CVE-2023-34457 MechanicalSoup vulnerable to malicious web server reading arbitrary files on client using file input inside HTML form
MechanicalSoup is a Python library for automating interaction with websites. Starting in version 0.2.0 and prior to version 1.3.0, a malicious web server can read arbitrary files on the client using an <input type="file"> element inside an HTML form. All users of MechanicalSoup's form submission are affected, unless they took...
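The mechanism behind this entry, as an added illustration that is not MechanicalSoup's own code: a server-controlled page puts a client-side path into the value attribute of a file input, and a client that honours that attribute when packaging the form opens and uploads the file. The form, field names, the temporary "secret" file and the builder functions are all constructed here; the vulnerable builder reproduces the described pre-1.3.0 behaviour in simplified form, and the hardened builder only attaches files the calling code chose itself.

```python
import os
import tempfile
from html.parser import HTMLParser

# Constructed malicious response: a server-controlled page whose file input
# carries a value attribute naming a file on the *client's* disk.  {path} is
# filled in by demo() with a temporary file so the example runs anywhere.
MALICIOUS_FORM = """<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="text" name="username" value="bob">
  <input type="file" name="upload" value="{path}">
  <input type="submit" value="Send">
</form>"""


class InputCollector(HTMLParser):
    """Collect the attributes of every <input> in the page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v if v is not None else "") for k, v in attrs})


def parse_inputs(html_text):
    parser = InputCollector()
    parser.feed(html_text)
    return parser.inputs


def build_fields_vulnerable(inputs):
    """Pre-1.3.0-style behaviour, reconstructed for illustration (not
    MechanicalSoup's code): a file input whose value attribute is set is
    treated as a file the client wants to upload, so the path chosen by
    the *server* is opened and read from the client's disk."""
    fields = {}
    for inp in inputs:
        name = inp.get("name")
        kind = inp.get("type", "text").lower()
        if not name or kind == "submit":
            continue
        if kind == "file":
            path = inp.get("value", "")
            if path:
                with open(path, "rb") as fh:
                    fields[name] = (os.path.basename(path), fh.read())
        else:
            fields[name] = inp.get("value", "")
    return fields


def build_fields_hardened(inputs, chosen_files=None):
    """Hardened behaviour: only files the *client code* explicitly chose
    (chosen_files: field name -> local path) are attached.  A value attribute
    on a file input is server-controlled data and is ignored."""
    chosen_files = chosen_files or {}
    fields = {}
    for inp in inputs:
        name = inp.get("name")
        kind = inp.get("type", "text").lower()
        if not name or kind == "submit":
            continue
        if kind == "file":
            if name in chosen_files:
                with open(chosen_files[name], "rb") as fh:
                    fields[name] = (os.path.basename(chosen_files[name]), fh.read())
            # No client choice: send nothing for this field, whatever value= says.
        else:
            fields[name] = inp.get("value", "")
    return fields


def demo():
    """Write a stand-in for the client's sensitive file, let the 'server' name
    it in the form, and compare what each builder would send."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".secret") as fh:
        fh.write(b"client-secret-data\n")
        secret_path = fh.name
    try:
        inputs = parse_inputs(MALICIOUS_FORM.format(path=secret_path))
        leaked = build_fields_vulnerable(inputs)
        safe = build_fields_hardened(inputs)   # the client chose no file
        return leaked, safe
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable builder would upload:", leaked.get("upload"))
    print("hardened builder sends for 'upload':", safe.get("upload"))
```

The point to check in any form-automation client is the same: the only files that leave the machine are the ones the calling code named, never ones the server's HTML named.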
Pannres-Idence CMS 7.3 Cross Site Request Forgery
==================================================================================================================================== | Title : Pannres-idence CMS 7.3 CSRF Vulnerability | | Author : indoushka | | Tested on : Windows 10 French V.Pro / browser : Mozilla Firefox 66.0.3 32-bit | |...
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The plugin does not properly sanitize and escape the srcdoc attribute of iframes in its custom HTML field type, allowing a logged-in user with a role as low as contributor to inject arbitrary JavaScript into a form, which will trigger for any visitor to the form or for admins previewing or editing the...
K48321015: The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages
Security Advisory Description The BIG-IP Advanced WAF and ASM systems may fail to correctly enforce HTML form login pages when the request contains an incorrectly formatted parameter. This issue occurs when the security policy includes a configuration that enables brute force protection for the...
Demanzo Matrimony 1.5 Cross Site Request Forgery
==================================================================================================================================== | Title : Demanzo Matrimony v.1.5 CSRF Vulnerability | | Author : indoushka | | Tested on : Windows 10 French V.Pro / browser : Mozilla Firefox 109.0.1 32-bit | |...
SUSE CVE-2008-3422
Multiple cross-site scripting (XSS) vulnerabilities in the ASP.NET class libraries in Mono 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted attributes related to (1) HtmlControl.cs PreProcessRelativeReference, (2) HtmlForm.cs RenderAttributes, (3) HtmlInputButton...
SUSE CVE-2013-1724
Use-after-free vulnerability in the mozilla::dom::HTMLFormElement::IsDefaultSubmitElement function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors...
SUSE CVE-2013-2927
Use-after-free vulnerability in the HTMLFormElement::prepareForSubmission function in core/html/HTMLFormElement.cpp in Blink, as used in Google Chrome before 30.0.1599.101, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to...
FL3R FeelBox <= 8.1 - Moods Reset via CSRF
The plugin does not have a CSRF check when updating or resetting moods, which could allow attackers to make logged-in admins perform such actions via a CSRF attack and delete the lydlposts & lydlpoststimestamp DB tables. Make a logged-in admin open a page containing the HTML code below...
CVE-2021-4284
A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.0 is able to addres...
CVE-2021-4284
OpenMRS HTML Form Entry UI Framework Integration Module (up to 1.x) contains a cross-site scripting vulnerability. The affected component is tied to the Single-Input UI Framework Integration Module, with remote initiation possible and no specific affected version beyond 1.x identified in the prov...
PT-2022-11701 · Openmrs · Openmrs Html Form Entry Ui Framework Integration Module
Name of the Vulnerable Software and Affected Versions: OpenMRS HTML Form Entry UI Framework Integration Module versions up to 1.x Description: A vulnerability has been found in the OpenMRS HTML Form Entry UI Framework Integration Module, which affects an unknown part and leads to cross-site...
Mautic Integration For WooCommerce < 1.0.3 - Arbitrary Options Update via CSRF
The plugin does not have a proper CSRF check when updating settings, and does not ensure that the options to be updated belong to the plugin, allowing attackers to make a logged-in admin change arbitrary blog options via a CSRF attack. The attack could also be performed via an LFI if one is present ...
CSRF on SSL certificates deletion
📜 Description Cross-site request forgery, also known as CSRF, is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform, using form submissions. It allows an attacker to partly circumvent the same-origin policy, which is designed to...
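As an added example that is not part of the report above (nor code from any of the plugins listed on this page): the two server-side properties that defeat the form-submission attack just described, an Origin check and a token bound to the session that a cross-site page cannot read. The attacker page, origins, session id, request shape and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed attacker page of the kind the advisories on this page refer to as
# "the HTML code below": a hidden form that auto-submits a cross-site POST.
# The victim's browser attaches its session cookie; the request carries no
# token, and the browser sets Origin to the attacker's site, not ours.
ATTACKER_PAGE = """<html><body onload="document.forms[0].submit()">
<form action="https://victim.example/admin/certs/delete" method="POST">
  <input type="hidden" name="cert_id" value="42">
</form></body></html>"""

SITE_ORIGIN = "https://victim.example"     # assumed: our own origin
SECRET_KEY = secrets.token_bytes(32)       # assumed: per-deployment server secret


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(key, session_id).
    The site renders it into every state-changing form it serves."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_safe(request, session_id):
    """Decide whether a state-changing request may proceed.
    `request` is a plain dict {method, headers, body} (a constructed shape,
    not a real framework's request object).  Returns (ok, reason)."""
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"          # these must never change state
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # Check 1: browsers send Origin on cross-site form posts.  Reject anything
    # that is not our own origin; fall back to Referer; fail closed if neither.
    src = headers.get("origin") or headers.get("referer")
    if not src:
        return False, "no Origin/Referer"
    parsed = urlparse(src)
    if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
        return False, f"cross-site origin {parsed.scheme}://{parsed.netloc}"

    # Check 2: the token in the body must match the one bound to this session.
    # A cross-site page cannot read it (same-origin policy), so cannot forge it.
    token = parse_qs(request.get("body", "")).get("csrf_token", [""])[0]
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def demo():
    session = "sess-7f3a"                   # constructed session id from the cookie
    forged = {                              # what ATTACKER_PAGE makes the browser send
        "method": "POST",
        "headers": {"Origin": "https://attacker.example", "Cookie": "session=sess-7f3a"},
        "body": "cert_id=42",
    }
    same_site_no_token = {                  # our origin, but the token is missing
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "session=sess-7f3a"},
        "body": "cert_id=42",
    }
    legitimate = {                          # our own form, token included
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "session=sess-7f3a"},
        "body": f"cert_id=42&csrf_token={issue_csrf_token(session)}",
    }
    return {
        "forged": is_csrf_safe(forged, session),
        "same_site_no_token": is_csrf_safe(same_site_no_token, session),
        "legitimate": is_csrf_safe(legitimate, session),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} -> {'allowed' if ok else 'blocked'} ({why})")
```

Either check alone has a failure mode: the Origin check fails open on clients that strip both headers unless you fail closed as above, and a token check is only as good as the binding to the session. Marking the session cookie SameSite=Lax or Strict is a complementary browser-side defence, not a replacement for the server-side check.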
Default credentials
A flaw was found in RHDM, where sensitive HTML form fields such as Password have auto-complete enabled, which may lead to a leak of credentials...
Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload
The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated user, such as a subscriber, to upload arbitrary files, such as PHP. As a subscriber, open the HTML code below while being logged in as a subscriber, then choose a file to...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Deletion
The plugin does not have any authorisation and CSRF checks in place when deleting events, which could allow unauthenticated attackers to delete arbitrary events. As an unauthenticated user, open the code below; this will delete the event with ID 4 from the calendar with ID 1...
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS
The plugin does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation and escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them. As an...
Social Slider Feed < 2.0.5 - Subscriber+ Stored XSS via Feeds
The plugin does not have authorisation and CSRF checks in place when adding and editing a Feed, and does not sanitise or escape user input. As a result, users with a role as low as subscriber could add arbitrary feeds with Stored Cross-Site Scripting payloads in them. As any authenticated...