Tag

#xss

CVE-2022-35933: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in prestashop/productcomments

This package is a PrestaShop module that allows users to post reviews and rate products. There is a vulnerability where the attacker could steal an administrator's cookie. The issue is fixed in version 5.0.2.

OX App Suite Cross Site Scripting / Command Injection

OX App Suite versions 8.2 and earlier suffer from multiple cross site scripting vulnerabilities. Versions 7.10.6 and earlier suffer from a command injection vulnerability.

WordPress Netroics Blog Posts Grid 1.0 Cross Site Scripting

WordPress Netroics Blog Posts Grid plugin version 1.0 suffers from a persistent cross site scripting vulnerability.

CVE-2022-25370

Apache OFBiz uses the Birt plugin (https://eclipse.github.io/birt-website/) to create data visualizations and reports. In Apache OFBiz release 18.12.05, and earlier versions, by leveraging a vulnerability in Birt (https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142), an unauthenticated malicious user could perform a stored XSS attack in order to inject a malicious payload and execute it using the stored XSS.

CVE-2022-36637: Vulnerability of Garage Management System 1.0

Garage Management System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via the brand_name parameter at /brand.php.

CVE-2022-36600: Cross-Site Scripting (XSS) in "/blogengine/api/posts" · Issue #254 · BlogEngine/BlogEngine.NET

BlogEngine v3.3.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blogengine/api/posts. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description field.

CVE-2022-37679: Cross-Site Scripting (XSS) in "/posts" · Issue #178 · madskristensen/Miniblog.Core

Miniblog.Core v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /blog/edit. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Excerpt field.

GHSA-gp7f-rwcx-9369: jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled

jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow cross-site scripting (XSS) attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.

### Impact

Sites that accept input HTML from users and use jsoup to sanitize that HTML, may be vulnerable to cross-site scripting (XSS) attacks, if they have enabled `SafeList.preserveRelativeLinks` and do not set an appropriate Content Security Policy.

### Patches

This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

### Workarounds

To remediate this issue without immediately u...

CVE-2022-2256: Invalid Bug ID

A stored cross-site scripting (XSS) vulnerability was found in Keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.