CVEbaza.plSłownik CWECWE-84
Common Weakness Enumeration

CWE-84

Improper Neutralization of Encoded URI Schemes in a Web Page

Kategoria: VariantCVE: 18
Opis

Aplikacja internetowa nieprawidłowo neutralizuje dane kontrolowane przez użytkownika dla wykonywalnego skryptu zamaskowanego kodowaniem URI. Może to prowadzić do wykonania niezatwierdzonych operacji lub kodu przez atakującego.

Description (EN)

The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.

Podatności CVE z CWE-84 (18)
8.6
CVSS
HIGH
CVE-2025-58444

The MCP inspector is a developer tool for testing and debugging MCP servers. A cross-site scripting issue was reported in versions of the MCP Inspector local development tool prior to 0.16.6 when connecting to untrusted remote MCP servers with a malicious redirect URI. This could be leveraged to interact directly with the inspector proxy to trigger arbitrary command execution. Users are advised to update to 0.16.6 to resolve this issue.

pub. 2025-09-08
8.3
CVSS
HIGH
CVE-2022-40181

A vulnerability has been identified in Desigo PXM30-1 (All versions < V02.20.126.11-41), Desigo PXM30.E (All versions < V02.20.126.11-41), Desigo PXM40-1 (All versions < V02.20.126.11-41), Desigo PXM40.E (All versions < V02.20.126.11-41), Desigo PXM50-1 (All versions < V02.20.126.11-41), Desigo PXM50.E (All versions < V02.20.126.11-41), PXG3.W100-1 (All versions < V02.20.126.11-37), PXG3.W100-2 (All versions < V02.20.126.11-41), PXG3.W200-1 (All versions < V02.20.126.11-37), PXG3.W200-2 (All versions < V02.20.126.11-41). The device embedded browser does not prevent interaction with alternative URI schemes when redirected to corresponding resources by web application code. By setting the homepage URI, the favorite URIs, or redirecting embedded browser users via JavaScript code to alternative scheme resources, a remote low privileged attacker can perform a range of attacks against the device, such as read arbitrary files on the filesystem, execute arbitrary JavaScript code in order to steal or manipulate the information on the screen, or trigger denial of service conditions.

pub. 2022-10-11
6.8
CVSS
MEDIUM
CVE-2023-25571

Backstage is an open platform for building developer portals. `@backstage/catalog-model` prior to version 1.2.0, `@backstage/core-components` prior to 0.12.4, and `@backstage/plugin-catalog-backend` prior to 1.7.2 are affected by a cross-site scripting vulnerability. This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs in the entities stored in the catalog. If users of the catalog then click on said URLs, that can lead to an XSS attack. This vulnerability has been patched in both the frontend and backend implementations. The default `Link` component from `@backstage/core-components` version 1.2.0 and greater will now reject `javascript:` URLs, and there is a global override of `window.open` to do the same. In addition, the catalog model v0.12.4 and greater as well as the catalog backend v1.7.2 and greater now has additional validation built in that prevents `javascript:` URLs in known annotations. As a workaround, the general practice of limiting access to modifying catalog content and requiring code reviews greatly help mitigate this vulnerability.

pub. 2023-02-14
6.3
CVSS
MEDIUM
CVE-2024-45045

Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile (Android/iOS) device variants of Collabora Online it was possible to inject JavaScript via url encoded values in links contained in documents. Since the Android JavaScript interface allows access to internal functions, the likelihood that the app could be compromised via this vulnerability is considered high. Non-mobile variants are not affected. Mobile variants should update to the latest version provided by the platform appstore. There are no known workarounds for this vulnerability.

pub. 2024-08-29
6.1
CVSS
MEDIUM
CVE-2024-52890

IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.03 could be susceptible to cross-site scripting due to no validation of URIs.

pub. 2025-08-05
6.1
CVSS
MEDIUM
CVE-2021-3824

OpenVPN Access Server 2.9.0 through 2.9.4 allow remote attackers to inject arbitrary web script or HTML via the web login page URL.

pub. 2021-09-23
6.1
CVSS
MEDIUM
CVE-2020-7011

Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim�s web browser.

pub. 2020-06-03
5.5
CVSS
MEDIUM
CVE-2025-25323

An issue in Qianjin Network Information Technology (Shanghai) Co., Ltd 51Job iOS 14.22.0 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25324

An issue in Shandong Provincial Big Data Center AiShanDong iOS 5.0.0 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25325

An issue in Yibin Fengguan Network Technology Co., Ltd YuPao DirectHire iOS 8.8.0 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25326

An issue in Merchants Union Consumer Finance Company Limited Merchants Union Finance iOS 6.19.0 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25329

An issue in Tencent Technology (Beijing) Company Limited Tencent MicroVision iOS 8.137.0 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25330

An issue in Boohee Technology Boohee Health iOS 13.0.13 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25331

An issue in Beitatong Technology LianJia iOS 9.83.50 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
5.5
CVSS
MEDIUM
CVE-2025-25334

An issue in Suning Commerce Group Suning EMall iOS 9.5.198 allows attackers to access sensitive user information via supplying a crafted link.

pub. 2025-02-27
4.8
CVSS
MEDIUM
CVE-2025-30203

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Tuleap allows cross-site scripting (XSS) via the content of RSS feeds in the RSS widgets. A project administrator or someone with control over an used RSS feed could use this vulnerability to force victims to execute uncontrolled code. This vulnerability is fixed in Tuleap Community Edition 16.5.99.1742562878 and Tuleap Enterprise Edition 16.5-5 and 16.4-8.

pub. 2025-03-31
4.1
CVSS
MEDIUM
CVE-2023-30959

In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction.

pub. 2023-09-27
2.5
CVSS
LOW
CVE-2024-42184

BigFix Patch Download Plug-ins are affected by insecure support for file URI scheme. It could allow a malicious operator to attempt to download files using the file:// URI scheme.

pub. 2025-01-23
Informacje
ID: CWE-84
Typ: Variant
Podatności: 18
MITRE CWE ↗
← Słownik CWE