
Veracode
added 2024/12/30 8:04 a.m., 8 views

Cross-site Scripting (XSS)

shuchkin/simplexlsx is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input handling because the toHTMLEx method allows the execution of arbitrary JavaScript code...

CVSS 5.4 | AI score 6.3 | EPSS 0.00252
Exploits 0 | References 4 | Affected Software 1
OSV
added 2024/12/23 6:18 p.m., 7 views

GHSA-R87Q-FJ25-F8JF Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx

Impact: When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Patches: The supplied patch resolves this vulnerability for SimpleXLSX. Use 1.1.13. Workarounds: Don't use data publication via toHTMLEx. This vulnerability was discovered by Aleksey Solovev Positiv...

CVSS 6.8 | AI score 5.8 | EPSS 0.00252
Exploits 0 | References 4
NVD
added 2024/12/23 4:15 p.m., 9 views

CVE-2024-56364

SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in 1.0.12 and ending in 1.1.13, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. This vulnerability is fixed in 1.1.13...

CVSS 5.4 | EPSS 0.00252
Exploits 0 | References 2
OSV
added 2024/12/23 3:52 p.m., 3 views

CVE-2024-56364 Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx

SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in 1.0.12 and ending in 1.1.13, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. This vulnerability is fixed in 1.1.13...

CVSS 5.4 | AI score 7.2 | EPSS 0.00252
Exploits 0 | References 4
CVE
added 2024/12/23 3:52 p.m., 49 views

CVE-2024-56364

CVE-2024-56364 affects the SimpleXLSX PHP library. From versions 1.0.12 through 1.1.13, calling the extended toHTMLEx method could allow execution of arbitrary JavaScript, via the toHTMLEx component. The vulnerability is mitigated by upgrading to version 1.1.13 or newer, which contains the fix. R...

CVSS 5.4 | AI score 5.9 | EPSS 0.00252
Exploits 0 | References 2
OSV
added 2024/12/20 9:30 p.m., 11 views

GHSA-MMX8-VRFG-HFMQ Piranha CMS Cross-site Scripting vulnerability

A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by creating a page via /manager/pages and then adding markdown content with the XSS payload...

CVSS 4.7 | AI score 4.8 | EPSS 0.00112
Exploits 1 | References 3
Vulnrichment
added 2024/12/20 12:00 a.m., 8 views

CVE-2024-55341

A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by creating a page via /manager/pages and then adding markdown content with the XSS payload...

AI score 5.4 | EPSS 0.00112
Exploits 1 | References 2
OSV
added 2024/12/19 2:15 p.m., 7 views

CVE-2024-9101

A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin version 1.2.1 through the latest version, 1.2.6.7, allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' functio...

CVSS 2.1 | AI score 5.9
Exploits 0 | References 4
Veracode
added 2024/12/18 5:40 a.m., 9 views

Cross Site Scripting

SimpleXLSX is vulnerable to Cross Site Scripting. The vulnerability is due to insufficient input validation and sanitization in the toHTMLEx method, allowing the execution of arbitrary JavaScript code when processing Excel XLSx files...

CVSS 6.8 | AI score 7 | EPSS 0.00296
Exploits 0 | References 4 | Affected Software 1
Veracode
added 2024/12/17 10:44 a.m., 12 views

Code Injection

Mongoose is vulnerable to a Code Injection. The vulnerability is due to improper use of the $where operator, which allows the execution of arbitrary JavaScript code in MongoDB queries. This could lead to code injection attacks, enabling unauthorized access to or manipulation of database data...

CVSS 9.1 | AI score 7.3 | EPSS 0.52176
Exploits 3 | References 8 | Affected Software 1
Cvelist
added 2024/12/16 12:00 a.m., 11 views

CVE-2024-55451

A stored cross-site scripting (XSS) vulnerability exists in the authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend...

EPSS 0.00103
Exploits 1 | References 2
CNNVD
added 2024/12/16 12:00 a.m., 2 views

Rebuild code injection vulnerability

Rebuild is a highly customizable enterprise management system. A code injection vulnerability exists in Rebuild version 3.8.5, which stems from a cross-site scripting vulnerability that allows an attacker to inject arbitrary JavaScript code...

CVSS 5.4 | AI score 4.9 | EPSS 0.00091
Exploits 1 | References 4
CNNVD
added 2024/12/16 12:00 a.m., 3 views

Rebuild code injection vulnerability

Rebuild is a highly customizable enterprise management system. A code injection vulnerability exists in Rebuild version 3.8.5, which stems from a cross-site scripting vulnerability that allows an attacker to inject arbitrary JavaScript code...

CVSS 5.4 | AI score 5 | EPSS 0.00177
Exploits 1 | References 4
CVE
added 2024/12/12 7:20 p.m., 55 views

CVE-2024-55878

The CVE-2024-55878 entry affects SimpleXLSX (PHP library for parsing Excel XLSX files). The vulnerability lies in the extended toHTMLEx method, exploited when calling toHTMLEx in versions 1.0.12 through 1.1.11, allowing arbitrary JavaScript execution (XSS) in affected contexts. Impact is elevated...

CVSS 6.8 | AI score 6.9 | EPSS 0.00296
Exploits 0 | References 2
NVD
added 2024/12/12 1:15 p.m., 10 views

CVE-2024-36494

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The login page at /cgi/slogin.cgi suffers from XSS due to improper input filtering of the -tsetup+-uuser parameter, which can only be exploited if th...

CVSS 4.7 | EPSS 0.00213
Exploits 0 | References 3
NVD
added 2024/12/12 1:15 p.m., 12 views

CVE-2024-28142

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The "File Name" page /cgi/uset.cgi?-cfilename in the User Settings menu improperly filters the "file name" and wildcard character input field. By...

CVSS 4.7 | EPSS 0.00222
Exploits 0 | References 3
CVE
added 2024/12/12 12:51 p.m., 44 views

CVE-2024-36494

CVE-2024-36494 involves a cross-site scripting vulnerability on the login page (/cgi/slogin.cgi) caused by missing input sanitization of the -tsetup+-uuser parameter. The issue can allow an attacker to execute arbitrary JavaScript in other users’ browsers, potentially enabling phishing-focused lo...

CVSS 4.7 | AI score 5.9 | EPSS 0.00213
Exploits 0 | References 3
Cvelist
added 2024/12/12 12:38 p.m., 14 views

CVE-2024-47947 Stored cross-site scripting

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function...

EPSS 0.00213
Exploits 0 | References 2
CVE
added 2024/12/12 12:38 p.m., 41 views

CVE-2024-47947

CVE-2024-47947 concerns a stored XSS vulnerability in the Image Access Scan2Net/ScanWizard ecosystem. The issue arises from missing input sanitization in the configuration menu's "Edit Disclaimer Text" function, exploitable by an attacker to inject JavaScript that runs in other users' browsers. Affec...

CVSS 4.7 | AI score 6.3 | EPSS 0.00213
Exploits 0 | References 3
Cvelist
added 2024/12/12 12:35 p.m., 20 views

CVE-2024-28142 Stored cross-site scripting

Due to missing input sanitization, an attacker can perform cross-site scripting attacks and run arbitrary JavaScript in the browser of other users. The "File Name" page /cgi/uset.cgi?-cfilename in the User Settings menu improperly filters the "file name" and wildcard character input field. By...

EPSS 0.00222
Exploits 0 | References 2