115 matches found
HCL Unica Platform 安全漏洞
HCL Unica Platform is a state-of-the-art enterprise automated marketing platform from HCL India. It handles routine marketing tasks and captures the most effective leads without the need for manual intervention. HCL Unica Platform suffers from a security vulnerability that stems from cookies not...
EUVD-2016-10647
Malware in sbrugna...
CVE-2025-57424
A stored cross-site scripting XSS vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the absence of the...
PT-2025-39175
Name of the Vulnerable Software and Affected Versions WSO2 products affected versions not specified Description An authenticated stored cross-site scripting XSS issue exists because of insufficient validation of user-provided input when uploading API documents within the Publisher portal. An...
Linux Distros Unpatched Vulnerability : CVE-2023-4639
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker...
GHSA-CXRX-Q234-M22M io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorize...
CVE-2024-49764 LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/capture.inc.php
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A Stored Cross-Site Scripting XSS vulnerability in the "Capture Debug Information" page allows authenticated users to inject arbitrary JavaScript through the "hostname" parameter when creating a new device. This...
CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode
Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting XSS vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...
undertow: Cookie Smuggling/Spoofing
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized da...
K15273: Apache vulnerability CVE-2012-0053
Security Advisory Description protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request aka 400 error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a 1 long o...
SUSE CVE-2016-9848
An issue was discovered in phpMyAdmin. phpinfo phpinfo.php shows PHP information including values of HttpOnly cookies. All 4.6.x versions prior to 4.6.5, 4.4.x versions prior to 4.4.15.9, and 4.0.x versions prior to 4.0.10.18 are affected...
CVE-2022-45411
Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitigate this attack, browsers placed limits on fetch and XMLHttpReques...
Mozilla: Cross-Site Tracing was possible via non-standard override headers
The Mozilla Foundation Security Advisory describes this flaw as: Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitiga...
Mozilla: Cross-Site Tracing was possible via non-standard override headers
The Mozilla Foundation Security Advisory describes this flaw as: Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitiga...
Mozilla: Cross-Site Tracing was possible via non-standard override headers
The Mozilla Foundation Security Advisory describes this flaw as: Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitiga...
Mozilla: Cross-Site Tracing was possible via non-standard override headers
The Mozilla Foundation Security Advisory describes this flaw as: Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitiga...
Mozilla: Cross-Site Tracing was possible via non-standard override headers
The Mozilla Foundation Security Advisory describes this flaw as: Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript such as cookies protected by HTTPOnly. To mitiga...
Linktree: XSS in SocialIcon Link
XSS in SocialIcon Link There was no validation of the url provided for the SocialIcon Link , which allowed to include javascript uri . As the cookies were marked as httponly , I couldn't steal them directly via the xss so instead I found an endpoint which was leaking the accessToken used for...
GHSA-47WC-P5CP-W7PW Exposure of Sensitive Information to an Unauthorized Actor in Jenkins
Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly...
WordPress WPSchoolPress 2.1.16 Plugin - (Multiple) Cross Site Scripting Vulnerability
Exploit Title: WordPress Plugin WPSchoolPress 2.1.16 - 'Multiple' Cross Site Scripting XSS Exploit Author: Davide Taraschi Vendor Homepage: https://wpschoolpress.com/ Software Link: https://wpschoolpress.com/free-download/ Version: up to 2.1.17 non included Tested on: Ubuntu 20.04 over WordPress...