15792 matches found
CVE-2023-28598
Zoom for Linux clients prior to 5.13.10 contain an HTML injection vulnerability. If a victim starts a chat with a malicious user it could result in a Zoom application crash...
CVE-2023-48003
An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via the 'meta http-equiv="refresh"' in the WebSocket messages...
CVE-2023-48104
Alinto SOGo before 5.9.1 is vulnerable to HTML Injection...
CVE-2023-35075
Mattermost fails to use innerText / textContent when setting the channel name in the webapp during autocomplete, allowing an attacker to inject HTML to a victim's page by create a channel name that is valid HTML. No XSS is possible though...
CVE-2023-41316
Tolgee is an open-source localization platform. Due to lack of validation field - Org Name, bad actor can send emails with HTML injected code to the victims. Registered users can inject HTML into unsanitized emails from the Tolgee instance to other users. This unsanitized HTML ends up in invitati...
CVE-2023-47119
Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the stable branch and version 3.2.0.beta3 of the beta and tests-passed branches, some links can inject arbitrary HTML tags when rendered through our Onebox engine. The issue is patched in version 3.1.3 of the...
GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence AI assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites...
CVE-2023-43828
A Cross-site scripting XSS vulnerability in /panel/languages/ of Subrion v4.2.1 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into 'Title' parameter...
CVE-2023-48837
Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code...
CVE-2023-48825
Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code...
CVE-2023-48827
Time Slots Booking Calendar 4.0 is vulnerable to Multiple HTML Injection issues via the name, pluginsmsapikey, pluginsmscountrycode, calendarid, title, country name, or customername parameter...
CVE-2023-41944
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not escape the queue name parameter passed to a form validation URL, when rendering an error message, resulting in an HTML injection vulnerability...
CVE-2023-40810
OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field...
CVE-2023-38694
Umbraco is an ASP.NET content management system CMS. Starting in version 8.0.0 and prior to versions 8.18.10, 10.7.0, and 12.1.0, a user with access to a specific part of the backoffice is able to inject HTML code into a form where it is not intended. Versions 8.18.10, 10.7.0, and 12.1.0 contain ...
CVE-2023-38536
HTML injection in OpenText™ Exceed Turbo X affecting version 12.5.1. The vulnerability could result in Cross site scripting...
CVE-2023-37798
A stored cross-site scripting XSS vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter...
CVE-2023-46595
Net-NTLM leak via HTML injection in FireFlow VisualFlow workflow editor allows an attacker to obtain victim’s domain credentials and Net-NTLM hash which can lead to relay domain attacks. Fixed in A32.20 b570 or above, A32.50 b390 or above...
CVE-2023-33944
Cross-site scripting XSS vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's UR...
CVE-2023-46127
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version...
CVE-2023-33799
A stored cross-site scripting XSS vulnerability in the Create Contacts /tenancy/contacts/ function of Netbox v3.5.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name field...