Description
Cross-site scripting (XSS) vulnerability in framework/source/resource/qx/test/jsonp_primitive.php in QooxDoo 1.3 and possibly other versions, as used in eyeOS 2.2 and 2.3, and possibly other products allows remote attackers to inject arbitrary web script or HTML via the callback parameter.
Recommendation
No fix is available yet. Followings are affected versions:
- <= 1.3
References
- GHSA-pchf-755w-jj6v
- exchange.xforce.ibmcloud.com
- www.exploit-db.com
- web.archive.org
- CVE-2011-1714
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Reflected XSS from the callback handler's error query parameter - CVE-2021-32702
- jQuery vulnerable to Cross-Site Scripting (XSS) - CVE-2011-4969
- Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries - CVE-2026-32728
- Nuxt OG Image is vulnerable to reflected XSS via query parameter injection into HTML attributes - CVE-2026-34405
You might also like:
- Tags:
- npm
- qooxdoo
Anything's wrong? Let us know Last updated on January 19, 2024


