Duplicate Advisory: Code injection in Directus

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9qrm-48qf-r2rw. This link is maintained to preserve external references. Original Description Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is...

CVE-2024-6533

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with...

CVE-2024-6533

Directus 10.13.0 is affected by a DOM-based XSS flaw where an authenticated attacker can inject and store an attacker-controlled value that is rendered into an unsanitized DOM element on the client. The issue stems from how a parameter is stored on the server and later used by the client, enablin...

CVE-2024-43368 Trix has a Cross-Site Scripting (XSS) vulnerability on copy & paste

The Trix editor, versions prior to 2.1.4, is vulnerable to XSS when pasting malicious code. This vulnerability is a bypass of the fix put in place for GHSA-qjqp-xr96-cj99. In pull request 1149, sanitation was added for Trix attachments with a text/html content type. However, Trix only checks the...

CVE-2024-39400

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by a DOM-based Cross-Site Scripting XSS vulnerability. This vulnerability could allow an admin attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session...

CVE-2024-41774

IBM Common Licensing 9.0 is affected by CVE-2024-41774: stored cross-site scripting in the Web UI (LKS Administration Reporting Tool/Agent) that could allow a privileged user to inject JavaScript and potentially disclose credentials. Remediation: apply IBM_Common_Licensing_ICL_9.0.0.1 / update to...

CVE-2024-33536

An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading...

Zimbra Collaboration Server 安全漏洞

Zimbra Collaboration Server ZCS is an email and collaboration solution from Zimbra. The solution provides email, contacts, calendar, file sharing, social networking, and other features. A security vulnerability exists in Zimbra Collaboration Server versions 9.0 and 10.0, which stems from the...

CVE-2024-27443

An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0. A Cross-Site Scripting XSS vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this v...

Cross Site Scripting (XSS)

openwebui is vulnerable to Cross Site ScriptingXSS. The vulnerability is due to the language model executing arbitrary JavaScript as a result of a maliciously crafted prompt...

Open WebUI Stored Cross-Site Scripting Vulnerability

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...

CVE-2024-6892

Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application...

CVE-2024-6892 Journyx Reflected Cross Site Scripting

Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application...

CVE-2024-6706

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...

CVE-2024-6706

Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...

CVE-2024-6706

Open WebUI stores Cross-Site Scripting (XSS) vulnerability CVE-2024-6706 in version 0.1.105 on Debian 12. The issue arises when a malicious prompt coerces the language model into executing arbitrary JavaScript in the context of the web page. Connected advisories (KL-001-2024-005; GHSA-5JP3-WP5V-5...

CVE-2024-41676

Magento-lts is a long-term support alternative to Magento Community Edition CE. This XSS vulnerability affects the design/header/welcome, design/header/logosrc, design/header/logosrcsmall, and design/header/logoalt system configs.They are intended to enable admins to set a text in the two cases,...

CVE-2024-41676

Magento LTS (OpenMage Magento-lts) is affected by an XSS in system config fields design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt due to missing escaping. The issue allows input of arbitrary HTML/JavaScript and is mitigated by upgrading to ve...

CVE-2024-41676 Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs

Magento-lts is a long-term support alternative to Magento Community Edition CE. This XSS vulnerability affects the design/header/welcome, design/header/logosrc, design/header/logosrcsmall, and design/header/logoalt system configs.They are intended to enable admins to set a text in the two cases,...

CVE-2024-6881

Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session...