CWE-80
AllowedImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
936 vulnerabilities reference this CWE, most recent first.
GHSA-CPJ3-3R2F-XJ59
Vulnerability from github – Published: 2026-03-26 18:37 – Updated: 2026-03-27 21:33Impact
OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callback_mode=direct configured are vulnerable to XSS via the error_description parameter on the page for a failed authentication.
This allows an attacker access to the token used in the Web UI by a victim.
Patches
The error_description parameter has been replaced with a static error message in v2.5.2
Workarounds
The vulnerability can be mitigated by removing any roles with callback_mode set to direct.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openbao/openbao"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260325133417-6e2b2dd84f0e"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33758"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:37:09Z",
"nvd_published_at": "2026-03-27T15:16:57Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nOpenBao installations that have an OIDC/JWT authentication method enabled and a role with `callback_mode=direct` configured are vulnerable to XSS via the `error_description` parameter on the page for a failed authentication.\n\nThis allows an attacker access to the token used in the Web UI by a victim.\n\n### Patches\nThe `error_description` parameter has been replaced with a static error message in v2.5.2\n\n### Workarounds\nThe vulnerability can be mitigated by removing any roles with `callback_mode` set to `direct`.",
"id": "GHSA-cpj3-3r2f-xj59",
"modified": "2026-03-27T21:33:53Z",
"published": "2026-03-26T18:37:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-cpj3-3r2f-xj59"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33758"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/pull/2709"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/commit/6e2b2dd84f0e47cebc90d6e79609dd5274732662"
},
{
"type": "PACKAGE",
"url": "https://github.com/openbao/openbao"
},
{
"type": "WEB",
"url": "https://github.com/openbao/openbao/releases/tag/v2.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "OpenBao has Reflected XSS in its OIDC authentication error message"
}
GHSA-CPP5-H7PC-FP83
Vulnerability from github – Published: 2023-08-01 12:30 – Updated: 2024-04-04 06:28Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.
{
"affected": [],
"aliases": [
"CVE-2023-23548"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-01T10:15:09Z",
"severity": "MODERATE"
},
"details": "Reflected XSS in business intelligence in Checkmk \u003c2.2.0p8, \u003c2.1.0p32, \u003c2.0.0p38, \u003c=1.6.0p30.",
"id": "GHSA-cpp5-h7pc-fp83",
"modified": "2024-04-04T06:28:09Z",
"published": "2023-08-01T12:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23548"
},
{
"type": "WEB",
"url": "https://checkmk.com/werk/15691"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQ58-R77C-5JJW
Vulnerability from github – Published: 2021-11-16 17:04 – Updated: 2021-11-16 15:49Impact
Kirby's blocks field stores structured data for each block. This data is then used in block snippets to convert the blocks to HTML for use in your templates. We recommend to escape HTML special characters against cross-site scripting (XSS) attacks.
Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the site frontend or Panel session of other users. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim.
The default snippet for the image block unfortunately did not use our escaping helper. This made it possible to include malicious HTML code in the source, alt and link fields of the image block, which would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site.
This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.
You are not affected if you don't use the blocks field or specifically the image block in any of your blueprints. You are also protected if you use a custom block snippet that either escapes the printed values or doesn't use them. The attack can only be performed by logged-in users and only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into the image block content.
Patches
We have patched the vulnerability in Kirby 3.5.8 by escaping special HTML characters in the output from the default image block snippet. Please update to this or a later version to fix the vulnerability.
