4382 matches found
U.S. Dept Of Defense: [█████] — DOM-based XSS on endpoint `/?s=`
Description GET parameter s is vulnerable to DOM-based XSS on endpoint /?s=. XSS affects all users and no authentication or login is required. Proof of Concept Visit the following URL for PoC: https://██████/?s=%27%3E%3Cscript%3Ealertdocument.domain%3C/script%3E █████████ Explanation This DOM-bas...
CVE-2019-16414
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI...
CVE-2019-16414
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI...
Default credentials
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI...
ForeScout Technologies: DOM XSS at www.forescout.com in Microsoft Edge and IE Browser
Summary: I've found an DOM Based XSS on homepage Steps To Reproduce: 1.Go to this url and you'll see alert pop https://www.forescout.com/ But this will work just on ME/IE browsers because chrome and firefox have default encode system hash url And vulnerable code is on your directly source code...
CVE-2019-16414
A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI...
CVE-2019-16414
CVE-2019-16414 affects GFI Kerio Control v9.3.0. A DOM-based XSS flaw in the login path (e.g., login/?reason=failure&NTLM=) can be used to embed malicious code and exfiltrate a victim’s credentials in cleartext. Multiple connected sources (NVD, Red Hat advisories, CVE pages, CNVD, CVE lists, and ...
Cross site scripting
DOM-based cross-site scripting vulnerability in Cybozu Garoon 4.6.0 to 4.10.2 allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors...
CVE-2019-5975
CVE-2019-5975 affects Cybozu Garoon 4.6.0–4.10.2 with a DOM-based cross-site scripting vulnerability in the Portal component (CWE-79). Root cause: insufficient input validation allows an authenticated user to cause arbitrary script/HTML execution in the user’s browser via unspecified vectors. Imp...
GHSA-536Q-8GXX-M782 Cross-Site Scripting in dojo
Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting XSS. The package does not sanitize URL parameters in the testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.2 o...
Cross-Site Scripting in dojo
Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting XSS. The package does not sanitize URL parameters in the testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.2 o...
Escalation of Privilege in Twistlock
An HTML injection vulnerability has been identified in the Twistlock Console that can lead to a DOM based XSS attack under certain configurations. Ref , CVE-2019-1583 Successful exploitation of this vulnerability allows a Twistlock user with Operator capabilities to escalate privileges to that of...
Rockstar Games: Warehouse dom based xss may lead to Social Club Account Taker Over.
The researcher brought our attention to a DOM-based Cross-Site Scripting vulnerability. Although issues on rockstarwarehouse.com are typically out of scope, this had an explicit impact on Social Club account security, so we decided we needed to act. The vulnerability only affected Internet Explor...
Sessvars < 1.01 DOM-based Cross-Site Scripting
According to its self-reported version number, Sessvars is prior to 1.01. Therefore, it may be affected by a DOM-based cross-site scripting vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source...
Multiple vulnerabilities in Access analysis CGI An-Analyzer
Overview Access analysis CGI An-Analyzer provided by ANGLERSNET Co,.Ltd. contains multiple vulnerabilities listed below. OS command injection in the Management Page CWE-78 - CVE-2019-5987 Stored cross-site scripting in the Management Page CWE-79 - CVE-2019-5988 DOM-based cross-site scripting in t...
Cross-Site Scripting
Overview Versions of dojo prior to 1.4.2 are vulnerable to DOM-based Cross-Site Scripting XSS. The package does not sanitize URL parameters in the testCommon.js and runner.html test files, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to versio...
Upserve : DOM Based XSS via postMessage at https://inventory.upserve.com/login/
Description DOM based XSS is possible at https://inventory.upserve.com/login/ due to insecure origin checking when receiving a postMessage. POC 1. Visit https://hq.upserve.com.████████/upservexss.html 2. Click link 3. View alert on https://inventory.upserve.com Vulnerable Code javascript...
CVE-2019-3490
A DOM based XSS vulnerability has been identified in the Netstorage component of Open Enterprise Server OES allowing a remote attacker to execute javascript in the victims browser by tricking the victim into clicking on a specially crafted link. This affects OES versions OES2015SP1, OES2018, and...
Design/Logic Flaw
A DOM based XSS vulnerability has been identified in the Netstorage component of Open Enterprise Server OES allowing a remote attacker to execute javascript in the victims browser by tricking the victim into clicking on a specially crafted link. This affects OES versions OES2015SP1, OES2018, and...
CVE-2019-3490
A DOM based XSS vulnerability has been identified in the Netstorage component of Open Enterprise Server OES allowing a remote attacker to execute javascript in the victims browser by tricking the victim into clicking on a specially crafted link. This affects OES versions OES2015SP1, OES2018, and...