In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 (with Python 3.9.5+), URLValidator does not prohibit newlines and tabs (unless the URLField form field is used). If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffected because HttpResponse prohibits newlines in HTTP headers.
Mozilla Firefox before 3.6 is vulnerable to XSS via the rendering of Cascading Style Sheets
A stored XSS and blind SSRF vulnerability was found in Moodle, occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website to steal potentially sensitive information, change appearance of the web page, can perform phishing and drive-by-download attacks.
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allows user-assisted remote attackers to inject arbitrary web script or HTML via a selection that is added to a document in which the designMode property is enabled.
Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 do not properly restrict use of the type attribute of an OBJECT element to set a document's charset, which allows remote attackers to bypass cross-site scripting (XSS) protection mechanisms via UTF-7 encoding.
The XPCSafeJSObjectWrapper class in the SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox before 3.5.12, Thunderbird before 3.0.7, and SeaMonkey before 2.0.7 does not properly restrict scripted functions, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via a crafted function.
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash Monit before 5.25.3 allows a remote unauthenticated attacker to introduce arbitrary JavaScript via manipulation of an unsanitized user field of the Authorization header for HTTP Basic Authentication, which is mishandled during an _viewlog operation.
Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in the Dialog widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title option.
Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 creates a clickable link for a (1) javascript: or (2) data: URI in the URL (aka bug_file_loc) field, which allows remote attackers to conduct cross-site scripting (XSS) attacks against logged-out users via a crafted URI.
A compromised sandboxed content process can perform a Universal Cross-site Scripting (UXSS) attack on content from any site it can cause to be loaded in the same process. Because addons.mozilla.org and accounts.firefox.com have close ties to the Firefox product, malicious manipulation of these sites within the browser can potentially be used to modify a user's Firefox configuration. These two sites will now be isolated into their own process and not allowed to be loaded in a standard content process. This vulnerability affects Firefox < 69.
Some HTML elements, such as <title> and <textarea>, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to .innerHTML on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements. This vulnerability affects Firefox < 69, Thunderbird < 68.1, Thunderbird < 60.9, Firefox ESR < 60.9, and Firefox ESR < 68.1.
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf.
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.8.0 through 2.8.1, as used in Bugzilla 3.7.1 through 3.7.3 and 4.1, allows remote attackers to inject arbitrary web script or HTML via vectors related to swfstore/swfstore.swf.
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf.
Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field.
Cross-site scripting (XSS) vulnerability in the duplicate-detection functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the summary field, related to the DataTable widget in YUI.
Cross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the real name field of a user account, related to the AutoComplete widget in YUI.
Multiple cross-site scripting (XSS) vulnerabilities in the rendering engine in Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey before 2.0.11, allow remote attackers to inject arbitrary web script or HTML via (1) x-mac-arabic, (2) x-mac-farsi, or (3) x-mac-hebrew characters that may be converted to angle brackets during rendering.
In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.
Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, and SeaMonkey before 2.0.9, allow remote attackers to inject arbitrary web script or HTML via a crafted name of a (1) file or (2) directory on a Gopher server.
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, and Adobe AIR before 2.0.2.12610, when Firefox or Chrome is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to URL parsing.
Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and SeaMonkey before 2.0.5, does not properly handle situations in which both "Content-Disposition: attachment" and "Content-Type: multipart" are present in HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an uploaded HTML document.
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability in when using `OIDCPreservePost On`.
The Live Bookmarks page and the PDF viewer can run injected script content if a user pastes script from the clipboard into them while viewing RSS feeds or PDF files. This could allow a malicious site to socially engineer a user to copy and paste malicious script content that could then run with the context of either page but does not allow for privilege escalation. This vulnerability affects Firefox < 60.
Firefox adds web-compatibility shims in place of some tracking scripts blocked by Enhanced Tracking Protection. On a site protected by Content Security Policy in "strict-dynamic" mode, an attacker able to inject an HTML element could have used a DOM Clobbering attack on some of the shims and achieved XSS, bypassing the CSP strict-dynamic protection. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.
The contextual menu for links could provide an opportunity for cross-site scripting attacks This vulnerability affects Firefox for iOS < 129.
Long pressing on a download link could potentially provide a means for cross-site scripting This vulnerability affects Firefox for iOS < 129.
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade.
Cross-site Scripting (XSS) - Reflected in GitHub repository splitbrain/dokuwiki prior to 2022-07-31a.
An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through 1.35.x before 1.35.2. On ChangesList special pages such as Special:RecentChanges and Special:Watchlist, some of the rcfilters-filter-* label messages are output in HTML unescaped, leading to XSS.
JavaScript in the "about:webrtc" page is not sanitized properly being assigned to "innerHTML". Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack. This vulnerability affects Firefox < 55.
Cross-site scripting (XSS) vulnerability in a note component in Cybozu Garoon before 3.7.0, when Internet Explorer or Firefox is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted "protected" comment (with the cke_protected syntax).
Insufficient policy enforcement in Blink in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
In Mozilla Bleach before 3.11, a mutation XSS affects users calling bleach.clean with noscript and a raw tag in the allowed/whitelisted tags option.
Insufficient policy enforcement in extensions in Google Chrome prior to 80.0.3987.87 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension.
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context. This vulnerability affects Firefox < 50.1.
JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripting (self-XSS) attacks if users were convinced to add malicious tags to bookmarks, export them, and then open the resulting file. This vulnerability affects Firefox < 57.
Mozilla Firefox before 47.0 allows remote attackers to bypass the Same Origin Policy and modify the location.host property via an invalid data: URL.
intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 inserts a U+FFFD sequence into text in certain circumstances involving undefined positions, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted 8-bit text.
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Insufficient policy enforcement in Omnibox in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name.
Incorrect security UI in interstitials in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
Incorrect security UI in Omnibox in Google Chrome on iOS prior to 79.0.3945.79 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not perform the expected nsIContentPolicy checks during loading of content by XML documents, which allows attackers to bypass intended access restrictions via crafted content.
Incorrect security UI in external protocol handling in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to spoof security UI via a crafted HTML page.
A malicious page can briefly cause the wrong name to be highlighted as the domain name in the addressbar during page navigations. This could result in user confusion of which site is currently loaded for spoofing attacks. This vulnerability affects Firefox < 67.
The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion. This vulnerability affects Firefox < 68.