CVE-2024-41677 – Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik
https://notcve.org/view.php?id=CVE-2024-41677
Qwik is a performance-focused JavaScript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML during server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. As a result, the final DOM tree rendered by the browser can sometimes differ from what Qwik expects on server-side rendering. • https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 https://github.com/QwikDev/qwik/commit/7e742eb3a1001542d795776c0317d47df8b9d64e https://github.com/QwikDev/qwik/security/advisories/GHSA-2rwj-7xq8-4gx4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-2307 – Cross-Site Request Forgery (CSRF) in builderio/qwik
https://notcve.org/view.php?id=CVE-2023-2307
Cross-Site Request Forgery (CSRF) in GitHub repository builderio/qwik prior to 0.104.0. • https://github.com/BuilderIO/qwik/pull/3862/commits/09190b70027354baf7ad3d208df9c05a87f75f57 https://huntr.dev/bounties/204ea12e-9e5c-4166-bf0e-fd49c8836917 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-1283 – Code Injection in builderio/qwik
https://notcve.org/view.php?id=CVE-2023-1283
Code Injection in GitHub repository builderio/qwik prior to 0.21.0. • https://github.com/BuilderIO/qwik/pull/3249/commits/4d9ba6e098ae6e537aa55abb6b8369bb670ffe66 https://huntr.dev/bounties/63f1ff91-48f3-4886-a179-103f1ddd8ff8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-0410 – Cross-site Scripting (XSS) - Generic in builderio/qwik
https://notcve.org/view.php?id=CVE-2023-0410
Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5. • https://github.com/builderio/qwik/commit/4b2f89dbbd2bc0a2c92eae1a49bdd186e589151a https://huntr.dev/bounties/2da583f0-7f66-4ba7-9bed-8e7229aa578e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •