StrangeBee TheHive Security Vulnerability
TheHive is a scalable open source security incident response platform. A security vulnerability exists in StrangeBee TheHive versions 5.1.0 through 5.1.9 and 5.2.0 through 5.2.8. An attacker can exploit the vulnerability to upload malicious HTML files with Javascript code...
CVE-2023-51252
PublicCMS 4.0 is vulnerable to Cross Site Scripting XSS. Because files can be uploaded and an online preview function is provided, PDF and HTML files containing malicious code can be uploaded, and an XSS popup window is triggered when they are viewed online...
CVE-2023-1720
Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through...
CVE-2023-45281
An issue in Yamcs 5.8.6 allows attackers to obtain the session cookie via upload of a crafted HTML file...
Yamcs Cross-Site Scripting Vulnerability
Yamcs is an open source software framework from Yamcs Open Source. It is used to command and control spacecraft, satellites, payloads, ground stations and ground equipment. A security vulnerability exists in Yamcs version 5.8.6, which originates from a method that allows you to upload an HTML fil...
Cockpit Cross-site Scripting vulnerability
Cross-site Scripting XSS - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. For any role that has permission to execute function assets, an attacker can upload an HTML file, and that leads to XSS...
Cross-site Scripting (Stored XSS)
Description For any role that has permission to execute function assets, I can add a new asset. Even though the site only allows uploading images and GIFs, I can still upload an HTML file by modifying the magic number, and that leads to XSS. Proof of Concept 1. Link PoC:...
CVE-2023-27082
Cross Site Scripting XSS vulnerability in /admin.php in Pluck CMS 4.7.15 through 4.7.16-dev4 allows remote attackers to run arbitrary code via upload of a crafted HTML file...
Pluck Cross-Site Scripting Vulnerability
Pluck is a content management system CMS developed using the PHP language. A security vulnerability exists in Pluck CMS versions 4.7.15 through 4.7.16-dev4, which originates from a cross-site scripting XSS vulnerability in file /admin.php. An attacker can exploit the vulnerability by uploading a...
PT-2023-20940 · Pluck Cms · Pluck Cms
Name of the Vulnerable Software and Affected Versions: Pluck CMS versions 4.7.15 through 4.7.16-dev4 Description: The issue is related to a Cross Site Scripting XSS vulnerability. It affects the /admin.php endpoint, allowing remote attackers to run arbitrary code via the upload of a crafted HTML...
CVE-2023-34855
A Cross Site Scripting XSS vulnerability in Youxun Electronic Equipment Shanghai Co., Ltd AC Centralized Management Platform v1.02.040 allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /upfile.cgi...
PT-2023-25036 · Youxun Electronic Equipment (Shanghai) Co. · Ac Centralized Management Platform
Name of the Vulnerable Software and Affected Versions: Youxun Electronic Equipment Shanghai Co., Ltd AC Centralized Management Platform version 1.02.040 Description: A Cross Site Scripting XSS issue allows attackers to execute arbitrary code via uploading a crafted HTML file to the "upfile.cgi" A...
D-Link AC Centralized Management Platform Cross-Site Scripting Vulnerability
D-Link AC Centralized Management Platform is a centralized management platform from China-based D-Link. A security vulnerability exists in D-Link AC Centralized Management Platform v1.02.040, which originates from a cross-site scripting XSS vulnerability that allows an attacker to execute arbitra...
CVE-2023-34856
A Cross Site Scripting XSS vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /authpic.cgi...
Pydio Cells 4.1.2 Cross Site Scripting
Advisory: Pydio Cells: Cross-Site Scripting via File Download Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript 1. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web...
CVE-2023-26120
This affects all versions of the package com.xuxueli:xxl-job. HTML uploaded payload executed successfully through /xxl-job-admin/user/add and /xxl-job-admin/user/update...
CVE-2023-23707
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting', Unrestricted Upload of File with Dangerous Type vulnerability in Awsm Innovations Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files allows Stored XSS via upload of SVG and HTML files. This issue...
Design/Logic Flaw
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid...
CVE-2023-23937 Missing file upload type validation in pimcore/pimcore
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid...