132 matches found
CVE-2022-2565
The Simple Payment Donations & Subscriptions WordPress plugin before 4.2.1 does not sanitise and escape user input given in its forms, which could allow unauthenticated attackers to perform Cross-Site Scripting attacks against admins...
PT-2022-18477 · Hcl · Hcl Notes
Name of the Vulnerable Software and Affected Versions: HCL iNotes (affected versions not specified). Description: The issue is caused by improper validation of user-supplied input in a form POST request, leading to a reflected cross-site scripting (XSS) vulnerability. A remote attacker could exploit...
CVE-2022-27546
HCL iNotes is susceptible to a reflected cross-site scripting (XSS) vulnerability caused by improper validation of user-supplied input submitted in a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser with...
CVE-2022-30611
IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.15.0 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using some fields of the form in the portal UI to inject malicious script into a Web page whic...
GHSA-QGRR-F26J-87VF MantisBT XSS where a Custom Field with a crafted Regular Expression property is used
An issue was discovered in MantisBT before 2.24.3. When editing an Issue in a Project where a Custom Field with a crafted Regular Expression property is used, improper escaping of the corresponding form input's pattern attribute allows HTML injection and, if CSP settings permit, execution of...
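The MantisBT entry above is the attribute-context variant of the escaping bug that most entries in this listing describe: a value placed inside an HTML attribute (here the `pattern` of an `<input>`) is not escaped, so a quote in the value closes the attribute and the rest of the string becomes new attributes or markup. The following is an added illustration, not MantisBT's or any listed plugin's code; the form field name, the attacker value and the rendering functions are constructed for the example. It renders the tag both ways, parses the result with the standard-library HTML parser and checks whether an event-handler attribute was injected, which is the same check a reviewer would apply to any settings page or AJAX handler that echoes parameters into attributes.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled regular expression (example input only).
# The double quote closes pattern="...", and the remainder is parsed by the
# browser as further attributes of the same <input> element.
MALICIOUS_PATTERN = '[a-z]+" autofocus onfocus="alert(1)'


def render_input_unsafe(name: str, pattern: str) -> str:
    """Vulnerable rendering: raw values interpolated into attribute context."""
    return f'<input type="text" name="{name}" pattern="{pattern}">'


def render_input_safe(name: str, pattern: str) -> str:
    """Hardened rendering: escape &, <, >, " and ' before attribute output."""
    return (
        f'<input type="text" name="{html.escape(name, quote=True)}"'
        f' pattern="{html.escape(pattern, quote=True)}">'
    )


class _AttrCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: attribute values are unescaped
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_attributes(markup: str) -> list[tuple[str, dict]]:
    """Parse markup the way a browser would and return its start tags."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injected_event_handlers(markup: str) -> list[str]:
    """Return every on* attribute found in the markup; a non-empty list means
    the value broke out of its attribute and injected a handler."""
    return [
        attr
        for _, attrs in parse_attributes(markup)
        for attr in attrs
        if attr.startswith("on")
    ]


if __name__ == "__main__":
    unsafe = render_input_unsafe("summary", MALICIOUS_PATTERN)
    safe = render_input_safe("summary", MALICIOUS_PATTERN)
    print(unsafe, injected_event_handlers(unsafe))
    print(safe, injected_event_handlers(safe))
```

With the unsafe renderer the parser reports a single `<input>` carrying `autofocus` and `onfocus` attributes, which is exactly the "HTML injection and, if CSP settings permit, execution" outcome in the advisory. With the safe renderer the parsed `pattern` attribute round-trips to the original string, so the regular expression is still usable by the browser but cannot change the element.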
Google Pagespeed Insights < 4.0.4 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape various parameters before outputting them back in attributes in the plugin's settings dashboard, leading to Reflected Cross-Site Scripting...
WP Google Fonts < 3.1.5 - Reflected Cross-Site Scripting
The plugin does not escape the googlefontajaxname and googlefontajaxfamily parameters of the googlefontaction AJAX action, available to any authenticated user, before outputting them in attributes, leading to Reflected Cross-Site Scripting issues. var form1 = document.getElementById('hack'); //form1.submit...
Crocoblock JetEngine Cross-Site Scripting Vulnerability
Crocoblock JetEngine is a dynamic content plugin that allows you to build complex websites quickly and cost-effectively. A cross-site scripting vulnerability exists in Crocoblock JetEngine that can be exploited by attackers to perform XSS via custom form input...
CVE-2021-38607
Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input...
Cross site scripting
Crocoblock JetEngine before 2.6.1 allows XSS by remote authenticated users via a custom form input...
CVE-2021-38607
CVE-2021-38607 affects Crocoblock JetEngine prior to 2.6.1, where XSS is possible via a custom form input by remote authenticated users. The issue stems from an input handling flaw in the plugin component responsible for form data, enabling reflected or stored XSS depending on how the input is pr...
Crocoblock JetEngine Cross-Site Scripting Vulnerability
Crocoblock JetEngine is a dynamic content plugin that allows you to build complex websites quickly and cost-effectively. A cross-site scripting vulnerability exists in Crocoblock JetEngine that can be exploited by attackers to perform XSS via custom form input...
RSS for Yandex Turbo <= 1.30 - Authenticated Stored XSS
The plugin does not sanitise or escape some of its settings before saving and outputting them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. PoC Vulnerable parameters: =, =, =, =, =, =. PoC 1 |...
UBUNTU-CVE-2020-13663
Cross Site Request Forgery vulnerability in Drupal Core Form API: the API does not properly handle certain form input from cross-site requests, which can lead to other vulnerabilities...
Triconsole Datepicker Calendar Cross-Site Scripting Vulnerability
Triconsole Datepicker Calendar is a Triconsole open source application that provides a calendar component. A cross-site scripting vulnerability exists in Triconsole Datepicker Calendar prior to version 3.77, which stems from calendar_form.php not fully validating user input, which allows an attacker ...
DRUPAL-CONTRIB-2020-014
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently filter user input in the scenario when a webform is edited: namely, the message related to the character min/max counter does not undergo sufficient filtering and thus allows execution of JavaScript cod...
Chained Quiz < 1.1.9.1 - Authenticated Stored XSS
The WordPress plugin Chained Quiz, version 1.1.9 and before, suffers from a Stored XSS vulnerability in the sendername, adminsubject and usersubject POST parameters when an admin saves the plugin settings; because an admin must submit the payload, the severity is very low. POST /wp-admin/admin.php?page=chainedquizoptions...
CVE-2019-19679
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue...
CVE-2018-11773
Apache VCL versions 2.1 through 2.5 do not properly validate form input when processing a submitted block allocation. The form data is then used as an argument to the PHP built-in function strtotime(). This allows for an attack against the underlying implementation of that function. The...
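The Apache VCL entry differs from the XSS entries: the form value is not echoed to a browser but handed to a lenient parser, and PHP's strtotime() accepts free-form and relative expressions rather than one fixed date layout. The defence is to constrain the submitted string to the shape the form is meant to produce before any date parser sees it. The following is an added illustration in Python rather than VCL's PHP, not the project's code; the accepted format, the length cap, the one-year booking window and the fixed reference clock are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed submission format for a block-allocation time (example choice,
# not Apache VCL's real form contract): "YYYY-MM-DD HH:MM", 16 characters.
_BLOCK_TIME = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")
MAX_LEN = 16
WINDOW_DAYS = 365  # assumed: allocations may be booked up to a year ahead

# Constructed fixed "now" so the example is reproducible offline.
REFERENCE_NOW = datetime(2022, 6, 1, 12, 0)


def parse_block_time(raw, now: datetime = REFERENCE_NOW):
    """Return a datetime for a well-formed, in-window submission, else None.

    Order matters: type and length checks first (cheap, bound the input),
    then an allow-list regex, then the strict single-format parser, then a
    business-rule range check. Free-form strings such as "next tuesday" or
    "+1000000 years" never reach a parser at all.
    """
    if not isinstance(raw, str) or len(raw) > MAX_LEN:
        return None
    if not _BLOCK_TIME.match(raw):
        return None
    try:
        # strptime only accepts the one explicit layout, unlike a lenient
        # natural-language date function.
        value = datetime.strptime(raw, "%Y-%m-%d %H:%M")
    except ValueError:  # shape was right but the fields were not (month 13, hour 25)
        return None
    if not (now <= value <= now + timedelta(days=WINDOW_DAYS)):
        return None
    return value


def block_time_iso(raw, now: datetime = REFERENCE_NOW):
    """Convenience wrapper returning the accepted value as an ISO string."""
    value = parse_block_time(raw, now)
    return value.isoformat() if value is not None else None


if __name__ == "__main__":
    for candidate in ["2022-06-15 09:30", "next tuesday", "2022-13-01 09:30",
                      "2021-01-01 00:00", "2022-06-15 09:30 +9999 years"]:
        print(repr(candidate), "->", block_time_iso(candidate))
```

Only the first candidate is accepted; the relative expression, the impossible month, the date in the past and the over-long string are all rejected before any parsing that could be abused happens.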