Common Weakness Enumeration

CWE-83

Allowed

Improper Neutralization of Script in Attributes in a Web Page

Abstraction: Variant · Status: Draft

The product does not neutralize or incorrectly neutralizes "javascript:" or other URIs from dangerous attributes within tags, such as onmouseover, onload, onerror, or style.

40 vulnerabilities reference this CWE, most recent first.

CVE-2022-39262 (GCVE-0-2022-39262)

Vulnerability from cvelistv5 – Published: 2022-11-03 00:00 – Updated: 2025-04-22 16:08
VLAI
Title
Stored Cross-Site Scripting (XSS) on login page in GLPI
Summary
GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-83 - Improper Neutralization of Script in Attributes in a Web Page
Assigner
Impacted products
Vendor Product Version
glpi-project glpi Affected: < 10.0.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:00:43.670Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-4x48-q2wr-cpg4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/54fc907e-6983-4c24-b249-1440aac1643c/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-39262",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:43:12.650738Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T16:08:55.858Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glpi",
          "vendor": "glpi-project",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 10.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package, GLPI administrator can define rich-text content to be displayed on login page. The displayed content is can contains malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83: Improper Neutralization of Script in Attributes in a Web Page",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-03T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-4x48-q2wr-cpg4"
        },
        {
          "url": "https://huntr.dev/bounties/54fc907e-6983-4c24-b249-1440aac1643c/"
        }
      ],
      "source": {
        "advisory": "GHSA-4x48-q2wr-cpg4",
        "discovery": "UNKNOWN"
      },
      "title": "Stored Cross-Site Scripting (XSS) on login page in GLPI"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-39262",
    "datePublished": "2022-11-03T00:00:00.000Z",
    "dateReserved": "2022-09-02T00:00:00.000Z",
    "dateUpdated": "2025-04-22T16:08:55.858Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-14525 (GCVE-0-2020-14525)

Vulnerability from cvelistv5 – Published: 2020-09-18 17:48 – Updated: 2025-06-04 21:12
VLAI
Title
Philips Clinical Collaboration Platform Improper Neutralization of Script in Attributes in a Web Page
Summary
Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users.
CWE
Assigner
Impacted products
Vendor Product Version
Philips Clinical Collaboration Platform Affected: 0 , < 12.2.1 (custom)
Create a notification for this product.
Credits
Northridge Hospital Medical Center reported these vulnerabilities to Philips.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:46:34.796Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Clinical Collaboration Platform",
          "vendor": "Philips",
          "versions": [
            {
              "lessThan": "12.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Northridge Hospital Medical Center reported these vulnerabilities to Philips."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePhilips Clinical Collaboration Platform, Versions 12.2.1 and prior, does not neutralize or incorrectly neutralizes user-controllable input \nbefore it is placed in output used as a webpage that is served to other \nusers.\n\n\u003c/p\u003e"
            }
          ],
          "value": "Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, does not neutralize or incorrectly neutralizes user-controllable input \nbefore it is placed in output used as a webpage that is served to other \nusers."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-83",
              "description": "CWE-83",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T21:12:52.643Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
        },
        {
          "url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePhilips released the Clinical Collaboration Platform patch 12.2.1.5 \nin June 2020 for web portals to remediate CVE-2020-14525.\u003c/p\u003e\n\u003cp\u003ePhilips Clinical Collaboration Platform Version 12.2.5 was released \nin May 2020 to remediate CVE-2020-14525.\u003c/p\u003e\u003cp\u003eUsers with questions regarding their specific Philips Clinical \nCollaboration Platform installations and new release eligibility should \ncontact \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.usa.philips.com/healthcare/solutions/customer-service-solutions\"\u003ePhilips service support, or regional service support\u003c/a\u003e, or call 1-877-328-2808, option 4.\u003c/p\u003e\u003cp\u003eThe Philips advisory and the latest security information for Philips products are available at the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.philips.com/productsecurity\"\u003ePhilips product security website\u003c/a\u003e.\n\n\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Philips released the Clinical Collaboration Platform patch 12.2.1.5 \nin June 2020 for web portals to remediate CVE-2020-14525.\n\n\nPhilips Clinical Collaboration Platform Version 12.2.5 was released \nin May 2020 to remediate CVE-2020-14525.\n\nUsers with questions regarding their specific Philips Clinical \nCollaboration Platform installations and new release eligibility should \ncontact  Philips service support, or regional service support https://www.usa.philips.com/healthcare/solutions/customer-service-solutions , or call 1-877-328-2808, option 4.\n\nThe Philips advisory and the latest security information for Philips products are available at the  Philips product security website https://www.philips.com/productsecurity ."
        }
      ],
      "source": {
        "advisory": "ICSMA-20-261-01",
        "discovery": "EXTERNAL"
      },
      "title": "Philips Clinical Collaboration Platform Improper Neutralization of Script in Attributes in a Web Page",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2020-14506",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Philips Clinical Collaboration Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Versions 12.2.1 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties required to process the data safely and correctly."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CROSS-SITE REQUEST FORGERY (CSRF) CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01",
              "refsource": "MISC",
              "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2020-14525",
    "datePublished": "2020-09-18T17:48:30.000Z",
    "dateReserved": "2020-06-19T00:00:00.000Z",
    "dateUpdated": "2025-06-04T21:12:52.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-229F-X33G-7VX4

