Wing FTP Cross-Site Scripting Vulnerability
Wing FTP Server is a cross-platform FTP server software. A cross-site scripting vulnerability exists in Wing FTP version 6.4.4, where an arbitrary IFRAME element can be included in a help page via a specially crafted link, which can be exploited by an attacker to execute sandboxed arbitrary HTML an...
Server-Side Request Forgery in html-pdf-chrome
Recommendation This package is working as intended. A Security section has been added since v0.6.1 to detail proper usage of this library. Npm has revoked their advisory altogether. Original Advisory All versions of html-pdf-chrome are vulnerable to Server-Side Request Forgery SSRF. The package...
Cross-site Scripting (XSS)
trix is vulnerable to cross-site scripting (XSS) attacks. The Trix editor allows the execution of JavaScript when the content that is copied and pasted from the clipboard into the editor contains HTML...
Cross-Site Scripting (XSS)
vuetify is vulnerable to cross-site scripting (XSS) attacks. User inputs are directly rendered and executed as HTML without sanitization in 'VInput.ts', allowing an attacker to inject arbitrary JavaScript...
The vulnerability in the Expedition Migration tool exists because no measures were taken to protect the website structure, allowing an attacker to execute arbitrary JavaScript or HTML code.
The vulnerability in the Network Configuration Transfer tool exists because no measures have been taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to remotely execute arbitrary JavaScript or HTML code...
CVE-2019-7341
Reflected cross-site scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'newMonitorLinkedMonitors' parameter value in the view 'monitor' (monitor.php) because proper filtration is omitted...
CVE-2019-7344
Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code in the view 'filter' as it insecurely prints the 'filterName' aka Filter name value on the web page without applying any proper filtration...
Cross site scripting
A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/blocks/blocks/edit/8...
DEBIAN-CVE-2018-16477
A bypass vulnerability in Active Storage <= 5.2.0 for Google Cloud Storage and Disk services allows an attacker to modify the content-disposition and content-type parameters, which can be used with HTML files to have them executed inline. Additionally, if combined with other techniques such as...
CVE-2018-19420
In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads, but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and validatesafefile in...
Design/Logic Flaw
osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. The .htaccess file in catalog/images/ bans the html extension, but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g.,...
PoC Attack Leverages Microsoft Office and YouTube to Deliver Malware
A stealthy malware delivery tactic has been uncovered in the way videos are embedded into Microsoft Word Documents, according to researchers. It allows JavaScript code-execution when a user clicks on a weaponized YouTube video thumbnail within a Word document – with no alert message displayed by...
McAfee Threat Intelligence Exchange Server Code Injection Vulnerability
McAfee Threat Intelligence Exchange (TIE) Server is a threat detection and response solution from the US company McAfee. The product provides real-time protection, threat detection, and endpoint protection. The ePolicy Orchestrator (ePO) extension is one of its security managemen...
Cross site scripting
A stored cross-site scripting vulnerability in CA Identity Governance 12.6 allows remote authenticated attackers to display HTML or execute script in the context of another user...
Cross site scripting
RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-site scripting via the Questionnaire ID field. An authenticated attacker may potentially exploit this to execute arbitrary HTML in the user's browser session in the context of the affected RSA Archer application...
HackerOne: Lack of input sanitization in Marketo form leads to execution of HTML in lead emails
Hi, there is an SSRF vulnerability due to img tag injection in the "Contact HackerOne Sales" form. Since the vulnerability triggers after 18-20 minutes, I am not sure which site it affects. It might affect hackerone or marketo, so I thought it would be better to report it first on hackerone. POC 1. Naviga...
CVE-2017-6395
An issue was discovered in HashOver 2.0. The vulnerability exists due to insufficient filtration of user-supplied data passed to the 'hashover/scripts/widget-output.php' URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website...
CVE-2016-10215
An issue was discovered in Fastspot BigTree bigtree-form-builder before 1.2. The vulnerability exists due to insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to a "site/index.php/../../extensions/com.fastspot.form-builder/ajax/redraw-field.php" URL. An attacke...