
3237 matches found

Source: CVE
Added 2025/05/01 1:11 p.m., 47 views

CVE-2024-11390

Kibana is affected by CVE-2024-11390: an Unrestricted Upload of a File with a Dangerous Type can lead to arbitrary JavaScript execution (XSS) in a victim’s browser via crafted HTML/JavaScript files. This requires access to the Synthetics app or write access to synthetics indices. Affected version...

CVSS 5.4, AI score 5.5, EPSS 0.00267
Exploits 0, References 1, Affected Software 1
Source: Vulnrichment
Added 2025/05/01 1:11 p.m., 6 views

CVE-2024-11390 Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS

Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices...

CVSS 5.4, AI score 5.6, EPSS 0.00267
Exploits 0, References 1
Source: CNNVD
Added 2025/05/01 12:00 a.m., 1 view

Elastic Kibana Security Vulnerability

Elastic Kibana is an available data visualization dashboard software from Elastic, Inc. A security vulnerability exists in Elastic Kibana versions prior to 8.12.0, which stems from an unrestricted upload of a dangerous type of file and could lead to the execution of arbitrary JavaScript in a...

CVSS 5.4, AI score 5.8, EPSS 0.00267
Exploits 0, References 1
Source: NVD
Added 2025/04/30 1:15 p.m., 16 views

CVE-2025-45007

A Reflected Cross-Site Scripting XSS vulnerability was discovered in the profile.php file of PHPGurukul Timetable Generator System v1.0. This vulnerability allows remote attackers to execute arbitrary JavaScript code via the adminname POST request parameter...

CVSS 4.8, EPSS 0.00167
Exploits 1, References 1
Source: CVE
Added 2025/04/30 12:00 a.m., 57 views

CVE-2025-45007

CVE-2025-45007 affects PHPGurukul Timetable Generator System v1.0, via the profile.php file. The vulnerability is a reflected Cross-Site Scripting (XSS) where the adminname parameter in a POST request can cause arbitrary JavaScript execution. Impact is consistent with a reflected XSS allowing scr...

CVSS 4.8, AI score 6.2, EPSS 0.00167
Exploits 1, References 1, Affected Software 1
Source: Github Security Blog
Added 2025/04/29 2:49 p.m., 17 views

YesWiki Stored XSS Vulnerability in Comments

Summary A stored cross-site scripting XSS vulnerability was discovered in the application’s comments feature. This issue allows a malicious actor to inject JavaScript payloads that are stored and later executed in the browser of any user viewing the affected comment. The XSS occurs because the...

CVSS 6.3, AI score 5, EPSS 0.00268
Exploits 1, References 4, Affected Software 1
Source: CNNVD
Added 2025/04/28 12:00 a.m., 2 views

104 eHRMS Cross-Site Scripting Vulnerability

104 eHRMS is a Human Resource Management System from 104 Inc. A cross-site scripting vulnerability exists in 104 eHRMS V202412 and prior versions, which stems from reflective cross-site scripting and could lead to the execution of arbitrary JavaScript code...

CVSS 6.1, AI score 6.2, EPSS 0.00166
Exploits 0, References 2
Source: OSV
Added 2025/04/25 7:14 a.m., 9 views

BIT-GRAFANA-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

CVSS 6.8, AI score 6.3, EPSS 0.00042
Exploits 0, References 3
Source: NVD
Added 2025/04/23 12:15 p.m., 11 views

CVE-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

CVSS 6.8, EPSS 0.00042
Exploits 0, References 2
Source: CVE
Added 2025/04/23 11:36 a.m., 118 views

CVE-2025-2703

CVE-2025-2703 affects Grafana’s built-in XY Chart plugin through a DOM XSS flaw. The advisory text states that a user with Editor permissions can modify a panel to execute arbitrary JavaScript, indicating that the vulnerability stems from client-side script handling in the chart component and cou...

CVSS 6.8, AI score 6.5, EPSS 0.00042
Exploits 0, References 2
Source: Cvelist
Added 2025/04/23 11:36 a.m., 15 views

CVE-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

CVSS 6.8, EPSS 0.00042
Exploits 0, References 2
Source: AlpineLinux
Added 2025/04/23 11:36 a.m., 5 views

CVE-2025-2703

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript...

CVSS 6.8, AI score 6.8, EPSS 0.00042
Exploits 0
Source: CVE
Added 2025/04/23 12:00 a.m., 43 views

CVE-2025-29526

The CVE-2025-29526 entry affects Q4 Inc Investor Relations Platform v5.147.1.2, where an unfiltered input in the SearchTerm parameter of the search function enables Cross-Site Scripting (XSS), allowing arbitrary JavaScript execution. Affected component: Search feature; root cause: insufficient in...

CVSS 6.1, AI score 6, EPSS 0.00217
Exploits 0, References 2
Source: Grafana
Added 2025/04/23 12:00 a.m., 4 views

XSS in Grafana XY Chart Plugin

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability. A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript. This vulnerability first appeared in Grafana v11.1.0, and is fixed in 11.6.0+security-01, 11.5.3+security-01,...

CVSS 6.8, AI score 6.8, EPSS 0.00042
Exploits 0
Source: Exploit DB
Added 2025/04/22 12:00 a.m., 226 views

Firefox ESR 115.11 - PDF.js Arbitrary JavaScript execution

Exploit Title: Firefox ESR 115.11 - Arbitrary JavaScript execution in PDF.js Date: 2025-04-16 Exploit Author: Milad Karimi Ex3ptionaL Contact: [email protected] Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL MiRROR-H: https://mirror-h.org/search/hacker/49626/ Vendor Homepage:...

CVSS 8.8, AI score 7.4, EPSS 0.40321
Exploits 14
Source: RedhatCVE
Added 2025/04/10 2:50 p.m., 6 views

CVE-2025-22465

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required...

CVSS 6.1, AI score 6.8, EPSS 0.00206
Exploits 0, References 1
Source: RedhatCVE
Added 2025/04/10 3:58 a.m., 2 views

CVE-2025-31476

tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...

CVSS 4.8, AI score 7, EPSS 0.00457
Exploits 0, References 1
Source: Cvelist
Added 2025/04/08 2:27 p.m., 12 views

CVE-2025-22465

Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to execute arbitrary javascript in a victim's browser. Unlikely user interaction is required...

CVSS 6.1, EPSS 0.00206
Exploits 0, References 1
Source: CVE
Added 2025/04/08 2:27 p.m., 59 views

CVE-2025-22465

Ivanti Endpoint Manager is affected by CVE-2025-22465 (Reflected XSS) in versions older than 2024 SU1 or older than 2022 SU7. An unauthenticated remote attacker can cause the victim’s browser to execute arbitrary JavaScript. The issue arises from insufficient input handling in the web interface. ...

CVSS 6.1, AI score 7, EPSS 0.00206
Exploits 0, References 1, Affected Software 1
Source: Github Security Blog
Added 2025/04/07 4:46 p.m., 10 views

tarteaucitron.js allows url scheme injection via unfiltered inputs

A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges access to the site's source code or a CMS plugin to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL validation was insufficient, which could allow arbitrary JavaScript...

CVSS 4.8, AI score 7.3, EPSS 0.00457
Exploits 0, References 4, Affected Software 1