Lucene search

3290 matches found

Prion
added 2020/04/07 7:15 p.m. | 14 views

Cross site scripting

An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows remote attackers to upload page templates containing arbitrary JavaScript via the c37wplimporttemplate admin-post action which will execute in an administrator's browser if the template is used to create a page...

CVSS 4.3 | AI score 6.2 | EPSS 0.01876
Exploits: 2 | References: 1 | Affected Software: 1
Prion
added 2020/04/07 5:15 p.m. | 18 views

Cross site scripting

Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wpajaxcf7dpsavesettings AJAX action and the uitheme parameter. If an administrator creat...

CVSS 3.5 | AI score 5.2 | EPSS 0.00712
Exploits: 2 | References: 1 | Affected Software: 1
Prion
added 2020/04/07 5:15 p.m. | 14 views

Cross site scripting

Stored XSS in the IMPress for IDX Broker WordPress plugin before 2.6.2 allows authenticated attackers with minimal subscriber-level permissions to save arbitrary JavaScript in the plugin's settings panel via the idxupdaterecaptchakey AJAX action and a crafted idxrecaptchasitekey parameter, which...

CVSS 3.5 | AI score 5.1 | EPSS 0.00723
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2020/04/07 4:55 p.m. | 12 views

CVE-2020-11516

Stored XSS in the Contact Form 7 Datepicker plugin through 2.6.0 for WordPress allows authenticated attackers with minimal permissions to save arbitrary JavaScript to the plugin's settings via the unprotected wpajaxcf7dpsavesettings AJAX action and the uitheme parameter. If an administrator creat...

AI score 5.2 | EPSS 0.00712
Exploits: 2 | References: 1
NVD
added 2020/04/02 3:15 p.m. | 12 views

CVE-2020-4303

IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVSS 6.1 | AI score 5.9 | EPSS 0.00797
Exploits: 0 | References: 2
Cvelist
added 2020/04/01 5:23 p.m. | 29 views

CVE-2020-3884

An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary javascript code execution...

AI score 6.8 | EPSS 0.01098
Exploits: 0 | References: 1
Veracode
added 2020/04/01 12:38 a.m. | 7 views

Cross-Site Scripting (XSS)

squid is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary JavaScript in a user's browser via the username or auth parameter in cachemgr.cgi...

CVSS 6.1 | AI score 6.5 | EPSS 0.74477
Exploits: 1 | References: 22 | Affected Software: 2
Cvelist
added 2020/03/30 8:50 p.m. | 22 views

CVE-2020-9055 Versiant Lynx Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow an attacker to execute arbitrary JavaScript

Versiant LYNX Customer Service Portal (CSP), version 3.5.2, is vulnerable to stored cross-site scripting, which could allow a local, authenticated attacker to insert malicious JavaScript that is stored and displayed to the end user. This could lead to website redirects, session cookie hijacking, or...

CVSS 3.9 | AI score 5.1 | EPSS 0.0051
Exploits: 0 | References: 2
Node.js
added 2020/03/26 6:19 p.m. | 16 views

Cross-Site Scripting

Overview: Versions of htmr prior to 0.8.7 are vulnerable to Cross-Site Scripting (XSS). The package uses innerHTML to unescape HTML entities. This may lead to DOM-based XSS through HTML-encoded XSS payloads. This may allow an attacker to execute arbitrary JavaScript in a victim's browser...

AI score 6
Exploits: 0 | Affected Software: 1
CNVD
added 2020/03/26 12:0 a.m. | 1 view

Apple macOS Catalina Mail component xss vulnerability

Apple macOS Catalina is a specialized operating system developed by Apple Inc. for Mac computers. A security vulnerability exists in the Mail component of Apple macOS Catalina versions prior to 10.15.4. A remote attacker can exploit this vulnerability to execute arbitrary JavaScript code...

CVSS 6.1 | AI score 7.1 | EPSS 0.01098
Exploits: 0 | References: 1
OpenVAS
added 2020/03/26 12:0 a.m. | 30 views

Apple Mac OS X Security Update (HT211100 - 04)

Apple Mac OS X is prone to multiple vulnerabilities. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

CVSS 6.1 | AI score 6.4 | EPSS 0.01098
Exploits: 0 | References: 1
Veracode
added 2020/03/25 4:19 a.m. | 29 views

Cross-site Scripting (XSS)

resteasy-jaxrs is vulnerable to cross-site scripting (XSS). The vulnerability exists due to the lack of sanitization of the value of strVal, allowing RESTEASY003870 exceptions to be used to execute arbitrary JavaScript in a user's browser...

CVSS 6.1 | AI score 1.9 | EPSS 0.01394
Exploits: 1 | References: 6 | Affected Software: 57
OSV
added 2020/03/23 4:15 p.m. | 1 view

CVE-2019-4718

IBM Jazz for Service Management 3.13 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 172123...

CVSS 5.4 | AI score 5.4 | EPSS 0.00673
Exploits: 0 | References: 2
IBM Security Bulletins
added 2020/03/20 11:0 a.m. | 10 views

Security Bulletin: IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4717)

Summary IBM Jazz for Service Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI CVE-2019-4717 Vulnerability Details CVEID: CVE-2019-4717 DESCRIPTION: IBM Jazz for Service Management is vulnerable to cross-site...

AI score 1.6
Exploits: 0 | Affected Software: 1
Veracode
added 2020/03/20 5:35 a.m. | 25 views

Cross-site Scripting (XSS)

actionview is vulnerable to cross-site scripting (XSS). Inadequate sanitization and escaping of special characters such as dollar signs and backticks allows an attacker to inject and execute arbitrary JavaScript in a user's browser via the j or javascriptescape helper...

CVSS 4.8 | AI score 5.3 | EPSS 0.01543
Exploits: 1 | References: 8 | Affected Software: 243
WPVulnDB
added 2020/03/17 12:0 a.m. | 8 views

Custom Post Type UI < 1.7.4 - CSRF to Stored XSS

The Custom Post Type UI WordPress plugin was vulnerable to Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) within the "Import Post Types" functionality in the "Tools" tab. This functionality allows users to import "Post Types" from other websites, or from backup, as JSON. This...

AI score 1.7
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2020/03/13 4:15 p.m. | 27 views

CVE-2020-10196

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several o...

CVSS 6.1 | AI score 6.5 | EPSS 0.01421
Exploits: 1 | References: 2
Prion
added 2020/03/13 4:15 p.m. | 9 views

Cross site scripting

An XSS vulnerability in the popup-builder plugin before 3.64.1 for WordPress allows remote attackers to inject arbitrary JavaScript into existing popups via an unsecured ajax action in com/classes/Ajax.php. It is possible for an unauthenticated attacker to insert malicious JavaScript in several o...

CVSS 4.3 | AI score 6.4 | EPSS 0.01421
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2020/03/13 3:48 p.m. | 145 views

CVE-2020-10196

CVE-2020-10196 affects the WordPress plugin Popup Builder (versions before 3.64.1). A stored XSS flaw exists in an unsecured AJAX action (com/classes/Ajax.php) where an unauthenticated attacker can POST to wp-admin/admin-ajax.php with action sgpb_autosave and an allPopupData payload (including th...

CVSS 6.1 | AI score 6.4 | EPSS 0.01421
Exploits: 1 | References: 2 | Affected Software: 1
NVD
added 2020/03/04 7:15 p.m. | 32 views

CVE-2020-9371

Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabcappointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or HTML...

CVSS 4.8 | AI score 4.9 | EPSS 0.03591
Exploits: 5 | References: 5