5059 matches found

Github Security Blog
added 2022/06/21 8:04 p.m., 35 views

Argo CD's external URLs for Deployments can include JavaScript

Impact: All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting XSS bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions up to and including admin. The scri...

CVSS: 9, AI score: 5.6, EPSS: 0.00774
Exploits: 0, References: 5, Affected software: 2
Veracode
added 2022/06/21 4:14 a.m., 17 views

Cross-site Scripting (XSS)

microweber/microweber is vulnerable to cross-site scripting. The vulnerability exists due to the lack of sanitization in the type parameter, allowing an attacker to inject and execute malicious javascript...

CVSS: 6.1, AI score: 6, EPSS: 0.43672
Exploits: 1, References: 4, Affected software: 1
ATTACKERKB
added 2022/06/14 10:15 a.m., 2 views

CVE-2022-29034

A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.1. An error message pop up window in the web interface of the affected application does not prevent injection of JavaScript code. This could allow attackers to perform reflected cross-site scripting XSS attacks...

CVSS: 6.1, AI score: 6.2, EPSS: 0.07048
Exploits: 3, References: 5
OSV
added 2022/06/14 10:15 a.m., 2 views

CVE-2022-29034

A vulnerability has been identified in SINEMA Remote Connect Server All versions V3.1. An error message pop up window in the web interface of the affected application does not prevent injection of JavaScript code. This could allow attackers to perform reflected cross-site scripting XSS attacks...

CVSS: 6.1, AI score: 5.6
Exploits: 0, References: 4
CVE
added 2022/06/14 9:21 a.m., 108 views

CVE-2022-29034

Siemens SINEMA Remote Connect Server is affected for all versions prior to 3.1. The vulnerability is a reflected cross-site scripting (XSS) flaw in the web interface where an error message popup window does not prevent JavaScript injection. Under CVSS3.1, base score 6.1 (NETWORK, LOW attack compl...

CVSS: 6.1, AI score: 6.3, EPSS: 0.07048
Exploits: 3, References: 4, Affected software: 1
OSV
added 2022/06/08 10:15 a.m., 1 view

CVE-2022-1695

The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00103
Exploits: 2, References: 1
ATTACKERKB
added 2022/06/08 10:15 a.m., 4 views

CVE-2022-1695

The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00103
Exploits: 2, References: 2
Prion
added 2022/06/08 10:15 a.m., 13 views

Cross-site request forgery (CSRF)

The WP Simple Adsense Insertion WordPress plugin before 2.1 does not perform CSRF checks on updates to its admin page, allowing an attacker to trick a logged in user to manipulate ads and inject arbitrary javascript via submitting a form...

CVSS: 4.3, AI score: 4.7, EPSS: 0.00103
Exploits: 2, References: 1, Affected software: 1
CNNVD
added 2022/06/08 12:00 a.m., 5 views

RosarioSIS cross-site scripting vulnerability

RosarioSIS Student Information System, designed for school administration, is designed to meet the most important needs of administrators, teachers, support staff, parents, students and clerical staff, however, it also adds many components not normally found in student information systems. versio...

CVSS: 8.8, AI score: 5.2, EPSS: 0.00309
Exploits: 1, References: 4
CNNVD
added 2022/06/08 12:00 a.m., 3 views

WordPress plugin WP Simple Adsense Insertion cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress WP Simple Adsense Insertion plugin prior to version 2.1 is vulnerable to cross-site request...

CVSS: 4.3, AI score: 5.7, EPSS: 0.00103
Exploits: 2, References: 2
CNNVD
added 2022/06/06 12:00 a.m., 3 views

FlatCore-CMS cross-site scripting vulnerability

flatCore-CMS is a PHP and MySQL/SQLite based Web Content Management System CMS. flatCore-CMS version 2.0.9 is vulnerable to a cross-site scripting XSS vulnerability. An attacker could use this vulnerability to inject malicious JavaScript programs, steal cookies from other users, etc...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00328
Exploits: 1, References: 2
CNNVD
added 2022/06/06 12:00 a.m., 3 views

SeedDMS cross-site scripting vulnerability

SeedDMS formerly known as LetoDMS and MyDMS is a PHP and MySql based document management system used to store and share documents. SeedDMS versions 6.0.18 and 5.1.25 contain a cross-site scripting vulnerability that stems from the Add category function in the Global Keyword menu, which is prone t...

CVSS: 5.4, AI score: 5.3, EPSS: 0.00774
Exploits: 1, References: 4
OSV
added 2022/06/03 10:32 p.m., 5 views

GHSA-MJ46-R4GR-5X83 Unsanitized JavaScript code injection possible in gatsby-plugin-mdx

Impact: The gatsby-plugin-mdx plugin prior to versions 3.15.2 and 2.14.1 passes input through to the gray-matter npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present when passing input in both webpack MDX fil...

CVSS: 8.1, AI score: 5.8, EPSS: 0.00712
Exploits: 1, References: 7
NVD
added 2022/06/03 6:15 a.m., 14 views

CVE-2022-32269

In Real Player 20.0.8.310, the G2 Control allows injection of unsafe javascript: URIs in local HTTP error pages displayed by Internet Explorer core. This leads to arbitrary code execution...

CVSS: 9.8, EPSS: 0.01185
Exploits: 1, References: 2
WPVulnDB
added 2022/06/02 12:00 a.m., 14 views

Dokan < 3.6.4 - Vendor Stored Cross-Site Scripting

The plugin allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators. PoC: As a vendor, add a review in any products with following payload: https://youtu.be/gGUNSG5s5JU...

AI score: 1.5, EPSS: 0.00255
Exploits: 2, Affected software: 1
Veracode
added 2022/06/01 9:52 a.m., 38 views

Denial Of Service (DoS)

protobuf is vulnerable to denial of service. The vulnerability exists due to a lack of sanitization in the google.protobuf.UnknownFieldSet parameter, which allows a remote attacker to inject malicious javascript into the system and crash it, which allows an attacker to...

CVSS: 7.5, AI score: 6.2, EPSS: 0.00471
Exploits: 1, References: 8, Affected software: 3
CNNVD
added 2022/05/25 12:00 a.m., 2 views

WordPress plugin Advanced Contact form 7 DB cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress Advanced Contact form 7 DB 1.8.7 and its previous versions have a cross-site scripting vulnerability, which can be exploited by...

CVSS: 6.1, AI score: 5.3, EPSS: 0.0021
Exploits: 0, References: 3
Snyk
added 2022/05/24 10:29 p.m., 2 views

Cross-site Scripting (XSS)

Overview: magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via form fields. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious scripts into vulnerable...

CVSS: 6.5, AI score: 5.7, EPSS: 0.01528
Exploits: 0, References: 2
Github Security Blog
added 2022/05/24 5:35 p.m., 22 views

Moodle Cross-site Scripting (XSS)

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8...

CVSS: 6.1, AI score: 6.4, EPSS: 0.0034
Exploits: 0, References: 3, Affected software: 1
OSV
added 2022/05/24 5:35 p.m., 14 views

GHSA-4W4J-9533-82QG Moodle Cross-site Scripting (XSS)

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8...

CVSS: 6.1, AI score: 5.8, EPSS: 0.0034
Exploits: 0, References: 3