Vulnerabilities tagged "xss"

This was a really cool XSS filter bypass due to a parsing differential between PHP's multibyte string functions: `mb_strpos` and `mb_substr` when dealing with invalid UTF-8 sequences.

XSS delivered via profile image upload of an SVG containing the XSS.Fairly common situation where SVG support allows XSS because the SVG's scripts are not sanitized but also one we have basically never talked about on the podcast...

Two cross-site scripting vulnerabilities stemming from the handling of clipboard data in Excalidraw and Microsoft Whiteboard. One allows straight forward exploitation, where as the other has a bit of an iframe trick to it.

The title gives this one away, the `header(...)` function in PHP will issue a warning (and keep executing) without adding the header to the response if the header contains a Carriage Return (\r), New-Line (\n) or Null-byte (\x00).That functionality may not be new to you as its purpose is to kill response splitting attacks, but @OctagonNetworks presents a fresh twist on this, probably not the first to have the thought but it was a neat idea to me...

A request that isn't vulnerable until you make it twice.Definitely an interesting edge case that a lot of testing might overlook...

The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily only appears when running the application under Docker.

The XSS here is fairly basic, attacker controlled data reflected without sanitization, whats a bit more interesting is the input source, plugin metadata processed by the global Jenkin's Update Center.There is a bit of a process to getting plugins listed in the Update Center, submitted a PR and the first plugin needs to be manually approved, though the authors note that this is mostly a procedural thing...

The vulnerability here isn't too interesting, just a case of user-input being reflected into a header without sanitizing new-lines (CrLf injection). What is interesting is how they leverage this header injection primitive to bypass Akamai's web application firewall.

BBCode XSS chained with an admin panel SQL injection for potential for code execution.

A long chain of issues that leads to XSS in the league of legends (LoL) account subdomain via easyXDM, which is a developer focused JS library that provides an interface for doing cross-origin communication using various protocols.easyXDM consists of a producer-consumer setup, where a producer page exports functions for the consumer page to invoke...