Lucene search
881 matches found

OSV, added 2022/06/24 4:15 p.m.

CVE-2022-27238

BigBlueButton version 2.4.7 or earlier is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload into their username. The payload gets executed in the browser of the victim each time the attacker sends a private message to t...

CVSS 5.4 | AI score 5.5 | EPSS 0.00206
Exploits: 0 | References: 1

Prion, added 2022/06/24 4:15 p.m.

Cross site scripting

BigBlueButton version 2.4.7 or earlier is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload into their username. The payload gets executed in the browser of the victim each time the attacker sends a private message to t...

CVSS 3.5 | AI score 5.1 | EPSS 0.00206
Exploits: 0 | References: 1 | Affected software: 1

Cvelist, added 2022/06/24 3:15 p.m.

CVE-2022-27238

BigBlueButton version 2.4.7 or earlier is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload into their username. The payload gets executed in the browser of the victim each time the attacker sends a private message to t...

AI score 5.3 | EPSS 0.00206
Exploits: 0 | References: 1

wpexploit, added 2022/06/20 12:00 a.m.

Bold Page Builder < 4.3.3 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. PoC: 1. Navigate to Settings > Bold Builder > Bold Builder Settings and enter "alert'XSS'" into the "Color...

CVSS 4.8 | AI score 4.8 | EPSS 0.00206
Exploits: 2

WPVulnDB, added 2022/06/20 12:00 a.m.

WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting

The plugin does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. PoC: 1. Navigate to Settings > Duplicate Page > Duplicate Page Settings and enter the XSS payload into...

CVSS 4.8 | AI score 0.5 | EPSS 0.00206
Exploits: 2 | Affected software: 1

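The two WordPress entries above share one root cause: a plugin setting is neither validated on save nor escaped on output, so an admin on a site where unfiltered_html is disallowed can still store script. The snippet below is an added example, not code from Bold Page Builder or WP Duplicate Page, written in JavaScript to keep it runnable here. It models the two controls the plugins lack: each option is validated against the type it is supposed to hold (a colour field only accepts a hex colour), the saved record remembers whether its author held unfiltered_html, and every value is escaped for the HTML context it is rendered into. The option names, the user object (a Set of capability names) and the rendered markup are assumptions made for illustration.

```javascript
// Added example, not code from Bold Page Builder or WP Duplicate Page.
// Option names, the user shape (a Set of capabilities) and the rendered markup
// are assumptions made for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape for HTML text nodes and double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Each option declares what it is allowed to hold. A colour is a colour no
// matter who typed it, so a payload in the colour field is rejected at save time.
const SETTING_RULES = {
  accent_color: { type: 'color', validate: (v) => /^#[0-9a-f]{6}$/i.test(v) },
  footer_text: { type: 'text', validate: (v) => typeof v === 'string' && v.length <= 500 },
};

// Save side. The stored record remembers whether its author held unfiltered_html
// (on a site with DISALLOW_UNFILTERED_HTML nobody does, admins included); that
// flag, not the author's role, decides how the value is rendered later.
function saveSetting(user, settings, name, rawValue) {
  const rule = SETTING_RULES[name];
  if (!rule) throw new Error(`unknown setting: ${name}`);
  if (!rule.validate(rawValue)) throw new Error(`invalid value for ${name}`);
  const html = rule.type === 'text' && user.caps.has('unfiltered_html');
  return { ...settings, [name]: { value: rawValue, html } };
}

// Output side. Plain values are escaped for the context they land in: the colour
// goes into a style attribute, the footer into a text node. Raw markup is emitted
// only for a record that was saved by an unfiltered_html holder.
function renderSettingsPage(settings) {
  const color = settings.accent_color ? escapeHtml(settings.accent_color.value) : '#000000';
  const footer = settings.footer_text
    ? (settings.footer_text.html ? settings.footer_text.value : escapeHtml(settings.footer_text.value))
    : '';
  return `<div class="plugin-settings" style="--accent: ${color}"><p class="footer">${footer}</p></div>`;
}
```

The check that matters for the "even when unfiltered_html is disallowed" wording is the html flag: an admin without the capability can type markup into footer_text, but it is stored as text and comes back escaped, which is the policy WordPress core applies to post content.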
NVD, added 2022/06/02 6:15 p.m.

CVE-2022-26497

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously...

CVSS 5.4 | EPSS 0.00321
Exploits: 1 | References: 3

OSV, added 2022/06/02 6:15 p.m.

CVE-2022-26497

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously...

CVSS 5.4 | AI score 6.6 | EPSS 0.00321
Exploits: 1 | References: 3

ATTACKERKB, added 2022/06/02 6:15 p.m.

CVE-2022-26497

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously...

CVSS 5.4 | AI score 5.9 | EPSS 0.00321
Exploits: 1 | References: 4

Cvelist, added 2022/06/02 12:00 a.m.

CVE-2022-26497

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously...

AI score 5.6 | EPSS 0.00321
Exploits: 1 | References: 3

Github Security Blog, added 2022/05/24 5:29 p.m.

MediaWiki Cross-site Scripting (XSS) vulnerability

In MediaWiki before 1.31.9 and 1.32.x through 1.34.x before 1.34.3, XSS related to jQuery can occur. The attacker creates a message with javascript:payload xss and turns it into a jQuery object with mw.message.parse. The expected result is that the jQuery object does not contain an <a> tag or it does...

CVSS 6.1 | AI score 5.5 | EPSS 0.00336
Exploits: 0 | References: 8 | Affected software: 1

OSV, added 2022/05/24 4:56 p.m.

GHSA-MVQR-R76C-WM5F Devise Token Auth vulnerable to Cross-site Scripting

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to reflected Cross-Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...

CVSS 6.1 | AI score 5.8 | EPSS 0.00493
Exploits: 1 | References: 4

Github Security Blog, added 2022/05/24 4:56 p.m.

Devise Token Auth vulnerable to Cross-site Scripting

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to reflected Cross-Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...

CVSS 6.1 | AI score 5.8 | EPSS 0.00493
Exploits: 1 | References: 4 | Affected software: 1

RubySec, added 2022/05/24 12:00 a.m.

Devise Token Auth vulnerable to Cross-site Scripting

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to reflected Cross-Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects...

CVSS 6.1 | AI score 4.7 | EPSS 0.00493
Exploits: 1 | References: 1 | Affected software: 1

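The BigBlueButton private-chat and Greenlight "Share room access" entries are stored XSS (an attacker-chosen username read back from the database), while the Devise Token Auth entry is reflected XSS (a message query parameter echoed onto the failure page). The browser cannot tell where a string came from; what fixes all three is escaping every dynamic value for the HTML context it is inserted into. The block below is an added example, not code from BigBlueButton, Greenlight or Devise Token Auth: it shows the vulnerable concatenation next to a tagged template that escapes every interpolation, applied to a chat line, a share dialog and a failure page. The markup, route and parameter names are invented for illustration.

```javascript
// Added example, not code from BigBlueButton, Greenlight or Devise Token Auth.
// Markup, route and parameter names are invented for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: literal template text is trusted, every interpolated value is
// escaped. Rendering through this everywhere leaves no place to forget the escape.
function html(strings, ...values) {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// Stored case, vulnerable shape: the username came from the database, so it
// "must be fine". It is whatever the attacker typed at sign-up.
function renderChatLineUnsafe(username, text) {
  return `<li><b>${username}</b>: ${text}</li>`;
}

// Stored case, hardened shape: same markup, both dynamic values escaped.
function renderChatLine(username, text) {
  return html`<li><b>${username}</b>: ${text}</li>`;
}

// Stored case, a second sink: the share dialog lists the names of users the room
// was shared with, so the attacker's name reaches the victim here as well.
function renderShareDialog(usernames) {
  const items = usernames.map((name) => html`<li>${name}</li>`).join('');
  return `<ul class="shared-with">${items}</ul>`;
}

// Reflected case: the message comes straight from the failure URL's query string.
// The escaping is identical; only the origin of the string differs.
function renderFailurePage(requestUrl) {
  const message = new URL(requestUrl).searchParams.get('message') ?? 'Authentication failed';
  return html`<p class="error">${message}</p>`;
}
```

Note that the safe variants never "sanitise" the username: the offending characters are stored as typed and neutralised at the point of output, which is the only place the rendering context is known.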
Github Security Blog, added 2022/05/14 2:19 a.m.

Cobbler XSS Vulnerability

Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross-Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to...

CVSS 6.1 | AI score 6.8 | EPSS 0.00268
Exploits: 0 | References: 5 | Affected software: 1

OSV, added 2022/05/14 2:00 a.m.

GHSA-GVCW-X64M-PFCJ Wallabag cross-site scripting (XSS) vulnerability

The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be...

CVSS 4 | AI score 4.1 | EPSS 0.00453
Exploits: 1 | References: 3

Github Security Blog, added 2022/05/14 2:00 a.m.

Wallabag cross-site scripting (XSS) vulnerability

The Wallabag application 2.2.3 to 2.3.2 is affected by one cross-site scripting (XSS) vulnerability that is stored within the configuration page. This vulnerability enables the execution of a JavaScript payload each time an administrator visits the configuration page. The vulnerability can be...

CVSS 4 | AI score 5.7 | EPSS 0.00453
Exploits: 1 | References: 3 | Affected software: 1

GitLab Advisory Database, added 2022/05/14 12:00 a.m.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cobbler (verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable) contains a Cross-Site Scripting (XSS) vulnerability in cobbler-web that can result in privilege escalation to admin. This attack appears to...

CVSS 6.1 | AI score 6.8 | EPSS 0.00268
Exploits: 0 | References: 4 | Affected software: 1

Huntr, added 2022/05/12 3:07 a.m.

Cross-site scripting and open redirect vulnerability on Rock RMS Login Page

The Rock RMS login page has a returnUrl parameter that is used to set window.location.href when the user has successfully logged in. An attacker can craft a link whose returnUrl parameter carries a malicious JavaScript payload, such as 'javascript:...', that ...

AI score 0.6
Exploits: 0 | References: 2

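The Rock RMS entry above and the MediaWiki entry earlier in this list are the same bug in two sinks: a user-controlled string reaches a URL context (window.location.href on one side, the href of an <a> tag on the other), and the javascript: scheme turns a redirect or a link into script execution. The block below is an added example, not code from Rock RMS or MediaWiki. It resolves the candidate against the application's own origin with the WHATWG URL parser and only then checks the scheme and origin, so case tricks, leading whitespace, embedded tab/newline characters and backslash-as-slash are all judged by the same parser the browser will use; the origin check also closes the open redirect the Huntr title mentions. APP_ORIGIN, the fallback path, the parameter name and the test inputs are made up for illustration.

```javascript
// Added example, not code from Rock RMS or MediaWiki. APP_ORIGIN, the fallback
// path, the parameter name and the sample inputs are made up for illustration.

const APP_ORIGIN = 'https://app.example.org';
const FALLBACK = '/';

// Post-login redirect target. Returns an absolute URL on our own origin, or
// FALLBACK when the input must not be followed. The WHATWG parser decides what
// the scheme and host are, which is what makes "JaVaScRiPt:", leading spaces,
// embedded tabs and "\\evil" all land in the same rejected bucket.
function safeReturnUrl(input, appOrigin = APP_ORIGIN) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return FALLBACK;
  let url;
  try {
    url = new URL(input, appOrigin); // relative paths resolve onto appOrigin
  } catch (e) {
    return FALLBACK;                 // not a URL at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK; // javascript:, data:, vbscript:, ...
  if (url.origin !== new URL(appOrigin).origin) return FALLBACK;             // //evil, https://evil, \\evil
  return url.href;
}

// Link target for an <a href>. Relative links are kept as typed; absolute ones
// must use an allow-listed scheme. Anything else becomes an inert "#".
const HREF_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function safeHref(input, appOrigin = APP_ORIGIN) {
  if (typeof input !== 'string' || input.length === 0) return '#';
  try {
    return HREF_SCHEMES.has(new URL(input, appOrigin).protocol) ? input : '#';
  } catch (e) {
    return '#';
  }
}

// Browser-side usage on the login page, assuming the query parameter is named returnUrl:
//   window.location.href = safeReturnUrl(new URLSearchParams(location.search).get('returnUrl'));
```

A scheme blocklist or a regex on the raw string is the usual wrong fix here; both are beaten by inputs the parser normalises before the browser ever sees them, which is why the checks above run on the parsed URL object and not on the input.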
0day.today, added 2022/04/19 12:00 a.m.

REDCap 11.3.9 - Stored Cross Site Scripting Vulnerability

Exploit Title: REDCap 11.3.9 - Stored Cross-Site Scripting
Exploit Author: Kendrick Lam
References: https://github.com/KCL04/XSS-PoCs/blob/main/CVE-2021-42136.js
Vendor Homepage: https://projectredcap.org
Software Link: https://projectredcap.org
Version: Redcap before 11.4.0
Tested on: 11.2.5
CVE...

CVSS 9 | AI score 9.3 | EPSS 0.01758
Exploits: 5

WPVulnDB, added 2022/03/29 12:00 a.m.

LayerSlider < 7.1.2 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape the Project's slug before outputting it back in various places, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. PoC: 1. The store...

CVSS 4.8 | AI score 4.9 | EPSS 0.00117
Exploits: 4 | Affected software: 1