721 matches found

Debian CVE
added 2021/03/29 1:15 p.m., 30 views

CVE-2021-23358

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized...

CVSS 7.2, AI score 7.2, EPSS 0.01413
Exploits 2

OpenVAS
added 2021/03/29 12:00 a.m., 17 views

OpenEMR 5.0.2 < 6.0.0.1 Multiple XSS Vulnerabilities

OpenEMR is prone to multiple cross-site scripting (XSS) vulnerabilities...

CVSS 4.8, AI score 5, EPSS 0.32457
Exploits 0, References 3

CNVD
added 2021/03/23 12:00 a.m., 5 views

OpenEMR Cross-Site Scripting Vulnerability (CNVD-2021-22942)

OpenEMR is a medical practice management software that also supports electronic medical records (EMR). A stored cross-site scripting vulnerability exists in OpenEMR versions 5.0.2 - 6.0.0. The vulnerability stems from not properly validating user input. An attacker can exploit the vulnerability to...

CVSS 4.8, AI score 6.1, EPSS 0.32457
Exploits 0, References 1

Cvelist
added 2021/03/22 7:36 p.m., 10 views

CVE-2021-25917

In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user...

AI score 5.5, EPSS 0.02795
Exploits 0, References 2

Prion
added 2021/03/09 8:15 p.m., 20 views

Integer overflow

An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability...

CVSS 6.8, AI score 7.7, EPSS 0.00251
Exploits 0, References 8, Affected Software 3

RedhatCVE
added 2021/03/05 8:58 p.m., 51 views

CVE-2020-28502

An arbitrary code injection vulnerability was found in nodejs-xmlhttprequest. For this vulnerability to occur, the connection must be initialized during the function call XMLHttpRequest.open to send requests synchronously using the parameter async=False. If the subsequent calls to xhr.send...

CVSS 8.1, AI score 3.2, EPSS 0.17396
Exploits 2, References 5

NVD
added 2021/03/05 6:15 p.m., 11 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1, EPSS 0.17396
Exploits 2, References 5

UbuntuCve
added 2021/03/05 6:15 p.m., 16 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1, AI score 7.3, EPSS 0.17396
Exploits 2, References 6

CVE
added 2021/03/05 5:25 p.m., 113 views

CVE-2020-28502

The CVE-2020-28502 issue affects the Node.js packages xmlhttprequest (pre-1.7.0) and xmlhttprequest-ssl (any version). Root cause: inputs sent via xhr.send when requests are synchronous (async=false) can be manipulated to inject and execute arbitrary code, due to how data flows into xhr.send. Pub...

CVSS 8.1, AI score 8.1, EPSS 0.17396
Exploits 2, References 5, Affected Software 1

Debian CVE
added 2021/03/05 5:25 p.m., 25 views

CVE-2020-28502

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run...

CVSS 8.1, AI score 8.2, EPSS 0.17396
Exploits 2

Snyk
added 2021/03/05 5:05 p.m., 2 views

Arbitrary Code Injection

Overview: xmlhttprequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object. Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.sen...

CVSS 8.1, AI score 7.4, EPSS 0.17396
Exploits 2, References 2

Positive Technologies
added 2021/02/28 12:00 a.m., 3 views

PT-2021-7457

Name of the Vulnerable Software and Affected Versions:
underscore versions 1.3.2 through 1.12.1
underscore versions 1.13.0-0 through 1.13.0-2
Description: The issue is related to the template function in the underscore library, which is used for working with arrays in JavaScript. It is caused by...

CVSS 9, AI score 7.9, EPSS 0.01413
Exploits 2, References 67

Prion
added 2021/02/25 3:15 p.m., 10 views

Cross site scripting

Stored cross-site scripting (XSS) in form field in robust.systems product Custom Global Variables v 1.0.5 allows a remote attacker to inject arbitrary code via the vars0name field...

CVSS 3.5, AI score 5.4, EPSS 0.00131
Exploits 1, References 2, Affected Software 1

Prion
added 2021/02/09 8:15 p.m., 19 views

Cross site scripting

Reflected cross-site scripting (XSS) vulnerability in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary webscript or HTML code via the tab3 parameter...

CVSS 4.3, AI score 6, EPSS 0.01038
Exploits 3, References 3, Affected Software 1

CNVD
added 2021/01/29 12:00 a.m., 5 views

BDTASK Multi-Store Inventory Management System Cross-Site Scripting Vulnerability

BDTASK Multi-Store Inventory Management System is a multi-store inventory management system from BDTASK Bangladesh. A security vulnerability exists in BDTASK Multi-Store Inventory Management System version 1.0, which originates from a customer name field that fails to properly filter special...

CVSS 4.8, AI score 7.1, EPSS 0.00295
Exploits 1, References 1

CVE
added 2021/01/27 4:15 p.m., 59 views

CVE-2021-20357

CVE-2021-20357 affects IBM Jazz Foundation products with a cross-site scripting vulnerability in the Web UI that could allow an attacker to embed arbitrary JavaScript and, in a trusted session, potentially disclose credentials. Connected sources corroborate a Web UI XSS across multiple IBM Jazz/F...

CVSS 5.4, AI score 5.2, EPSS 0.00158
Exploits 0, References 2, Affected Software 11

Prion
added 2021/01/27 1:15 p.m., 15 views

Cross site scripting

Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field...

CVSS 3.5, AI score 5, EPSS 0.00295
Exploits 1, References 3, Affected Software 1

NVD
added 2021/01/15 7:15 a.m., 16 views

CVE-2020-35582

A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the posttitle parameter...

CVSS 5.4, AI score 5.3, EPSS 0.00471
Exploits 2, References 4

Cvelist
added 2021/01/15 6:23 a.m., 15 views

CVE-2020-35581

A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the metatitle parameter...

AI score 5.3, EPSS 0.00471
Exploits 2, References 4

Check Point Advisories
added 2021/01/03 12:00 a.m., 14 views

Arbitrary Code Injection Over HTTP Traffic (CVE-2020-21176; CVE-2020-25042; CVE-2020-26248; CVE-2020-26712; CVE-2020-28994; CVE-2020-29284; CVE-2020-6308; CVE-2021-25912)

Arbitrary Code Injections Over HTTP Traffic...

CVSS 10, AI score 1, EPSS 0.82056
Exploits 14