105 matches found
CVE-2025-56379
A stored cross-site scripting XSS vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field...
📄 ERPNext 15.67.0 / Frappe 15.72.4 Cross Site Scripting
ERPNext version 15.67.0 and Frappe version 15.72.4 suffer from a persistent cross site scripting vulnerability. CVE-2025-56379 — Stored Cross-Site Scripting XSS in ERPNext 15.67.0 / Frappe 15.72.4 📌 Summary A stored Cross‑Site Scripting XSS vulnerability exists in the Blog module of ERPNext...
CVE-2025-56379
A stored cross-site scripting XSS vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field...
CVE-2025-56379
A stored cross-site scripting XSS vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field...
CVE-2025-56379
CVE-2025-56379: A stored XSS in ERPNext v15.67.0 blog module (Frappe v15.72.4) via the blog post content field. An authenticated user who can create/edit posts can inject crafted HTML/JS; payload is stored and can execute in other users’ browsers viewing the post. Affected components: ERPNext Blo...
CVE-2025-56379
A stored cross-site scripting XSS vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field...
PT-2025-40352
Name of the Vulnerable Software and Affected Versions ERPNEXT version 15.67.0 Description A stored cross-site scripting XSS issue exists in the blog post feature. An attacker can inject a crafted payload into the content field, potentially leading to the execution of arbitrary web scripts or HTML...
CVE-2025-56379
A stored cross-site scripting XSS vulnerability in the blog post feature of ERPNEXT v15.67.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the content field...
CVE-2025-58365 XWiki Blog Application: Privilege Escalation (PR) from account through blog content
The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user...
PT-2025-36622
Impact The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type Blog.BlogPostClass to any page and to add some...
GHSA-H8GX-4HHM-W45V Liferay Portal stored cross-site scripting in text field of the web content structure
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject...
CVE-2024-51026
The NetAdmin IAM system version 4.0.30319 has a Cross Site Scripting XSS vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field...
CVE-2021-35415
A stored cross-site scripting XSS vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields...
CVE-2018-10422
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field...
PT-2025-9093 · Cyberark · Cyberark Endpoint Privilege Manager
Name of the Vulnerable Software and Affected Versions: CyberArk Endpoint Privilege Manager version 24.7.1 Description: The issue allows for HTML code injection into the page content through the content field in the Application definition page. The estimated number of potentially affected devices...
CVE-2024-35621
A cross-site scripting XSS vulnerability in the Edit function of Formwork before 1.13.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Content field...
CVE-2024-51026
The NetAdmin IAM system version 4.0.30319 has a Cross Site Scripting XSS vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field...
CVE-2024-51026
CVE-2024-51026 affects NetAdmin IAM system v4.0.30319. The vulnerability is a Cross Site Scripting (XSS) issue in the /BalloonSave.ashx endpoint, where an attacker can inject a payload into the Content field. Affected component: BalloonSave.ashx handling in NetAdmin IAM; root cause: unsanitized C...
CVE-2024-51026
The NetAdmin IAM system version 4.0.30319 has a Cross Site Scripting XSS vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field...
PT-2024-34493 · Unknown · Netadmin Iam System
Name of the Vulnerable Software and Affected Versions: NetAdmin IAM system version 4.0.30319 Description: The issue concerns a Cross Site Scripting XSS vulnerability. It affects the "/BalloonSave.ashx" endpoint, where a malicious payload can be injected into the Content field. Recommendations: Fo...