tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

Cross-site Scripting (XSS)

Overview @haxtheweb/iframe-loader is an Adds a loading indicator for iframes. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of elements that allow javascript: URIs in the src attribute. An attacker can execute arbitrary JavaScript in the...

GHSA-JH3H-RPXG-FR36 Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the conte...

Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the conte...

CDAC e-Sushrut 安全漏洞

CDAC e-Sushrut is a system platform provided by the Indian company CDAC, which facilitates hospital information management and medical process support. There is a security vulnerability in CDAC e-Sushrut. This vulnerability stems from the leakage of sensitive information in client-side JavaScript...

EUVD-2026-3143

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated...

PT-2025-49601

IBM Controller 11.1.0 through 11.1.1 and IBM Cognos Controller 11.0.0 through 11.0.1 FP6 could allow a privileged user to bypass validation, passing user input into the application as trusted data, due to client-side enforcement of server-side security...

CVE-2024-29194

OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the ismasteradmin key, stored in the local storage of the browser, can be manipulated by an attacker. By...

SAP GUI 安全漏洞

SAP GUI is an application from SAP, a German company. graphical user interface for SAP systems. A security vulnerability exists in SAP GUI for Java that originates from saving user input on the client PC to improve usability, and an attacker is able to read this data...

Red Hat OpenShift Container Platform 安全漏洞

Red Hat OpenShift Container Platform is a suite of application platforms from Red Hat, Inc. that enables organizations to develop, deploy and manage existing container-based applications across physical, virtual and public cloud infrastructures. A security vulnerability exists in Red Hat OpenShif...

CVE-2024-29194 OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation

OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the ismasteradmin key, stored in the local storage of the browser, can be manipulated by an attacker. By...

Sourcecodester Hospital Patient Records Management System跨站脚本漏洞（CNVD-2022-48761）

Sourcecodester Hospital Patient Records Management System is a Web-based application that provides an automated platform for hospitals to store and manage their patient records. A cross-site scripting vulnerability exists in version 1.0, which stems from the lack of proper validation of client-si...

livehelperchat Cross-Site Scripting Vulnerability (CNVD-2022-18521)

livehelperchat is available through Live Helper Chat, which provides free live support on the website. livehelperchat suffers from a cross-site scripting vulnerability that stems from the lack of proper validation of client-side data by the WEB application. An attacker could exploit the...

Orchard Core 跨站脚本漏洞

Net Core, an open source modular and multi-tenant application framework built using Asp.Net Core, and a content management system Cms built on top of the framework.A cross-site scripting vulnerability exists in Orchard Core, which stems from the lack of proper validation of client-side data in th...

Zulip Cross-Site Scripting Vulnerability (CNVD-2022-17016)

Zulip is a powerful open source group chat application from the Zulip team. Used to combine the immediacy of real-time chat with the productivity benefits of threaded conversations, Zulip suffers from a cross-site scripting vulnerability that stems from the WEB application's lack of proper...

Microweber Cross-Site Scripting Vulnerability (CNVD-2022-15527)

Microweber is an online store management system from the Microweber community in the United States that provides drag-and-drop functionality. The system includes modules for adding products, images, etc. A cross-site scripting vulnerability exists in GitHub, which stems from the lack of proper...

Tricentis qTest 跨站脚本漏洞

Tricentis qTest is used by Tricentis to centrally manage and understand software testing activities from conception to production. qTest has a cross-site scripting vulnerability that stems from the lack of proper validation of client-side data by the WEB application, which can be exploited by...

Taocms Cross-Site Scripting Vulnerability (CNVD-2022-11522)

Taocms is a micro Cms content management system in China. Taocms suffers from a cross-site scripting vulnerability that stems from the lack of proper validation of client-side data in the WEB application, which can be exploited by attackers to execute client-side code...

Taocms 跨站脚本漏洞

Taocms is a micro Cms content management system in China. Taocms suffers from a cross-site scripting vulnerability that stems from the lack of proper validation of client-side data in the WEB application, which can be exploited by attackers to execute client-side code...