: starcitizentools/citizen-skin allows stored XSS in user registration date message

### Summary Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The result of `$this->lang->userDate( $timestamp, $this->user )` returns unescaped values, but is inserted as raw HTML by Citizen: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60 ### PoC 1. Go to any page using citizen with the uselang parameter set to x-xss and while being logged in Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's `november`: ![image](https://github.com/user-attachments/assets/252a3453-99c8-4ce1-b6d6-a8485b7a9a43) ### Impact This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.

GHSA-g3cp-pq72-hjpv: starcitizentools/citizen-skin allows stored XSS in menu heading message

### Summary All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10 ### PoC 1. Go to any article using citizen with the `uselang` parameter set to `x-xss` 2. A large number of alerts will be shown for various messages, e.g.: ![image](https://github.com/user-attachments/assets/6a18ec77-d2a0-4a0d-b4aa-83359304659a) ![image](https://github.com/user-attachments/assets/eaadb8e1-58b6-41be-90d2-829c50cf75ac) On the main page of my test wiki, the following messages were shown: `navigation`, `notifications`, `user-interface-preferences`, `personaltools`, `variants`, `views`, `associated-pages`, `cactions` and `toolbox`. ### Impact This impacts wiki...