Nextcloud Talk Cross-Site Scripting Vulnerability
Nextcloud Talk, a self-hosted local audio/video and chat communication service from Germany-based Nextcloud, is vulnerable to a cross-site scripting vulnerability that could be exploited by remote attackers to inject and execute arbitrary HTML and script code in the user's browser within the...
Apache Superset Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability exists in Apache Superset, a data visualization and data exploration platform from the Apache Foundation, U.S. The vulnerability stems from insufficient cleanup of user-supplied data on browser pages. An attacker could exploit the vulnerability to trick victim...
VMware vCenter Server Cross-Site Scripting Vulnerability
VMware vCenter Server is a suite of server and virtualization management software from VMware, Inc. The software provides a centralized platform for managing VMware vSphere environments, automating the implementation and delivery of virtual infrastructure. vCenter Server is vulnerable to a...
CVE-2021-39199
remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitra...
Six Apart Movable Type Cross-Site Scripting Vulnerability (CNVD-2022-22651)
Six Apart Movable Type MT is a blogging system from Six Apart, Inc. A cross-site scripting vulnerability exists in Six Apart Movable Type, which stems from a lack of validation and escaping of user-supplied data in the search screen, and could be exploited by remote attackers to trick victims int...
Cross site scripting
Cross-site scripting vulnerability in Search screen of Movable Type Movable Type 7 r.4903 and earlier Movable Type 7 Series, Movable Type 6.8.0 and earlier Movable Type 6 Series, Movable Type Advanced 7 r.4903 and earlier Movable Type Advanced 7 Series, Movable Type Premium 1.44 and earlier, and...
CVE-2021-32809 Arbitrary HTML injection vulnerability in ckeditor
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in the CKEditor 4 Clipboard package. The vulnerability allowed attackers to abuse the paste functionality using malformed HTML, which could result in injecting arbitrary HTML into the editor. It...
PT-2021-6524
Name of the Vulnerable Software and Affected Versions: CKEditor versions 4.5.2 through 4.16.1; CKEditor 4 plugins with a clipboard plugin dependency, versions 4.5.2 and later, including: clipboard, pastetext, pastetools, widget, uploadwidget, autolink, tableselection. Description: The issue is related to...
Per Page Add to Head < 1.4.4 - CSRF to Stored XSS
The plugin is lacking any CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings features mentioned by the plugin, this could lead to a Stored XSS issue which will b...
Fortinet FortiSandbox Cross-Site Scripting Vulnerability
Fortinet FortiSandbox is an APT (Advanced Persistent Threat) protection appliance from Fortinet, Inc. The appliance provides dual sandboxing technology, a dynamic threat intelligence system, a real-time control panel and reporting, etc. Fortinet FortiSandbox contains a cross-site scripting...
Atlassian JIRA Server Cross-Site Scripting Vulnerability
Atlassian JIRA Server is the server version of a defect tracking management system from Atlassian, Australia. The system is mainly used for tracking and managing various types of issues and defects in work. A cross-site scripting vulnerability exists in Atlassian Jira Server, which can be exploite...
CVE-2021-36130
An XSS issue was discovered in the SocialProfile extension in MediaWiki through 1.36. Within several gift-related special pages, a privileged user with the awardmanage right could inject arbitrary HTML and JavaScript within various gift-related data fields. The attack could easily propagate acros...
CVE-2021-26079
The CardLayoutConfigTable component in Jira Server and Jira Data Center before version 8.5.15, and from version 8.6.0 before version 8.13.7, and from version 8.14.0 before 8.17.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability...
Input validation
Improper input validation in Nagios Fusion 4.1.8 and earlier allows a remote attacker with control over a fused server to inject arbitrary HTML, aka XSS...
XSS in Issue Type /editworkflowscheme.jspa - CVE 2021-26080
Affected versions of Jira Server and Jira Data Center have an XSS vulnerability in the EditWorkflowScheme.jspa component which allows remote attackers to inject arbitrary HTML or JavaScript. Affected versions: version < 8.5.14; 8.6.0 ≤ version < 8.13.6; 8.14.0 ≤ version < 8.16.1. Fixed versions: 8.5.14...
python-lxml: mXSS due to the use of improper parser
A cross-site scripting (XSS) vulnerability was found in python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The highest threat...
Moodle Cross-Site Scripting Vulnerability
Moodle is a free, open source e-learning software platform, also known as a course management system, learning management system, or virtual learning environment. A cross-site scripting vulnerability exists in Moodle, which can be exploited to inject and execute arbitrary HTML and script code in ...