Credits
Thanks to Azrul Ikhwan Zulkifli (@azrultech) from BAE Systems AI Vulnerability Research Team for responsibly reporting the identified issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getkirby/cms"
},
"ranges": [
{
"events": [
{
"introduced": "3.5.0"
},
{
"fixed": "3.5.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41258"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-16T15:49:36Z",
"nvd_published_at": "2021-11-16T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nKirby\u0027s [blocks field](https://getkirby.com/docs/reference/panel/fields/blocks) stores structured data for each block. This data is then used in [block snippets](https://getkirby.com/docs/reference/panel/fields/blocks#block-snippets) to convert the blocks to HTML for use in your templates. We recommend to [escape HTML special characters](https://getkirby.com/docs/guide/templates/escaping) against cross-site scripting (XSS) attacks.\n\nCross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the site frontend or Panel session of other users. If the user is logged in to the Panel, a harmful script can for example trigger requests to Kirby\u0027s API with the permissions of the victim.\n\nThe default snippet for the [image block](https://getkirby.com/docs/reference/panel/blocks/image) unfortunately did not use our escaping helper. This made it possible to include malicious HTML code in the source, alt and link fields of the image block, which would then be displayed on the site frontend and executed in the browsers of site visitors and logged in users who are browsing the site.\n\nThis vulnerability is critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to the Panel session of an admin user. Depending on your site, other JavaScript-powered attacks are possible.\n\nYou are *not* affected if you don\u0027t use the blocks field or specifically the image block in any of your blueprints. You are also protected if you use a custom [block snippet](https://getkirby.com/docs/reference/panel/fields/blocks#block-snippets) that either escapes the printed values or doesn\u0027t use them. The attack can only be performed by logged-in users and only surfaces in the site frontend (i.e. in your templates). The Panel itself is unaffected and will not execute JavaScript that was injected into the image block content.\n\n### Patches\n\nWe have patched the vulnerability in [Kirby 3.5.8](https://github.com/getkirby/kirby/releases/tag/3.5.8) by escaping special HTML characters in the output from the default image block snippet. Please update to this or a [later version](https://github.com/getkirby/kirby/releases/) to fix the vulnerability.\n\n### Credits\n\nThanks to Azrul Ikhwan Zulkifli (@azrultech) from BAE Systems AI Vulnerability Research Team for responsibly reporting the identified issue.",
"id": "GHSA-cq58-r77c-5jjw",
"modified": "2021-11-16T15:49:36Z",
"published": "2021-11-16T17:04:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/security/advisories/GHSA-cq58-r77c-5jjw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41258"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/pull/3510"
},
{
"type": "PACKAGE",
"url": "https://github.com/getkirby/kirby"
},
{
"type": "WEB",
"url": "https://github.com/getkirby/kirby/releases/tag/3.5.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-site scripting (XSS) from image block content in the site frontend"
}
GHSA-CRGJ-F248-F5XJ
Vulnerability from github – Published: 2025-03-31 15:30 – Updated: 2026-04-01 18:34Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com allows Stored XSS. This issue affects Cal.com: from n/a through 1.0.0.
{
"affected": [],
"aliases": [
"CVE-2025-31604"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T13:15:54Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Cal.com Cal.com allows Stored XSS. This issue affects Cal.com: from n/a through 1.0.0.",
"id": "GHSA-crgj-f248-f5xj",
"modified": "2026-04-01T18:34:17Z",
"published": "2025-03-31T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31604"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/cal-com/vulnerability/wordpress-cal-com-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CRVM-XJHM-9H29
Vulnerability from github – Published: 2025-11-04 15:42 – Updated: 2025-11-07 16:42Impact
OctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer.
An attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.
Patches
The vulnerability will be patched in version 1.11.4.
Workaround
OctoPrint administrators can mitigate the risk by disabling popups: - for Action Command notifications, uncheck OctoPrint Settings -> Printer Notifications -> Enable popups - for Action Command prompts, set OctoPrint Settings -> Printer Dialogs -> Enable support -> Never
It is also strongly recommended to ensure that files being printed originate from trusted sources, and, whenever possible, are sliced with your own slicer.
Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.11.3"
},
"package": {
"ecosystem": "PyPI",
"name": "octoprint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-64187"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-04T15:42:48Z",
"nvd_published_at": "2025-11-07T04:15:47Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nOctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer.\n\nAn attacker who successfully convinces a victim to print a specially crafted file could exploit this issue to disrupt ongoing prints, extract information (including sensitive configuration settings, if the targeted user has the necessary permissions for that), or perform other actions on behalf of the targeted user within the OctoPrint instance.\n\n### Patches\n\nThe vulnerability will be patched in version 1.11.4.\n\n### Workaround\n\nOctoPrint administrators can mitigate the risk by disabling popups:\n- for Action Command notifications, uncheck _OctoPrint Settings -\u003e Printer Notifications -\u003e Enable popups_\n- for Action Command prompts, set _OctoPrint Settings -\u003e Printer Dialogs -\u003e Enable support -\u003e Never_\n\nIt is also strongly recommended to ensure that files being printed originate from trusted sources, and, whenever possible, are sliced with your own slicer.\n\n### Credits\n\nThis vulnerability was discovered and responsibly disclosed to OctoPrint by [Jacopo Tediosi](https://github.com/jacopotediosi).",
"id": "GHSA-crvm-xjhm-9h29",
"modified": "2025-11-07T16:42:35Z",
"published": "2025-11-04T15:42:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-crvm-xjhm-9h29"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64187"
},
{
"type": "WEB",
"url": "https://github.com/OctoPrint/OctoPrint/commit/9112e07b1085f4c1ee9eefc67985809251057a44"
},
{
"type": "PACKAGE",
"url": "https://github.com/OctoPrint/OctoPrint"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OctoPrint vulnerable to XSS in Action Commands Notification and Prompt"
}
GHSA-CV23-Q6GH-XFRF
Vulnerability from github – Published: 2024-06-12 19:40 – Updated: 2024-07-24 15:10Impact
A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.
