CVE-2022-21649
- EPSS 0.37%
- Veröffentlicht 04.01.2022 21:15:07
- Zuletzt bearbeitet 21.11.2024 06:45:09
Convos is an open source multi-user chat that runs in a web browser. Characters starting with "https://" in the chat window create an <a> tag. Stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "<" or ">" but esca...
CVE-2022-21650
- EPSS 0.37%
- Veröffentlicht 04.01.2022 21:15:07
- Zuletzt bearbeitet 21.11.2024 06:45:09
Convos is an open source multi-user chat that runs in a web browser. You can't use SVG extension in Convos' chat window, but you can upload a file with an .html extension. By uploading an SVG file with an html extension the upload filter can be bypas...
CVE-2021-42584
- EPSS 0.26%
- Veröffentlicht 17.12.2021 14:15:07
- Zuletzt bearbeitet 21.11.2024 06:27:51
A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before 6.32.
CVE-2020-14423
- EPSS 0.3%
- Veröffentlicht 18.06.2020 14:15:11
- Zuletzt bearbeitet 21.11.2024 05:03:13
Convos before 4.20 does not properly generate a random secret in Core/Settings.pm and Util.pm. This leads to a predictable CONVOS_LOCAL_SECRET value, affecting password resets and invitations.