Vulnerability from github – Published: 2025-03-24 18:31 – Updated: 2025-03-24 18:31
VLAI
Details

Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS. This issue affects Email Security through 8.5.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-24T16:15:32Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS.\nThis issue affects Email Security through 8.5.5.",
  "id": "GHSA-229f-x33g-7vx4",
  "modified": "2025-03-24T18:31:02Z",
  "published": "2025-03-24T18:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9103"
    },
    {
      "type": "WEB",
      "url": "https://support.forcepoint.com/s/article/Security-Advisory-Email-Security-Gateway-Persistent-XSS-in-Blocked-Messages"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-37WM-H7XG-Q6W9

Vulnerability from github – Published: 2024-02-22 15:30 – Updated: 2024-08-29 21:31
VLAI
Details

An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS < 123.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-22T15:15:08Z",
    "severity": "HIGH"
  },
  "details": "An attacker could have executed unauthorized scripts on top origin sites using a JavaScript URI when opening an external URL with a custom Firefox scheme. This vulnerability affects Firefox for iOS \u003c 123.",
  "id": "GHSA-37wm-h7xg-q6w9",
  "modified": "2024-08-29T21:31:01Z",
  "published": "2024-02-22T15:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26283"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1850158"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2024-08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-52MM-H59V-F3C7

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-18 14:47
VLAI
Summary
earmark: Stored XSS via unescaped HTML attribute values
Details

Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.

'Elixir.Earmark.Transform':_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal " bytes: [" ", name, "=\"", value, "\""]. Text nodes are routed through the existing escape function which encodes " as ", but attribute values never visit that path. A markdown link whose URL or title contains a bare " closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, click.

The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.

This issue affects earmark from 1.4.1 onward.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "earmark"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.1"
            },
            {
              "last_affected": "1.5.0-pre1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:47:16Z",
    "nvd_published_at": "2026-06-17T18:18:04Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values.\n\n\u0027Elixir.Earmark.Transform\u0027:_make_att1/2 in lib/earmark/transform.ex splices attribute values verbatim between two literal \" bytes: [\" \", name, \"=\\\"\", value, \"\\\"\"]. Text nodes are routed through the existing escape function which encodes \" as \u0026quot;, but attribute values never visit that path. A markdown link whose URL or title contains a bare \" closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, [click](http://example.com/?a=x\" onerror=\"alert(1)) renders as \u003ca href=\"http://example.com/?a=x\" onerror=\"alert(1)\"\u003eclick\u003c/a\u003e, executing arbitrary JavaScript in the victim\u0027s browser.\n\nThe earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx.\n\nThis issue affects earmark from 1.4.1 onward.",
  "id": "GHSA-52mm-h59v-f3c7",
  "modified": "2026-06-18T14:47:16Z",
  "published": "2026-06-17T18:35:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48591"
    },
    {
      "type": "WEB",
      "url": "https://cna.erlef.org/cves/CVE-2026-48591.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pragdave/earmark"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/EEF-CVE-2026-48591"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "earmark: Stored XSS via unescaped HTML attribute values"
}

