5967 matches found
The vulnerability of the `defaults` function in the Lodash library allows a attacker to trigger a service failure, execute arbitrary JavaScript code, or increase their privileges.
The vulnerability of the defaults function in the Lodash library is related to insufficient validation of input data. Exploiting this vulnerability can allow an attacker to cause service failures, execute arbitrary JavaScript code, or enhance their privileges...
WebKit - UXSS via XSLT and Nested Document Replacements Exploit
VULNERABILITY DETAILS https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cppL66 Ref XSLTProcessor::createDocumentFromSourceconst String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Node sourceNode, Frame frame Ref...
WebKit - UXSS via XSLT and Nested Document Replacements
VULNERABILITY DETAILS https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cppL66 Ref XSLTProcessor::createDocumentFromSourceconst String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Node sourceNode, Frame frame Ref...
CVE-2019-14770
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...
Sql injection
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...
CVE-2019-14770
CVE-2019-14770 affects Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3. An attacker who can create administrative menu links (roles with such permissions) can craft menu links in the admin bar to execute JavaScript when an administrator using the search function is logged in. The root ...
CVE-2019-14770
In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...
Firefly III Cross-Site Scripting Vulnerability (CNVD-2019-30451)
Firefly III is a free, open source, self-hosted personal finance manager. A stored cross-site scripting vulnerability exists in Firefly III 4.7.17.3. The vulnerability stems from a lack of filtering of data provided by the user in the billname field. An attacker can exploit the vulnerability to...
Design/Logic Flaw
Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation...
Cross site scripting
A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript execution in the victim's...
The vulnerability of the Palo Alto Networks MineMeld software lies in the lack of protection for website structures, allowing attackers to execute arbitrary JavaScript code.
The vulnerability of the Palo Alto Networks MineMeld software exists due to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code remotely...
Information disclosure
When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn't check Deeplink URL correctly. This could lead to javascript code execution, url redirection, sensitive information disclosure. An attacker can exploit this issue by enticing an unsuspecting user to open a...
CVE-2019-5457
Cross-site scripting XSS vulnerability in min-http-server all versions allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser...
CVE-2019-5458
Cross-site scripting XSS vulnerability in http-file-server all versions allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser...
CVE-2019-5458
Cross-site scripting XSS vulnerability in http-file-server all versions allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser...
PT-2019-17686 · Unknown · Min-Http-Server
Name of the Vulnerable Software and Affected Versions: min-http-server all versions Description: A cross-site scripting XSS issue allows an attacker with access to the server file system to execute arbitrary JavaScript code in a victim's browser. The package fails to sanitize filenames, enabling...
Vulnerability of the software complex: Regional electronic budget. An integration platform related to insufficient protection of web page structures, allowing attackers to execute arbitrary JavaScript code in the user’s browser.
Vulnerability of the software complex: Regional electronic budget. The integration platform is associated with insufficient protection of the web page structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code in the user’s browser remotely...
Cross-site Scripting (XSS)
stackable.js is vulnerable to Cross-Site Scripting. The library does not sanitize the output properly when constructing the HTML from the existing elements,, allowing an attacker to use a malicious payload to execute arbitrary Javascript code...
Foxit PhantomPDF Denial of Service Vulnerability (CNVD-2019-24197)
PhantomPDF is a multifunctional PDF editor. A denial of service vulnerability exists in Foxit PhantomPDF versions prior to 8.3.11. The vulnerability stems from a failure to properly validate the existence of an object before performing operations on it during JavaScript execution. An attacker cou...
UBUNTU-CVE-2019-1010261
Gitea 1.7.0 and earlier is affected by: Cross Site Scripting XSS. The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically...