CWE-80
AllowedImproper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
936 vulnerabilities reference this CWE, most recent first.
GHSA-Q74R-4XW3-PPX9
Vulnerability from github – Published: 2021-04-19 14:49 – Updated: 2021-04-16 23:15Missing variable sanitization in Grid component in com.vaadin:vaadin-server versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector.
- https://vaadin.com/security/cve-2019-25028
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-bom"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.0"
},
{
"fixed": "7.7.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-bom"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-server"
},
"ranges": [
{
"events": [
{
"introduced": "7.4.0"
},
{
"fixed": "7.7.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.vaadin:vaadin-server"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-25028"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2021-04-16T23:15:34Z",
"nvd_published_at": "2021-04-23T16:15:00Z",
"severity": "MODERATE"
},
"details": "Missing variable sanitization in `Grid` component in `com.vaadin:vaadin-server` versions 7.4.0 through 7.7.19 (Vaadin 7.4.0 through 7.7.19), and 8.0.0 through 8.8.4 (Vaadin 8.0.0 through 8.8.4) allows attacker to inject malicious JavaScript via unspecified vector.\n\n- https://vaadin.com/security/cve-2019-25028",
"id": "GHSA-q74r-4xw3-ppx9",
"modified": "2021-04-16T23:15:34Z",
"published": "2021-04-19T14:49:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vaadin/framework/security/advisories/GHSA-q74r-4xw3-ppx9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25028"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/framework/pull/11644"
},
{
"type": "WEB",
"url": "https://github.com/vaadin/framework/pull/11645"
},
{
"type": "WEB",
"url": "https://vaadin.com/security/cve-2019-25028"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Stored cross-site scripting in Grid component in Vaadin 7 and 8"
}
GHSA-Q898-FRWQ-F3QP
Vulnerability from github – Published: 2024-10-04 18:51 – Updated: 2024-11-13 16:25Summary
The HtmlGenerator class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.
Context
Minecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player's Minecraft client. The Minecraft server sends the MOTD in the description property of the Status Response packet. The jgniecki/MinecraftMotdParser PHP library is able to parse the value of the description property, which can be either a string or an array of text components. By utilizing the aforementioned HtmlGenerator class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.
Details
The HtmlGenerator iterates through objects of MotdItem that are contained in an object of MotdItemCollection to generate a HTML string. An attacker can make malicious inputs to the color and text properties of MotdItem to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the HtmlGenerator.
This XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here: - https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49 - https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80
Proof of Concept
JavaScript code can be injected into the HtmlGenerator by parsing either a string via TextParser or an array via ArrayParser. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.
XSS via TextParser
<?php
use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\TextParser;
$motdCollection = (new TextParser())->parse('<script>alert("XSS on page load")</script>', new MotdItemCollection());
echo (new HtmlGenerator())->generate($motdCollection);
XSS via ArrayParser
<?php
use DevLancer\MinecraftMotdParser\Collection\MotdItemCollection;
use DevLancer\MinecraftMotdParser\Generator\HtmlGenerator;
use DevLancer\MinecraftMotdParser\Parser\ArrayParser;
$motdCollection = (new ArrayParser())->parse([
[
'color' => '#" onmouseover="javascript:alert(\'XSS when mouse pointer enters the span element\')"',
'text' => 'Hover me',
],
[
'color' => '#000000',
'text' => '<script>alert("XSS on page load")</script>',
]
], new MotdItemCollection());
echo (new HtmlGenerator())->generate($motdCollection);
Impact
If the HtmlGenerator class of this library is used, this XSS vulnerability can potentially affect:
- Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD.
- Users visiting Minecraft server status websites to query information about a Minecraft server.
- Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner's consent.
It is not clear if and which platforms depend on this library.
Remediation
I suggest converting all HTML special characters in the values of the color and text properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.
This could be achieved by introducing a new private escape function in the HtmlGenerator class:
private function escape(string $text): string
{
return htmlentities($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
This function should be called in the following two lines:
- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49
Change to: $tags['span'][] = sprintf('color: %s;', $this->escape($motdItem->getColor()));
- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80
Change to: $value = sprintf($value, $this->escape($motdItem->getText()));
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.5"
},
"package": {
"ecosystem": "Packagist",
"name": "dev-lancer/minecraft-motd-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-47765"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": true,
"github_reviewed_at": "2024-10-04T18:51:35Z",
"nvd_published_at": "2024-10-04T15:15:13Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe `HtmlGenerator` class is subject to potential cross-site scripting (XSS) attack through a parsed malformed Minecraft server MOTD.\n\n### Context\nMinecraft server owners can set a so-called MOTD (Message of the Day) for their server that appears next to the server icon and below the server name on the multiplayer server list of a player\u0027s Minecraft client. The Minecraft server sends the MOTD in the `description` property of the [Status Response](https://wiki.vg/Server_List_Ping#Status_Response) packet. The [jgniecki/MinecraftMotdParser](https://github.com/jgniecki/MinecraftMotdParser) PHP library is able to parse the value of the `description` property, which can be either a string or an array of text components. By utilizing the aforementioned `HtmlGenerator` class, it is also able to transform the value into an HTML string that can be used to visualize the MOTD on a web page.\n\n### Details\nThe `HtmlGenerator` iterates through objects of `MotdItem` that are contained in an object of `MotdItemCollection` to generate a HTML string. An attacker can make malicious inputs to the `color` and `text` properties of `MotdItem` to inject own HTML into a web page during web page generation. For example by sending a malicious MOTD from a Minecraft server under their control that was queried and passed to the `HtmlGenerator`.\n\nThis XSS vulnerability exists because the values of these properties are neither filtered nor escaped, as can be seen here:\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80\n\n### Proof of Concept\nJavaScript code can be injected into the `HtmlGenerator` by parsing either a string via `TextParser` or an array via `ArrayParser`. The following code examples demonstrate the vulnerability by triggering the alert dialog of the browser.\n\n#### XSS via `TextParser`\n```php\n\u003c?php\n\nuse DevLancer\\MinecraftMotdParser\\Collection\\MotdItemCollection;\nuse DevLancer\\MinecraftMotdParser\\Generator\\HtmlGenerator;\nuse DevLancer\\MinecraftMotdParser\\Parser\\TextParser;\n\n$motdCollection = (new TextParser())-\u003eparse(\u0027\u003cscript\u003ealert(\"XSS on page load\")\u003c/script\u003e\u0027, new MotdItemCollection());\n\necho (new HtmlGenerator())-\u003egenerate($motdCollection);\n```\n\n#### XSS via `ArrayParser`\n```php\n\u003c?php\n\nuse DevLancer\\MinecraftMotdParser\\Collection\\MotdItemCollection;\nuse DevLancer\\MinecraftMotdParser\\Generator\\HtmlGenerator;\nuse DevLancer\\MinecraftMotdParser\\Parser\\ArrayParser;\n\n$motdCollection = (new ArrayParser())-\u003eparse([\n [\n \u0027color\u0027 =\u003e \u0027#\" onmouseover=\"javascript:alert(\\\u0027XSS when mouse pointer enters the span element\\\u0027)\"\u0027,\n \u0027text\u0027 =\u003e \u0027Hover me\u0027,\n ],\n [\n \u0027color\u0027 =\u003e \u0027#000000\u0027,\n \u0027text\u0027 =\u003e \u0027\u003cscript\u003ealert(\"XSS on page load\")\u003c/script\u003e\u0027,\n ]\n], new MotdItemCollection());\n\necho (new HtmlGenerator())-\u003egenerate($motdCollection);\n```\n\n### Impact\nIf the `HtmlGenerator` class of this library is used, this XSS vulnerability can potentially affect:\n- Players visiting Minecraft server list websites (of which there are several dozen online, written in PHP) that display the MOTD.\n- Users visiting Minecraft server status websites to query information about a Minecraft server.\n- Server owners managing their Minecraft server via a web interface that displays the MOTD, where the attack could be carried out by a malicious Minecraft server plugin that modifies the MOTD without the server owner\u0027s consent.\n\nIt is not clear if and which platforms depend on this library.\n\n### Remediation\nI suggest converting all HTML special characters in the values of the `color` and `text` properties to HTML entities. The display of the HTML entities will still be correct in the browser, but the XSS vulnerability will be eliminated as the values will no longer be interpreted as HTML by the browser.\n\nThis could be achieved by introducing a new private `escape` function in the `HtmlGenerator` class:\n```php\nprivate function escape(string $text): string\n{\n return htmlentities($text, ENT_QUOTES | ENT_HTML5, \u0027UTF-8\u0027);\n}\n```\n\nThis function should be called in the following two lines:\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49\nChange to: `$tags[\u0027span\u0027][] = sprintf(\u0027color: %s;\u0027, $this-\u003eescape($motdItem-\u003egetColor()));`\n- https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80\nChange to: `$value = sprintf($value, $this-\u003eescape($motdItem-\u003egetText()));`",
"id": "GHSA-q898-frwq-f3qp",
"modified": "2024-11-13T16:25:58Z",
"published": "2024-10-04T18:51:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jgniecki/MinecraftMotdParser/security/advisories/GHSA-q898-frwq-f3qp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47765"
},
{
"type": "WEB",
"url": "https://github.com/jgniecki/MinecraftMotdParser/commit/b0ab9d68a964cd3d74977f39a9e7af0a94509f7c"
},
{
"type": "PACKAGE",
"url": "https://github.com/jgniecki/MinecraftMotdParser"
},
{
"type": "WEB",
"url": "https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L49"
},
{
"type": "WEB",
"url": "https://github.com/jgniecki/MinecraftMotdParser/blob/0412f68eeb91729a00444a8d6c00c45623884aa5/src/Generator/HtmlGenerator.php#L80"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Minecraft MOTD Parser\u0027s HtmlGenerator vulnerable to XSS"
}
GHSA-QF98-J8R3-W7WV
Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.
{
"affected": [],
"aliases": [
"CVE-2025-11267"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T08:15:50Z",
"severity": "MODERATE"
},
"details": "The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027_veu_custom_css\u0027 parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.",
"id": "GHSA-qf98-j8r3-w7wv",
"modified": "2025-11-18T09:30:51Z",
"published": "2025-11-18T09:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11267"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/admin/class-veu-metabox.php#L178"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/vk-all-in-one-expansion-unit/tags/9.112.0.1/inc/css-customize/css-customize-single.php#L32"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3393317%40vk-all-in-one-expansion-unit%2Ftrunk\u0026old=3385606%40vk-all-in-one-expansion-unit%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8996a0f0-8a49-4310-917b-62172c12afdb?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QFH3-92RR-375X
Vulnerability from github – Published: 2024-10-23 18:33 – Updated: 2024-10-23 18:33A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.
{
"affected": [],
"aliases": [
"CVE-2024-20382"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-23T18:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page.",
"id": "GHSA-qfh3-92rr-375x",
"modified": "2024-10-23T18:33:09Z",
"published": "2024-10-23T18:33:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20382"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-xss-yjj7ZjVq"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QGV9-W22C-FHGV
Vulnerability from github – Published: 2026-07-15 15:33 – Updated: 2026-07-15 15:33A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.2.0 through 7.2.6, FortiSIEM 7.1 all versions, FortiSIEM 7.0 all versions, FortiSIEM 6.7 all versions, FortiSIEM 6.6 all versions, FortiSIEM 6.5 all versions, FortiSIEM 6.4 all versions may allow attacker to execute unauthorized code or commands via
{
"affected": [],
"aliases": [
"CVE-2026-59838"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T14:18:33Z",
"severity": "MODERATE"
},
"details": "A improper neutralization of script-related html tags in a web page (basic xss) vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.2.0 through 7.2.6, FortiSIEM 7.1 all versions, FortiSIEM 7.0 all versions, FortiSIEM 6.7 all versions, FortiSIEM 6.6 all versions, FortiSIEM 6.5 all versions, FortiSIEM 6.4 all versions may allow attacker to execute unauthorized code or commands via \u003cinsert attack vector here\u003e",
"id": "GHSA-qgv9-w22c-fhgv",
"modified": "2026-07-15T15:33:06Z",
"published": "2026-07-15T15:33:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59838"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-149"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QH4R-RFFH-PRR5
Vulnerability from github – Published: 2025-03-17 18:31 – Updated: 2025-03-19 21:30Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/room.php via the id and rome parameters.
