5967 matches found
Cross-Site Scripting
Overview Versions of diagram-js-direct-editing prior to 1.4.3 are vulnerable to Cross-Site Scripting. The package fails to sanitize input from the clipboard, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation Upgrade to version 1.4.3 or later. References -...
Cloud Classroom online school system suffers from override access, xss vulnerability
Cloud Classroom is the online education system of Beijing Yuxin Technology Co. Cloud Classroom online school system suffers from an override access, xss vulnerability, which can be exploited by attackers to modify other user profiles and execute js code on the browser...
CVE-2019-9673
Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI...
CVE-2019-9673
Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI...
Design/Logic Flaw
Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI...
CVE-2019-9673
Freenet 1483 has a MIME type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI...
CVE-2019-9673
Freenet 1483 is affected by a MIME-type bypass that allows arbitrary JavaScript execution via a crafted Freenet URI. The root cause is improper MIME-type handling, enabling code execution without user interaction. NVD lists CVSS v2 base score 6.8 (Network, Medium complexity) and CVSS v3 base scor...
GHSA-M734-R4G6-34F9 NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where...
NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where...
The vulnerability of the web interface of the Cisco Registered Envelope Service allows a perpetrator to execute arbitrary JavaScript code and gain unauthorized access to the protected information.
The vulnerability of the Cisco Registered Envelope Service RES web interface lies in the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code and gain unauthorized access to protected informati...
Vulnerability of the software complex: Regional electronic budget. An integration platform related to insufficient protection of web page structures, allowing attackers to execute arbitrary JavaScript code in the user’s browser.
Vulnerability of the software complex: Regional electronic budget. The integration platform is associated with insufficient protection of the web page structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code in the user’s browser remotely...
The vulnerability of the Enterprise Resource Management System “Galaktika ERP” relates to insufficient protection of the website structure, allowing attackers to execute arbitrary JavaScript code in the browser of the connected client.
The vulnerability of the component that allows sending messages to connected users in the enterprise resource management system Galaktika ERP is related to insufficient protection of the website structure. Exploiting this vulnerability could allow a malicious actor to execute arbitrary JavaScript...
The vulnerability in the web interface of the Cisco Firepower Management Center’s management tool allows a perpetrator to execute arbitrary JavaScript code or gain unauthorized access to protected information.
The vulnerability of the Cisco Firepower Management Center’s web interface management interface relates to the lack of protective measures for the web page structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code or gain unauthorized access to protect...
CVE-2017-11560
An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the applicatio...
Microsoft Internet Explorer 11 - Sandbox Escape Exploit
Exploit for windows platform in category local exploits Inject into IE11. Will work on other sandboxes that allow the opening of windows filepickers through a broker. You will gain medium IL javascript execution, at which point you simply retrigger your IE RCE bug. EDB Note Download:...
CVE-2019-10067
An issue was discovered in Open Ticket Request System OTRS 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the contex...
Design/Logic Flaw
An issue was discovered in Open Ticket Request System OTRS 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the contex...
Design/Logic Flaw
An issue was discovered in Open Ticket Request System OTRS 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment ...
DEBIAN-CVE-2019-10067
An issue was discovered in Open Ticket Request System OTRS 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the contex...
CVE-2019-10066
An issue was discovered in Open Ticket Request System OTRS 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment ...