Lucene search
3290 matches found

NVD
added 2021/04/05 7:15 p.m., 18 views

CVE-2021-24176

The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard...

5.4 CVSS, 0.02044 EPSS
Exploits 2, References 2
Prion
added 2021/04/05 7:15 p.m., 10 views

Cross site scripting

Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation...

3.5 CVSS, 5.6 AI score, 0.00687 EPSS
Exploits 2, References 2, Affected Software 1
Prion
added 2021/04/05 7:15 p.m., 14 views

Path traversal

The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard...

3.5 CVSS, 5.5 AI score, 0.02044 EPSS
Exploits 2, References 2, Affected Software 1
Cvelist
added 2021/04/05 4:20 p.m., 13 views

CVE-2020-4792

IBM Edge 4.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 189441...

5.4 CVSS, 5.2 AI score, 0.00502 EPSS
Exploits 0, References 2
CNNVD
added 2021/04/05 12:00 a.m., 8 views

WordPress JH 404 Logger Cross-Site Scripting Vulnerability

WordPress is the WordPress Foundation's blogging platform, developed in PHP. The platform supports hosting personal blog sites on PHP and MySQL servers. A WordPress plugin is an open source application plugin for WordPress. The JH 404 Logger WordPress plugin through 1.1 has a...

5.4 CVSS, 5.6 AI score, 0.02044 EPSS
Exploits 2, References 3
OSV
added 2021/04/02 6:15 p.m., 1 view

CVE-2021-1748

A validation issue was addressed with improved input sanitization. This issue is fixed in tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...

8.8 CVSS, 7.5 AI score, 0.02738 EPSS
Exploits 0, References 3
Cvelist
added 2021/04/02 5:49 p.m., 36 views

CVE-2021-1748

A validation issue was addressed with improved input sanitization. This issue is fixed in tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...

8.6 AI score, 0.02738 EPSS
Exploits 0, References 3
CNVD
added 2021/03/31 12:00 a.m., 6 views

IBM Jazz Foundation Cross-Site Scripting Vulnerability (CNVD-2021-31962)

IBM Jazz Foundation is a next-generation collaboration platform for software delivery technology from International Business Machines Corporation (IBM). IBM Jazz Foundation suffers from a cross-site scripting vulnerability that allows a user to embed arbitrary JavaScript code in the Web UI, which c...

5.4 CVSS, 6.3 AI score, 0.00502 EPSS
Exploits 0, References 1
Veracode
added 2021/03/29 4:20 a.m., 17 views

Cross-site Scripting (XSS)

github.com/microcosm-cc/bluemonday is vulnerable to cross-site scripting (XSS). An attacker is able to bypass the validation of the script string to inject and execute arbitrary JavaScript in a user's browser...

6.1 CVSS, 3.1 AI score, 0.00929 EPSS
Exploits 0, References 4, Affected Software 2
NVD
added 2021/03/26 7:15 p.m., 12 views

CVE-2021-22886

Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags, allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on the Rocket.Chat desktop app...

6.1 CVSS, 0.017 EPSS
Exploits 0, References 3
OSV
added 2021/03/26 7:15 p.m., 13 views

CVE-2021-22886

Rocket.Chat before 3.11, 3.10.5, 3.9.7, 3.8.8 is vulnerable to persistent cross-site scripting (XSS) using nested markdown tags, allowing a remote attacker to inject arbitrary JavaScript in a message. This flaw leads to arbitrary file read and RCE on the Rocket.Chat desktop app...

6.1 CVSS, 5.8 AI score
Exploits 0, References 3
seebug.org
added 2021/03/19 12:00 a.m., 104 views

MyBB Unauthenticated RCE Vulnerability (CVE-2021-27889, CVE-2021-27890)

MyBB Remote Code Execution Chain BY SIMON SCANNELL & CARL SMITH. Today SonarSource is pleased to share with you a guest contribution to our Code Security blog series. The following blog post is authored by Simon Scannell and Carl Smith (two independent security researchers) joining us in sharing...

6.8 CVSS, 0.4 AI score, 0.1059 EPSS
Exploits 10
NVD
added 2021/03/18 3:15 p.m., 13 views

CVE-2021-24136

Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location ...

5.4 CVSS, 0.00822 EPSS
Exploits 2, References 1
Prion
added 2021/03/18 3:15 p.m., 17 views

Cross site scripting

Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Pan...

3.5 CVSS, 5.3 AI score, 0.00658 EPSS
Exploits 2, References 1, Affected Software 1
Prion
added 2021/03/18 3:15 p.m., 12 views

Cross site scripting

Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location ...

3.5 CVSS, 5.5 AI score, 0.00822 EPSS
Exploits 2, References 1, Affected Software 1
Cvelist
added 2021/03/18 2:57 p.m., 11 views

CVE-2021-24136 Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS

Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location ...

5.7 AI score, 0.00822 EPSS
Exploits 2, References 1
Veracode
added 2021/03/15 4:19 a.m., 31 views

Cross-Site Scripting (XSS)

keycloak-theme is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript in a user's browser via the referrer URL in the new account console...

7.5 CVSS, 3.9 AI score, 0.0119 EPSS
Exploits 0, References 2, Affected Software 1
Prion
added 2021/03/12 10:15 p.m., 15 views

Code injection

In Eclipse Theia versions up to and including 1.8.0, in the debug console there is no HTML escaping, so arbitrary JavaScript code can be injected...

4.3 CVSS, 6.3 AI score, 0.00708 EPSS
Exploits 1, References 1, Affected Software 1
CNNVD
added 2021/03/12 12:00 a.m., 4 views

Eclipse Theia Cross-Site Scripting Vulnerability

Eclipse Theia is the Eclipse Foundation's Visual Studio Code-based open source integrated development environment framework for desktop and Web applications. A cross-site scripting vulnerability exists in Eclipse Theia 1.8.0 and prior versions, which stems from the absence of HTML escaping...

6.1 CVSS, 5.3 AI score, 0.00708 EPSS
Exploits 1, References 2
RedhatCVE
added 2021/03/10 5:03 p.m., 50 views

CVE-2020-13959

The default error page for VelocityView in Apache Velocity Tools prior to 3.1 reflects back the vm file that was entered as part of the URL. An attacker can set an XSS payload file as this vm file in the URL which results in this payload being executed. XSS vulnerabilities allow attackers to...

6.5 CVSS, 2 AI score, 0.06357 EPSS
Exploits 0, References 3