CVE-2024-37900: XWiki DOM XSS via unescaped file name in script

DOM-based Cross-Site Scripting (XSS) vulnerability. Attachment file names are passed unescaped to client-side UI rendering or event-handler functions. An attacker who can upload a file whose name contains HTML or JavaScript can get that payload executed in the victim's browser, in the context of the victim's session. Always HTML-escape file names (e.g., with .escapeHTML()) before inserting them into markup, attributes, or event-handler code; the name is untrusted data, never markup.

Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | JS
greprules fetch cve-2024-37900-xwiki-dom-xss-script-unescaped-file-name --engine opengrep