GHSA-5JFW-GQ64-Q45F

Vulnerability from github – Published: 2024-11-19 21:07 – Updated: 2025-01-14 16:37
VLAI
Summary
HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through
Details

Impact

The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as <svg>, <math> and <noscript>. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content.

Patches

Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue.

Workarounds

As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability: * remove_tags: Specify tags to remove - their content is moved to their parents' tags. * kill_tags: Specify tags to be removed completely. * allow_tags: Restrict the set of permissible tags, excluding context-switching tags like <svg>, <math> and <noscript>.

References

  • https://github.com/fedora-python/lxml_html_clean/pull/19
  • https://github.com/fedora-python/lxml_html_clean/pull/19/commits/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "lxml-html-clean"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-19T21:07:59Z",
    "nvd_published_at": "2024-11-19T22:15:21Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `\u003csvg\u003e`, `\u003cmath\u003e` and `\u003cnoscript\u003e`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content.\n\n### Patches\n\nUsers employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue.\n\n### Workarounds\n\nAs a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability:\n* `remove_tags`: Specify tags to remove - their content is moved to their parents\u0027 tags.\n* `kill_tags`: Specify tags to be removed completely.\n* `allow_tags`: Restrict the set of permissible tags, excluding context-switching tags like `\u003csvg\u003e`, `\u003cmath\u003e` and `\u003cnoscript\u003e`.\n\n### References\n\n* https://github.com/fedora-python/lxml_html_clean/pull/19\n* https://github.com/fedora-python/lxml_html_clean/pull/19/commits/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808\n",
  "id": "GHSA-5jfw-gq64-q45f",
  "modified": "2025-01-14T16:37:30Z",
  "published": "2024-11-19T21:07:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-5jfw-gq64-q45f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52595"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedora-python/lxml_html_clean/pull/19"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fedora-python/lxml_html_clean/commit/c5d816f86eb3707d72a8ecf5f3823e0daa1b3808"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fedora-python/lxml_html_clean"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lxml-html-clean/PYSEC-2024-160.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through"
}

GHSA-663W-2XP3-5739

Vulnerability from github – Published: 2023-10-25 21:02 – Updated: 2023-11-01 06:06
VLAI
Summary
org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
Details

Impact

The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute names. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki:

[[Link1>>https://XWiki.example.com||/onmouseover="alert('XSS1')"]]

When a user moves the mouse over this link, the malicious JavaScript code is executed in the context of the user session. When this user is a privileged user who has programming rights, this allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.

While this attribute was correctly recognized as not allowed, the attribute was still printed with a prefix data-xwiki-translated-attribute- without further cleaning or validation.

Note that while versions below 14.6 are not vulnerable to this particular vulnerability, they are still vulnerable to XSS through attributes in XWiki syntax, see the corresponding advisory.

Patches

This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by removing characters not allowed in data attributes and then validating the cleaned attribute again.

Workarounds

There are no known workarounds apart from upgrading to a version including the fix.

References

  • https://jira.xwiki.org/browse/XRENDERING-697
  • https://github.com/xwiki/xwiki-rendering/commit/f4d5acac451dccaf276e69f0b49b72221eef5d2f

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at XWiki Security mailing-list

