Security Headlines

Tag: #xss

GHSA-fj2w-qmjp-3rjm: Gollum 5.0 before 5.1.2 vulnerable to cross-site scripting via filename parameter to New Page dialog

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

Source: ghsa. Tags: #xss, #git
GHSA-prc3-vjfx-vhm9: Angular (deprecated package) Cross-site Scripting

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements. NPM package [angular](https://www.npmjs.com/package/angular) is deprecated. Those who want to receive security updates should use the actively maintained package [@angular/core](https://www.npmjs.com/package/@angular/core).

CVE-2022-25869: Cross-site Scripting (XSS) in org.webjars.bowergithub.angular:angular | CVE-2022-25869 | Snyk

All versions of package angular are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.

GHSA-6f85-3f8q-qc94: OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

Impact: Due to insufficient class name validation in the GrapeJS library, it is possible to add executable JS code in a class name through the Selector Manager.

Relates to: [https://github.com/artf/grapesjs/issues/4411](https://github.com/artf/grapesjs/issues/4411)

Patch: Update the GrapeJS dependency to >= [v0.19.5](https://github.com/artf/grapesjs/releases/tag/v0.19.5).

CVE-2022-23201: Adobe Security Bulletin

Adobe RoboHelp versions 2020.0.7 (and earlier) are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

GHSA-mxvc-fwgx-j778: Whoogle Search cross-site scripting via string parameter

The package whoogle-search before 0.7.2 is vulnerable to Cross-site Scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error_message that is then rendered in the error.html template, using the [flask.render_template](https://flask.palletsprojects.com/en/2.1.x/api/flask.render_template) function. However, the error_message is rendered using the [| safe filter](https://jinja.palletsprojects.com/en/3.1.x/templates/working-with-automatic-escaping), meaning the user input is not escaped.

CVE-2020-35305: Gollum cross-site scripting via filename parameter to New Page dialog

Cross site scripting (XSS) in gollum 5.0 to 5.1.2 via the filename parameter to the 'New Page' dialog.

CVE-2020-35261: poc-dump/MultiRestaurantReservationSystem/1.0 at main · yunaranyancat/poc-dump

Cross Site Scripting (XSS) vulnerability in sourcecodester Multi Restaurant Table Reservation System 1.0 via the Restaurant Name field to /dashboard/profile.php.

CVE-2022-30244: Product Security

Honeywell Alerton Ascent Control Module (ACM) through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A user with malicious intent can send a crafted packet to change and/or stop the program without the knowledge of other users, altering the controller's function. After the programming change, the program needs to be overwritten in order for the controller to restore its original operational function.

CVE-2022-32118: School Management System with Source Code

Arox School ERP Pro v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the dispatchcategory parameter in backoffice.inc.php.