Patches
diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
* but it's not yet supported in Safari.
*/
connectedCallback() {
- let inputs = '';
+ this.innerHTML = '';
+ const inputs = new DocumentFragment();
for( const fieldName of this._fieldNames ) {
- const value = stringifyFalsyInputValue( this.values[ fieldName ] );
- inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+ const input = document.createElement( 'input' );
+ input.type = 'hidden';
+ input.name = `${params.prefix}${fieldName}`;
+ input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+ inputs.appendChild( input );
}
- this.innerHTML = inputs;
+ this.appendChild( inputs );
}
/**
Workarounds
Disabling the Order Attribution feature
References
A8C SIRT: p3btAN-2L2-p2 (internal) Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "woocommerce/woocommerce"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "8.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "woocommerce/woocommerce"
},
"ranges": [
{
"events": [
{
"introduced": "8.9.0"
},
{
"fixed": "8.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-37297"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-12T19:40:16Z",
"nvd_published_at": "2024-06-12T15:15:52Z",
"severity": "MODERATE"
},
"details": "### Impact\nA vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML \u0026 JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content \u0026 data stored in the browser, including the session.\nThe URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.\n\n### Patches\n```diff\ndiff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\nindex 79411e928e1..25eaa721c54 100644\n--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\n+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js\n@@ -155,12 +155,16 @@\n \t\t * but it\u0027s not yet supported in Safari.\n \t\t */\n \t\tconnectedCallback() {\n-\t\t\tlet inputs = \u0027\u0027;\n+\t\t\tthis.innerHTML = \u0027\u0027;\n+\t\t\tconst inputs = new DocumentFragment();\n \t\t\tfor( const fieldName of this._fieldNames ) {\n-\t\t\t\tconst value = stringifyFalsyInputValue( this.values[ fieldName ] );\n-\t\t\t\tinputs += `\u003cinput type=\"hidden\" name=\"${params.prefix}${fieldName}\" value=\"${value}\"/\u003e`;\n+\t\t\t\tconst input = document.createElement( \u0027input\u0027 );\n+\t\t\t\tinput.type = \u0027hidden\u0027;\n+\t\t\t\tinput.name = `${params.prefix}${fieldName}`;\n+\t\t\t\tinput.value = stringifyFalsyInputValue( ( this.values \u0026\u0026 this.values[ fieldName ] ) || \u0027\u0027 );\n+\t\t\t\tinputs.appendChild( input );\n \t\t\t}\n-\t\t\tthis.innerHTML = inputs;\n+\t\t\tthis.appendChild( inputs );\n \t\t}\n \n \t\t/**\n```\n\n### Workarounds\nDisabling the Order Attribution feature \n\n### References\nA8C SIRT: p3btAN-2L2-p2 (internal)\nPublic disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/\n",
"id": "GHSA-cv23-q6gh-xfrf",
"modified": "2024-07-24T15:10:12Z",
"published": "2024-06-12T19:40:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37297"
},
{
"type": "WEB",
"url": "https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4"
},
{
"type": "WEB",
"url": "https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67"
},
{
"type": "WEB",
"url": "https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0"
},
{
"type": "PACKAGE",
"url": "https://github.com/woocommerce/woocommerce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout \u0026 registration forms"
}
GHSA-CV6R-H2FM-PVRP
Vulnerability from github – Published: 2022-08-24 00:00 – Updated: 2026-07-08 17:32In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.activemq:artemis-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.24.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-35278"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-30T20:48:53Z",
"nvd_published_at": "2022-08-23T15:15:00Z",
"severity": "MODERATE"
},
"details": "In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue.",
"id": "GHSA-cv6r-h2fm-pvrp",
"modified": "2026-07-08T17:32:09Z",
"published": "2022-08-24T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35278"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/bh6y81wtotg75337bpvxcjy436zfgf3n"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221209-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "HTML Injection in ActiveMQ Artemis Web Console"
}
GHSA-CX3J-QQXJ-9597
Vulnerability from github – Published: 2023-08-11 18:57 – Updated: 2023-08-25 18:55Impact
Critters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential cross-site scripting (XSS) bug.
