CVE-2024-41959

CVE-2024-41959 affects mailcow: dockerized. An unauthenticated attacker can inject a JavaScript payload into the API logs, which is executed when the API logs page is viewed. This can enable malicious scripts to run in the user’s browser, potentially leading to unauthorized actions and data theft...

CVE-2024-41959 Cross-site Scripting (XSS) via API Logs in mailcow: dockerized

mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of th...

CVE-2024-41959 Cross-site Scripting (XSS) via API Logs in mailcow: dockerized

mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of th...

PT-2024-5829 · Mailcow · Mailcow

Name of the Vulnerable Software and Affected Versions: mailcow: dockerized versions prior to 2024-07 Description: The issue is related to the Relay Hosts configuration, where an authenticated admin user can inject a JavaScript payload. This payload is executed when the configuration page is viewe...

PT-2024-25029 · Silverstripe · Silverstripe/Framework

Name of the Vulnerable Software and Affected Versions: Silverstripe framework versions prior to 5.2.16 Description: A bad actor with access to edit content in the CMS could send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front e...

PT-2024-28949

Name of the Vulnerable Software and Affected Versions Outline versions prior to 0.77.3 Description A type confusion issue in ProseMirror's rendering process leads to a Stored Cross-Site Scripting XSS issue. An authenticated user can create a document with a malicious JavaScript payload, which can...

CVE-2024-6229

A stored cross-site scripting XSS vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts. "Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason...

CVE-2024-5906

A cross-site scripting XSS vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to...

CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A cross-site scripting XSS vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to...

CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A cross-site scripting XSS vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to...

Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A cross-site scripting XSS vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to...

CVE-2024-5673 Cross-Site Scripting in PHP File Manager by Dulldusk

Vulnerability in Dulldusk's PHP File Manager affecting version 1.7.8. This vulnerability consists of an XSS through the fmcurrentdir parameter of index.php. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session...

PT-2024-23768 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.0.0 Description: A stored Cross-Site Scripting XSS vulnerability exists in the mintplex-labs/anything-llm application. The vulnerability arises from the application's failure to properly sanitize...

CVE-2024-5405

A vulnerability had been discovered in WinNMP 19.02 consisting of an XSS attack via /tools/redis.php page in the k, hash, key and p parameters. This vulnerability could allow a remote user to submit a specially crafted JavaScript payload for an authenticated user to retrieve their session details...

CVE-2024-5405 Multiple vulnerabilities in WinNMP from Wtriple

A vulnerability had been discovered in WinNMP 19.02 consisting of an XSS attack via /tools/redis.php page in the k, hash, key and p parameters. This vulnerability could allow a remote user to submit a specially crafted JavaScript payload for an authenticated user to retrieve their session details...

CVE-2024-5405

WinNMP 19.02 contains an XSS vulnerability exploitable via /tools/redis.php, specifically in the k, hash, key, and p parameters. A remote attacker could inject JavaScript to fetch an authenticated user’s session details. The issue is documented across multiple sources (CVE-2024-5405, RH, NVD, CVE...

CVE-2023-49574 XSS vulnerability in VX Search Enterprise

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14 that could allow an attacker to execute persistent XSS through /addjob in jobname. This vulnerability could allow an attacker to store malicious JavaScript payloads on the system to be triggered when the page...

CVE-2024-34241

A cross-site scripting XSS vulnerability in Rocketsoft Rocket LMS 1.9 allows an administrator to store a JavaScript payload using the admin web interface when creating new courses and new course notifications...

CVE-2024-34241

Summary: CVE-2024-34241 describes a stored XSS in Rocketsoft Rocket LMS 1.9. An administrator can inject a JavaScript payload through the admin web interface when creating new courses or course notifications, enabling script execution in the context of other users. Affected product: Rocketsoft Ro...