#xss

# Reflected XSS at /lgsl_files/lgsl_list.php **Description:** Vulnerability: A reflected XSS vulnerability exists in the `Referer` HTTP header of [LGSL v6.2.1](https://github.com/tltneon/lgsl/releases/tag/v6.2.1). The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the HTML response without proper sanitization. When crafted malicious input is provided in the `Referer` header, it is echoed back into an HTML attribute in the application’s response. The vulnerability is present at [Line 20-24](https://github.com/tltneon/lgsl/blob/master/lgsl_files/lgsl_list.php#L20-L24) ```php $uri = $_SERVER['REQUEST_URI']; if ($lgsl_config['preloader']) { $uri = $_SERVER['HTTP_REFERER']; } ``` **Proof of Concept:** 1. Capture a request to the path `/lgsl_files/lgsl_list.php`. 2. Inject the following payload into the Referer header: `test'><script>alert(1)</script><`. 3. Send the request. 4. The XSS payload is triggered when reloading. ![image](h...

### Impact A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device. ### Patches Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. ### Workarounds If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies fr...

Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions.

Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.

### Summary A stored cross-site scripting (XSS) vulnerability was identified in lgsl. The issue arises from improper sanitation of user input. Everyone who accesses this page will be affected by this attack. ### Details The function `lgsl_query_40` in `lgsl_protocol.php` has implemented an HTTP crawler. This function makes a request to the registered game server, and upon crawling the malicious `/info` endpoint with our payload, will render our javascript on the info page. This information is being displayed via `lgsl_details.php` #### Affected Code: ```php foreach ($server['e'] as $field => $value) { $value = preg_replace('/((https*:\/\/|https*:\/\/www\.|www\.)[\w\d\.\-\/=$?​]*)/i', "<a href='$1' target='_blank'>$1</a>", html_entity_decode($value)); $output .= " <tr><td> {$field} </td><td> {$value} </td></tr>"; } ``` ### PoC 1. Create a game server with type `eco` and set the target host and port accordingly to your ttack server. I have crafted...

Marp Core ([`@marp-team/marp-core`](https://www.npmjs.com/package/@marp-team/marp-core)) from v3.0.2 to v3.9.0 and v4.0.0, are vulnerable to cross-site scripting (XSS) due to improper neutralization of HTML sanitization. ### Impact Marp Core includes an HTML sanitizer with allowlist support. In the affected versions, the built-in allowlist is enabled by default. When the allowlist is active, if insufficient HTML comments are included, the sanitizer may fail to properly sanitize HTML content and lead cross-site scripting (XSS). ### Patches Marp Core [v3.9.1](https://github.com/marp-team/marp-core/releases/tag/v3.9.1) and [v4.0.1](https://github.com/marp-team/marp-core/releases/tag/v4.0.1) have been patched to fix that. ### Workarounds If you are unable to update the package immediately, disable all HTML tags by setting `html: false` option in the `Marp` class constructor. ```javascript const marp = new Marp({ html: false }) ``` ### References - [CWE-79: Improper Neutralization...

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'name' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code.

A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFLY-19969