
655 matches found

CNNVD
added 2025/02/14 12:0 a.m. | 1 views

Vega cross-site scripting vulnerability

Vega is a JavaScript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. Vega suffers from a cross-site scripting vulnerability that stems...

6.9 CVSS | 5.2 AI score | 0.00182 EPSS
Exploits 0 | References 4

CVE
added 2025/02/10 3:27 p.m. | 319 views

CVE-2024-11831

CVE-2024-11831 is a deserialization/XSS issue in the npm-serialize-javascript package. The impact is described as attackers potentially executing malicious code when serialized data is deserialized by a web browser. Connected docs confirm multiple vendors referencing this CVE: IBM Storage Ceph St...

5.4 CVSS | 5.3 AI score | 0.01129 EPSS
Exploits 0 | References 24

CVE
added 2025/02/05 11:35 p.m. | 56 views

CVE-2024-49793

Summary: CVE-2024-49793 affects IBM ApplinX 11.1 and is described as a cross-site scripting (XSS) vulnerability in the Web UI that could allow an authenticated user to inject arbitrary JavaScript, potentially leading to credentials disclosure within a trusted session. The root cause is improper h...

5.4 CVSS | 5.3 AI score | 0.00124 EPSS
Exploits 0 | References 1 | Affected Software 1

Snyk
added 2025/02/05 10:41 p.m. | 2 views

Prototype Pollution

Overview org.webjars.bower:php-date-formatter is a JavaScript datetime formatting and manipulation library using PHP date-time formats. Affected versions of this package are vulnerable to Prototype Pollution in php-date-formatter.js. Details Prototype Pollution is a vulnerability affecting...

7.5 CVSS | 8 AI score | 0.00356 EPSS
Exploits 0 | References 2

RedhatCVE
added 2025/02/05 9:41 p.m. | 7 views

CVE-2022-24358

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.1.0.52543. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...

8.8 CVSS | 6.7 AI score | 0.0066 EPSS
Exploits 0 | References 1

RedhatCVE
added 2025/02/05 8:36 p.m. | 8 views

CVE-2022-37350

This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of...

7.8 CVSS | 6.8 AI score | 0.00621 EPSS
Exploits 0 | References 4

RedhatCVE
added 2025/02/05 8:22 a.m. | 5 views

CVE-2024-47610

InvenTree is an Open Source Inventory Management System. In affected versions of InvenTree it is possible for a registered user to store JavaScript in markdown notes fields, which is then displayed to other logged-in users who visit the same page and executed. The vulnerability has been addresse...

7.3 CVSS | 6.3 AI score | 0.00637 EPSS
Exploits 0 | References 1

CVE
added 2025/02/04 8:36 p.m. | 51 views

CVE-2024-40700

IBM Security Verify Access Appliance and Container 10.0.0–10.0.8 are affected by CVE-2024-40700, a cross-site scripting flaw allowing an unauthenticated attacker to inject arbitrary JavaScript into the Web UI, potentially leading to credentials disclosure within a trusted session. Root cause: imp...

6.1 CVSS | 6 AI score | 0.0011 EPSS
Exploits 0 | References 1 | Affected Software 2

CVE
added 2025/01/31 4:1 p.m. | 56 views

CVE-2024-47116

IBM Sterling B2B Integrator Standard Edition is affected by CVE-2024-47116: versions 6.0.0.0–6.1.2.5 and 6.2.0.0–6.2.0.3 are vulnerable to cross-site scripting. An authenticated user can embed arbitrary JavaScript in the Web UI, potentially leading to credentials disclosure within a trusted sessi...

5.4 CVSS | 5.3 AI score | 0.00141 EPSS
Exploits 0 | References 1 | Affected Software 1

Snyk
added 2025/01/26 4:8 p.m. | 1 views

Prototype Pollution

Overview org.webjars.bowergithub.shprink:canvg is a JavaScript SVG parser and renderer on Canvas. Affected versions of this package are vulnerable to Prototype Pollution in the StyleElement constructor. PoC js async = // Assuming import is set up properly import StyleElement from 'canvg'; // Outp...

9.8 CVSS | 8.1 AI score | 0.00305 EPSS
Exploits 1 | References 2

Vulnrichment
added 2025/01/22 4:36 p.m. | 13 views

CVE-2024-51457 IBM Robotic Process Automation for Cloud Pak cross-site scripting

IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.19 and 23.0.0 through 23.0.19 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...

4.4 CVSS | 6.3 AI score | 0.00098 EPSS
Exploits 0 | References 1

CNNVD
added 2025/01/20 12:0 a.m. | 2 views

aEnrich a+HRD cross-site scripting vulnerability

aEnrich a+HRD is a full-service human resources development solution from Acer aEnrich China. A cross-site scripting vulnerability exists in aEnrich a+HRD 7.5 and earlier versions, which stems from the presence of a reflective cross-site scripting vulnerability that allows attackers to execute...

6.1 CVSS | 6.4 AI score | 0.00028 EPSS
Exploits 0 | References 3

NVD
added 2025/01/17 10:15 p.m. | 13 views

CVE-2025-23207

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade t...

7.2 CVSS | 0.00038 EPSS
Exploits 0 | References 2

AlmaLinux
added 2025/01/08 12:0 a.m. | 16 views

Important: firefox security update

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. Security Fixes: firefox: Use-after-free when breaking lines in text (CVE-2025-0238); firefox: Memory corruption when using JavaScript Text Segmentation (CVE-2025-0241); firefox: Alt-Svc ALPN...

7.7 CVSS | 7.5 AI score | 0.02414 EPSS
Exploits 0 | References 16

Snyk
added 2024/12/12 2:46 p.m. | 2 views

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that accept objects. Note: This issue relates to the widely known and actively developed 'Bun' JavaScript runtime. The...

7.7 CVSS | 6.5 AI score | 0.00205 EPSS
Exploits 0 | References 2

Cvelist
added 2024/12/10 8:42 p.m. | 10 views

CVE-2024-54042 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the...

6.1 CVSS | 0.00891 EPSS
Exploits 0 | References 1

Vulnrichment
added 2024/12/10 8:42 p.m. | 11 views

CVE-2024-54044 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the...

6.1 CVSS | 5.9 AI score | 0.00799 EPSS
Exploits 0 | References 1

CVE
added 2024/12/10 8:42 p.m. | 52 views

CVE-2024-54044

The CVE-2024-54044 entry refers to Adobe Connect 12.6, 11.4.7 and earlier being affected by a reflected Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can lure a victim to visit a URL referencing a vulnerable page, causing malicious JavaScript to execute in the victim’s bro...

6.1 CVSS | 5.9 AI score | 0.00799 EPSS
Exploits 0 | References 1 | Affected Software 1

Vulnrichment
added 2024/12/09 11:49 p.m. | 9 views

CVE-2024-9672 Reflected XSS in PaperCut MF

A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur...

6.3 CVSS | 6.1 AI score | 0.00691 EPSS
Exploits 0 | References 1

OSV
added 2024/10/02 9:30 p.m. | 7 views

GHSA-QVQV-MCXR-X8QW Slim Select has potential Cross-site Scripting issue

Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption, the text variable from the user-provided Options object is assigned to innerHTML without sanitization. Software that depends on this library to dynamically generate...

5.4 CVSS | 5.5 AI score | 0.00256 EPSS
Exploits 1 | References 7