#xss

Red Hat Security Advisory 2024-8720-03 - An update for firefox is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include cross site scripting, denial of service, spoofing, and use-after-free vulnerabilities.

Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append a XSS payload to a word that has a corresponding glossary entry.

Red Hat Security Advisory 2024-8678-03 - An update for grafana is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include a cross site scripting vulnerability.

A vulnerability was identified in Consul and Consul Enterprise such that the server response did not explicitly set a Content-Type HTTP header, allowing user-provided inputs to be misinterpreted and lead to reflected XSS.

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters query and application is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Red Hat Security Advisory 2024-8534-03 - An update is now available for Red Hat Ansible Automation Platform 2.5. Issues addressed include cross site scripting and memory exhaustion vulnerabilities.

Using a malicious Chrome extension, researchers showed how an attacker could use a now-fixed bug to inject custom code into a victim's Opera browser to exploit special and powerful APIs, used by developers and typically saved for only the most trusted sites.

The ABB BMS/BAS controller suffers from an unauthenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters 'query' and 'application' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

Booked Scheduler version 2.8.5 suffers from cross site scripting and open redirection vulnerabilities.