
5057 matches found

CVE
added 2022/02/09 10:3 p.m. · 77 views

CVE-2022-23047

Exponent CMS 2.6.0patch2 is affected: an authenticated admin can inject persistent JavaScript into the Site/Organization Name, Site Title, and Site Header when updating settings via /exponentcms/administration/configure_site. Several connected sources describe this as a cross-site scripting issue...

CVSS 4.8 · AI score 5.1 · EPSS 0.00515
Exploits: 1 · References: 3 · Affected Software: 1

OSV
added 2022/02/09 4:15 a.m. · 38 views

CVE-2022-24682

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 update 1, as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing...

CVSS 6.1 · AI score 6.6 · EPSS 0.88633
Exploits: 2 · References: 6

Vulnrichment
added 2022/02/09 3:19 a.m. · 15 views

CVE-2022-24682

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 update 1, as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing...

AI score 6.2 · EPSS 0.88633
Exploits: 2 · References: 5

Positive Technologies
added 2022/02/09 12:0 a.m. · 3 views

PT-2022-4547

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions 8.8.x through 8.8.15 patch 29 Description: An issue was discovered in the Calendar feature, allowing an attacker to place HTML containing executable JavaScript inside element attributes. This markup becomes...

CVSS 6.1 · AI score 7.1 · EPSS 0.88633
Exploits: 2 · References: 23

OSV
added 2022/02/07 11:15 a.m. · 3 views

CVE-2022-0473

OTRS administrators can configure a dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be executed in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions...

CVSS 4.8 · AI score 5.8 · EPSS 0.00364
Exploits: 0 · References: 1

ATTACKERKB
added 2022/02/07 9:0 a.m. · 2 views

CVE-2022-0473

OTRS administrators can configure a dynamic field and inject malicious JavaScript code in the error message of the regular expression check. When used in the agent interface, malicious code might be executed in the browser. This issue affects: OTRS AG OTRS 7.0.x version: 7.0.31 and prior versions...

CVSS 4.8 · AI score 5.6 · EPSS 0.00364
Exploits: 0 · References: 2 · Affected Software: 1

CNNVD
added 2022/02/07 12:0 a.m. · 3 views

OTRS Cross-Site Scripting Vulnerability

OTRS is an open source defect tracking and management system software. OTRS suffers from a cross-site scripting vulnerability that originates in a dynamic field that can be configured by OTRS administrators, where malicious JavaScript code can be injected in the error message of a regular...

CVSS 4.8 · AI score 5.6 · EPSS 0.00364
Exploits: 0 · References: 3

OSV
added 2022/02/04 11:15 p.m. · 2 views

CVE-2022-0218

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the /includes/class-template-designer.php file, in versions up to...

CVSS 6.1 · AI score 5.8 · EPSS 0.50799
Exploits: 3 · References: 2

Veracode
added 2022/01/28 3:57 a.m. · 22 views

Cross-site Scripting (XSS)

pimcore/pimcore is vulnerable to cross-site scripting. The vulnerability exists in getTreeAction function of ClassController.php because the icon field has not been escaped which allows an attacker to inject and execute arbitrary javascript...

CVSS 5.4 · AI score 3.1 · EPSS 0.00027
Exploits: 1 · References: 4 · Affected Software: 1

CNNVD
added 2022/01/28 12:0 a.m. · 3 views

Synel Eharmonynew Cross-Site Scripting Vulnerability

Synel Eharmonynew is an attendance system from Synel Israel. Synel Eharmonynew suffers from a cross-site scripting vulnerability that allows an attacker to inject JS code into the comments field and could lead to potential cookie theft, HTML markup, and JS code being loaded into the system...

CVSS 6.6 · AI score 5.5 · EPSS 0.00117
Exploits: 0 · References: 2

OpenVAS
added 2022/01/28 12:0 a.m. · 20 views

Mageia: Security Advisory (MGASA-2014-0400)

The remote host is missing an update for the...

CVSS 4.3 · AI score 6.3 · EPSS 0.00311
Exploits: 0 · References: 7

OSV
added 2022/01/27 4:15 p.m. · 2 views

CVE-2021-46065

A cross-site scripting (XSS) vulnerability in the Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript code...

CVSS 4.8 · AI score 5.9
Exploits: 0 · References: 2

ATTACKERKB
added 2022/01/25 8:15 p.m. · 3 views

CVE-2022-23008

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...

CVSS 5.5 · AI score 6.2 · EPSS 0.00247
Exploits: 0 · References: 2

OSV
added 2022/01/25 8:15 p.m. · 2 views

CVE-2022-23008

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...

CVSS 5.4 · AI score 6.2
Exploits: 0 · References: 1

NVD
added 2022/01/25 8:15 p.m. · 9 views

CVE-2022-23008

On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software...

CVSS 5.5 · EPSS 0.00247
Exploits: 0 · References: 1

CVE
added 2022/01/25 7:11 p.m. · 121 views

CVE-2022-23008

Summary: CVE-2022-23008 affects the NGINX Controller API Management software (versions 3.18.0–3.19.0). Vulnerability: An authenticated user with the user or admin role can access undisclosed API endpoints to inject JavaScript that runs on managed NGINX data plane instances. The Red Hat advisory c...

CVSS 5.5 · AI score 5.9 · EPSS 0.00247
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2022/01/25 12:0 a.m. · 3 views

PT-2022-15775 · Nginx · Nginx Controller Api Management

Name of the Vulnerable Software and Affected Versions: NGINX Controller API Management versions 3.18.0 through 3.19.0 Description: An authenticated attacker with access to the user or admin role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is...

CVSS 5.5 · AI score 5.5 · EPSS 0.00247
Exploits: 0 · References: 4

CNNVD
added 2022/01/21 12:0 a.m. · 3 views

F5 Nginx Cross-Site Scripting Vulnerability

The F5 NGINX Controller is a self-service, API-driven platform for managing NGINX Plus that can be easily integrated into CI/CD workflows to accelerate application deployment and simplify application lifecycle management. "user" or "admin" role access and authenticated attackers can use an...

CVSS 5.5 · AI score 5.8 · EPSS 0.00247
Exploits: 0 · References: 3

ATTACKERKB
added 2022/01/19 9:15 p.m. · 4 views

CVE-2022-23045

PhpIPAM v1.4.4 allows an authenticated admin user to inject persistent JavaScript code inside the "Site title" parameter while updating the site settings. The "Site title" setting is injected in several locations which triggers the XSS...

CVSS 4.8 · AI score 5.8 · EPSS 0.00328
Exploits: 1 · References: 3

CNNVD
added 2022/01/19 12:0 a.m. · 2 views

phpIPAM Cross-Site Scripting Vulnerability

phpIPAM is an open source PHP and MySQL-based IP address management (IPAM) application. phpIPAM v1.4.4 has a cross-site scripting vulnerability that stems from missing validation and filtering of user-supplied data and output data in the Site title parameter when updating site settings. ...

CVSS 4.8 · AI score 5.6 · EPSS 0.00328
Exploits: 1 · References: 3