Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-pjpc-87mp-4332: Cross-site Scripting vulnerability in Mautic's tracking pixel functionality

### Impact Mautic allows you to track open rates by using tracking pixels. The tracking information is stored together with extra metadata of the tracking request. The output isn't sufficiently filtered when showing the metadata of the tracking information, which may lead to a vulnerable situation. ### Patches Please upgrade to 4.3.0 ### Workarounds None. ### References * Internally tracked under MST-38 ### For more information If you have any questions or comments about this advisory: * Email us at [security@mautic.org](mailto:security@mautic.org)

ghsa
Open in Source
#xss#vulnerability
CVE-2022-29252: XWIKI-19292: Fix bad escaping · xwiki/xwiki-platform@27f8391

XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.

CVE-2022-29251: [XWIKI-19294] XSS in the Flamingo theme manager

XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.

GHSA-jfxf-4frr-9j3q: XSS in various backend modules due to (un)escaping in JS notification module

The notification module displaying flash messages unscapes HTML coming from the server, resulting in XSS vulnerabilities with various names and labels of entities (eg. workspace title or media title). This however means you must be a logged in user with respective rights in the first place to leverage the attack vector.

CVE-2022-29408: WordPress Advanced Contact form 7 DB plugin <= 1.8.7 - Persistent Cross-Site Scripting (XSS) vulnerability - Patchstack

Persistent Cross-Site Scripting (XSS) vulnerability in Vsourz Digital's Advanced Contact form 7 DB plugin <= 1.8.7 at WordPress.

CVE-2021-32989

When a non-existent resource is requested, the LCDS LAquis SCADA application (version 4.3.1.1011 and prior) returns error messages which may allow reflected cross-site scripting.

CVE-2022-29380: Offensive Security’s Exploit Database Archive

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel.

CVE-2022-29405: Archiva Documentation – Release Notes for Archiva 2.2.8

In Apache Archiva, any registered user can reset password for any users. This is fixed in Archiva 2.2.8

CVE-2022-29710: Fixed issue: [security] Minor XSS issue in plugin overview - reported… · LimeSurvey/LimeSurvey@f7b3561

A cross-site scripting (XSS) vulnerability in uploadConfirm.php of LimeSurvey v5.3.9 and below allows attackers to execute arbitrary web scripts or HTML via a crafted plugin.

CVE-2022-29362: There is XSS vulnerability that can be able to obtain sensitive user information in the foreground · Issue #457 · SeriaWei/ZKEACMS

A cross-site scripting (XSS) vulnerability in /navigation/create?ParentID=%23 of ZKEACMS v3.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ParentID parameter.