{
"affected": [],
"aliases": [
"CVE-2025-29430"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-17T18:15:22Z",
"severity": "MODERATE"
},
"details": "Code-projects Online Class and Exam Scheduling System V1.0 is vulnerable to Cross Site Scripting (XSS) in /pages/room.php via the id and rome parameters.",
"id": "GHSA-qh4r-rffh-prr5",
"modified": "2025-03-19T21:30:50Z",
"published": "2025-03-17T18:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29430"
},
{
"type": "WEB",
"url": "https://github.com/872323857/CVE/blob/main/Online%20Class%20and%20Exam%20Scheduling%20System-room.php.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHQC-H6CG-HX9P
Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2024-04-04 01:16Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3.
{
"affected": [],
"aliases": [
"CVE-2019-1010018"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-16T13:15:00Z",
"severity": "MODERATE"
},
"details": "Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3.",
"id": "GHSA-qhqc-h6cg-hx9p",
"modified": "2024-04-04T01:16:45Z",
"published": "2022-05-24T16:50:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010018"
},
{
"type": "WEB",
"url": "https://github.com/zammad/zammad/issues/1869"
},
{
"type": "WEB",
"url": "https://github.com/zammad/zammad/compare/5c983f6...1a9af7d"
},
{
"type": "WEB",
"url": "https://github.com/zammad/zammad/compare/ea50d0c...238784d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QHX7-FH26-RX4J
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main&inc=feature_schedule&op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The name of the patch is 7a88920f6b536c6a91512e739bcb4e8adefeed2b. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-267912. NOTE: The code maintainer was contacted early about this disclosure and was eager to prepare a fix as quickly as possible.
{
"affected": [],
"aliases": [
"CVE-2024-5851"
],
"database_specific": {
"cwe_ids": [
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T18:15:14Z",
"severity": "MODERATE"
},
"details": "A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main\u0026inc=feature_schedule\u0026op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.4.8 is able to address this issue. The name of the patch is 7a88920f6b536c6a91512e739bcb4e8adefeed2b. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-267912. NOTE: The code maintainer was contacted early about this disclosure and was eager to prepare a fix as quickly as possible.",
"id": "GHSA-qhx7-fh26-rx4j",
"modified": "2024-06-11T18:30:50Z",
"published": "2024-06-11T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5851"
},
{
"type": "WEB",
"url": "https://github.com/playsms/playsms/commit/7a88920f6b536c6a91512e739bcb4e8adefeed2b"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.267912"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.267912"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.347385"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QMPM-VW3W-FPXQ
Vulnerability from github – Published: 2025-05-16 03:30 – Updated: 2025-05-16 03:30IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.
{
"affected": [],
"aliases": [
"CVE-2024-51475"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-16T01:15:51Z",
"severity": "MODERATE"
},
"details": "IBM Content Navigator 3.0.11, 3.0.15, and 3.1.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim\u0027s Web browser within the security context of the hosting site.",
"id": "GHSA-qmpm-vw3w-fpxq",
"modified": "2025-05-16T03:30:33Z",
"published": "2025-05-16T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51475"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7233695"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QP9C-V274-2239
Vulnerability from github – Published: 2024-06-21 18:30 – Updated: 2024-06-21 18:30Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0.9.
{
"affected": [],
"aliases": [
"CVE-2022-38055"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-21T16:15:10Z",
"severity": "MODERATE"
},
"details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpForo Forum allows Content Spoofing.This issue affects wpForo Forum: from n/a through 2.0.9.",
"id": "GHSA-qp9c-v274-2239",
"modified": "2024-06-21T18:30:59Z",
"published": "2024-06-21T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38055"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/wpforo/wordpress-wpforo-forum-plugin-2-0-9-auth-html-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-18: XSS Targeting Non-Script Elements
This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.
CAPEC-32: XSS Through HTTP Query Strings
An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.
CAPEC-86: XSS Through HTTP Headers
An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.