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.6-rc-1"
            },
            {
              "fixed": "14.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-37908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83",
      "CWE-86"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T21:02:49Z",
    "nvd_published_at": "2023-10-25T18:17:28Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute names. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki: \n\n```\n[[Link1\u003e\u003ehttps://XWiki.example.com||/onmouseover=\"alert(\u0027XSS1\u0027)\"]]\n```\n\nWhen a user moves the mouse over this link, the malicious JavaScript code is executed in the context of the user session. When this user is a privileged user who has programming rights, this allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.\n\nWhile this attribute was correctly recognized as not allowed, the attribute was still printed with a prefix `data-xwiki-translated-attribute-` without further cleaning or validation.\n\nNote that while versions below 14.6 are not vulnerable to this particular vulnerability, they are still vulnerable to XSS through attributes in XWiki syntax, see [the corresponding advisory](https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp).\n\n### Patches\nThis problem has been patched in XWiki 14.10.4 and 15.0 RC1 by removing characters not allowed in data attributes and then validating the cleaned attribute again.\n\n### Workarounds\nThere are no known workarounds apart from upgrading to a version including the fix.\n\n### References\n* https://jira.xwiki.org/browse/XRENDERING-697\n* https://github.com/xwiki/xwiki-rendering/commit/f4d5acac451dccaf276e69f0b49b72221eef5d2f\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org/)\n* Email us at [XWiki Security mailing-list](mailto:security@xwiki.org)\n",
  "id": "GHSA-663w-2xp3-5739",
  "modified": "2023-11-01T06:06:17Z",
  "published": "2023-10-25T21:02:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-663w-2xp3-5739"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37908"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/f4d5acac451dccaf276e69f0b49b72221eef5d2f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability"
}

GHSA-6GF5-C898-7RXP

Vulnerability from github – Published: 2023-05-11 20:37 – Updated: 2023-05-11 20:37
VLAI
Summary
Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
Details

Impact

HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax.

Patches

This has been patched in XWiki 14.6 RC1.

Workarounds

There are no known workarounds apart from upgrading to a fixed version.

References

  • https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1
  • https://jira.xwiki.org/browse/XRENDERING-663

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-xhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.6-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-core-rendering-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.0-milestone-2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.6-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-html5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.6-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-annotatedxhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.6-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-annotatedhtml5"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.6-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-annotation-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.6-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-11T20:37:30Z",
    "nvd_published_at": "2023-05-10T18:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nHTML rendering didn\u0027t check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax.\n\n### Patches\nThis has been patched in XWiki 14.6 RC1.\n\n### Workarounds\nThere are no known workarounds apart from upgrading to a fixed version.\n\n### References\n* https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1\n* https://jira.xwiki.org/browse/XRENDERING-663\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "id": "GHSA-6gf5-c898-7rxp",
  "modified": "2023-05-11T20:37:30Z",
  "published": "2023-05-11T20:37:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-6gf5-c898-7rxp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-663"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers"
}

GHSA-6XCG-6Q43-RJ2V

Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-18 20:13
VLAI
Summary
Duplicate Advisory: Exported session HTML could keep unsafe markdown links
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-w9hf-3pp7-pvxv. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.5.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T20:13:59Z",
    "nvd_published_at": "2026-06-16T19:17:00Z",
    "severity": "LOW"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-w9hf-3pp7-pvxv. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link.",
  "id": "GHSA-6xcg-6q43-rj2v",
  "modified": "2026-06-18T20:13:59Z",
  "published": "2026-06-16T21:31:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9hf-3pp7-pvxv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53841"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-cross-site-scripting-via-unsafe-markdown-links-in-exported-session-html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Exported session HTML could keep unsafe markdown links",
  "withdrawn": "2026-06-18T20:13:59Z"
}

GHSA-779W-7MCF-PVXF

Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-06-05 00:31
VLAI
Details

Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14525"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-83"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-18T18:15:00Z",
    "severity": "LOW"
  },
  "details": "Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users.",
  "id": "GHSA-779w-7mcf-pvxf",
  "modified": "2025-06-05T00:31:18Z",
  "published": "2022-05-24T17:28:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14525"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsma-20-261-01"
    },
    {
      "type": "WEB",
      "url": "https://www.philips.com/a-w/security/security-advisories/product-security-2020.html#2020_archive"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

CAPEC-243: XSS Targeting HTML Attributes

An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

CAPEC-244: XSS Targeting URI Placeholders

An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.

CAPEC-588: DOM-Based XSS

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.