Patches
The bug has been fixed in v0.0.20.
Workarounds
Upgrading Critters version to >0.0.20 is the easiest fix. This is a non breaking version upgrade so we recommend all users to use v0.0.20.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.19"
},
"package": {
"ecosystem": "npm",
"name": "critters"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.17"
},
{
"fixed": "0.0.20"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-3481"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-11T18:57:53Z",
"nvd_published_at": "2023-08-21T11:15:07Z",
"severity": "MODERATE"
},
"details": "### Impact\nCritters version 0.0.17-0.0.19 have an issue when parsing the HTML which leads to a potential [cross-site scripting (XSS)](https://owasp.org/www-community/attacks/xss/) bug.\n\n### Patches\nThe bug has been fixed in `v0.0.20`.\n\n### Workarounds\nUpgrading Critters version to `\u003e0.0.20` is the easiest fix. This is a non breaking version upgrade so we recommend all users to use `v0.0.20`.",
"id": "GHSA-cx3j-qqxj-9597",
"modified": "2023-08-25T18:55:56Z",
"published": "2023-08-11T18:57:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GoogleChromeLabs/critters/security/advisories/GHSA-cx3j-qqxj-9597"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3481"
},
{
"type": "WEB",
"url": "https://github.com/GoogleChromeLabs/critters/pull/133"
},
{
"type": "WEB",
"url": "https://github.com/GoogleChromeLabs/critters/commit/7757902c9e0b3285d516359b3cb602cd9d50d80e"
},
{
"type": "PACKAGE",
"url": "https://github.com/GoogleChromeLabs/critters"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Critters Cross-site Scripting Vulnerability"
}
GHSA-CXQ5-Q43P-WHJH
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:39A vulnerability has been identified in SIMATIC HMI Comfort Panels 4" - 22" (All versions < V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7" & 15" (All versions < V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions < V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions < V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The integrated web server could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify particular parts of the device configuration via SNMP. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires system privileges and user interaction. An attacker could use the vulnerability to compromise confidentiality and the integrity of the affected system. At the stage of publishing this security advisory no public exploitation is known.
{
"affected": [],
"aliases": [
"CVE-2019-6577"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-14T20:29:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SIMATIC HMI Comfort Panels 4\" - 22\" (All versions \u003c V15.1 Update 1), SIMATIC HMI Comfort Outdoor Panels 7\" \u0026 15\" (All versions \u003c V15.1 Update 1), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 und KTP900F (All versions \u003c V15.1 Update 1), SIMATIC WinCC Runtime Advanced (All versions \u003c V15.1 Update 1), SIMATIC WinCC Runtime Professional (All versions \u003c V15.1 Update 1), SIMATIC WinCC (TIA Portal) (All versions \u003c V15.1 Update 1), SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) (All versions). The integrated web server could allow Cross-Site Scripting (XSS) attacks if an attacker is able to modify particular parts of the device configuration via SNMP. The security vulnerability could be exploited by an attacker with network access to the affected system. Successful exploitation requires system privileges and user interaction. An attacker could use the vulnerability to compromise confidentiality and the integrity of the affected system. At the stage of publishing this security advisory no public exploitation is known.",
"id": "GHSA-cxq5-q43p-whjh",
"modified": "2024-04-04T00:39:16Z",
"published": "2022-05-24T16:45:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6577"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-804486.pdf"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/ICSA-19-134-09"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108412"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F4C4-G4G8-J6F6
Vulnerability from github – Published: 2024-05-17 09:31 – Updated: 2024-05-17 09:31Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Bill Minozzi Car Dealer allows Code Injection.This issue affects Car Dealer: from n/a through 4.15.
{
"affected": [],
"aliases": [
"CVE-2024-4214"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T09:15:44Z",
"severity": "LOW"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Bill Minozzi Car Dealer allows Code Injection.This issue affects Car Dealer: from n/a through 4.15.",
"id": "GHSA-f4c4-g4g8-j6f6",
"modified": "2024-05-17T09:31:03Z",
"published": "2024-05-17T09:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4214"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/cardealer/wordpress-cardealer-plugin-4-15-content-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-18: XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
CAPEC-32: XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.
CAPEC-86: XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.