#xss

A vulnerability, which was classified as problematic, was found in Gravity Forms DPS PxPay Plugin up to 1.4.2 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.4.3 is able to address this issue. The name of the patch is 5966a5e6343e3d5610bdfa126a5cfbae95e629b6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230664.

### Impact Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in the Rancher UI. Cross-Site scripting allows a malicious user to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. The affected areas include the Projects/Namespaces and Auth Provider sections. The attacker needs to be authenticated and have write access to those features in order to exploit the vulnerabilities. Some of the permissions (roles) required are: - Project Owner. - Restricted Admin. - Configure Authentication. - Administrator. - Custom RBAC Role that provides write access on Projects or External Authentication Providers. For users that suspect this vulnerability may have t...

### Impact #### Description: JStachio fails to escape single quotes `'` in HTML, allowing an attacker to inject malicious code. #### Reproduction Steps: Use the following template code: ```html <div attr='{{value}}'></div> ``` Set the value variable to `' onblur='alert(1)`. ```java public class Escaping { public static void main(String[] args) { Model model = new Model("' onblur='alert(1)"); String result = AttributeTemplate.of().execute(model); System.out.println(result); } @JStache(template = "<div attr='{{value}}'></div>", name="AttributeTemplate") @JStacheConfig(contentType= Html.class) public static class Model { public final String value; public Model(String value) { this.value = value; } public String getValue() { return value; } } } ``` Expected Result: The resulting output should have properly escaped the single quotes and not execute the inject...

Avo is an open source ruby on rails admin panel creation framework. In affected versions some avo fields are vulnerable to Cross Site Scripting (XSS) when rendering html based content. Attackers do need form edit privilege in order to successfully exploit this vulnerability, but the results are stored and no specific timing is required. This issue has been addressed in commit `7891c01e` which is expected to be included in the next release of avo. Users are advised to configure CSP headers for their application and to limit untrusted user access as a mitigation.

Minical 1.0.0 is vulnerable to Cross Site Scripting (XSS). The vulnerability exists due to insufficient input validation in the application's user input handling in the security_helper.php file.

Kanboard is open source project management software that focuses on the Kanban methodology. A stored Cross site scripting (XSS) allows an attacker to execute arbitrary Javascript and any user who views the task containing the malicious code will be exposed to the XSS attack. Note: The default CSP header configuration blocks this javascript attack. This issue has been addressed in version 1.2.30. Users are advised to upgrade. Users unable to upgrade should ensure that they have a restrictive CSP header config.

Total CMS version 1.7.4 suffers from a cross site scripting vulnerability.

Barebones CMS version 2.0.2 suffers from a persistent cross site scripting vulnerability.

WordPress Circle Progress plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

Reportlab up to v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.