5085 matches found

NVD
added 2024/07/11 11:15 a.m. · 27 views

CVE-2024-6035

A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser...

CVSS 7.4 · EPSS 0.00371
Exploits: 1 · References: 1
Vulnrichment
added 2024/07/11 10:41 a.m. · 15 views

CVE-2024-6035 Stored XSS in gaizhenbiao/chuanhuchatgpt

A Stored Cross-Site Scripting (XSS) vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser...

CVSS 7.4 · AI score 5.5 · EPSS 0.00371
Exploits: 1 · References: 1
Positive Technologies
added 2024/07/11 12:0 a.m. · 4 views

PT-2024-37660

Name of the Vulnerable Software and Affected Versions: bootstrap (affected versions not specified). Description: A security issue has been discovered that could enable Cross-Site Scripting (XSS) attacks. The issue is associated with the data-loading-text attribute within the button plugin. This can be...

CVSS 6.4 · AI score 6.8 · EPSS 0.00494
Exploits: 0 · References: 31
Wallarm Lab
added 2024/07/10 5:50 a.m. · 14 views

Polyfill.io Supply Chain Attack: Malicious JavaScript Injection Puts Over 100k Websites At Risk

Polyfill.io helps web developers achieve cross-browser compatibility by automatically managing necessary polyfills. By adding a script tag to their HTML, developers can ensure that features like JavaScript functions, HTML5 elements, and various APIs work across different browsers. Originally...

AI score 6.5
Exploits: 0
CNNVD
added 2024/07/08 12:0 a.m. · 4 views

IBM Cloud Pak for Business Automation Cross-Site Scripting Vulnerability

IBM Cloud Pak for Business Automation is a modular set of integrated software components from International Business Machines (IBM), built for any hybrid cloud, designed to automate work and accelerate business growth. IBM Cloud Pak for Business Automation suffers from a cross-site scripting...

CVSS 5.4 · AI score 6.1 · EPSS 0.00259
Exploits: 0 · References: 3
OSV
added 2024/07/03 12:15 p.m. · 2 views

CVE-2024-6427

Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the "message" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and...

CVSS 7.5 · AI score 5.8 · EPSS 0.0057
Exploits: 0 · References: 1
Veracode
added 2024/07/03 12:9 p.m. · 30 views

Cross Site Scripting (XSS)

Flowise is vulnerable to Cross Site Scripting (XSS). The vulnerability is caused due to improper handling of user input in the /api/v1/chatflows-streaming/id endpoint, which allows an attacker to craft a URL that injects Javascript into user sessions, potentially stealing information, creating false...

CVSS 6.1 · AI score 6.9 · EPSS 0.00459
Exploits: 1 · References: 2 · Affected Software: 1
Veracode
added 2024/07/03 6:2 a.m. · 13 views

Cross-Site Scripting

flowise is vulnerable to reflected cross-site scripting (XSS). The vulnerability is due to improper sanitization in the /api/v1/public-chatflows/id endpoint when a chatflow ID is not found, causing its value to be reflected in the 404 page with type text/html. Attackers can exploit this by crafting...

CVSS 6.1 · AI score 6 · EPSS 0.00405
Exploits: 1 · References: 2 · Affected Software: 1
Veracode
added 2024/07/03 6:0 a.m. · 14 views

Cross-Site Scripting (XSS)

flowise is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient input sanitization in the /api/v1/credentials/id endpoint, which reflects user input back in the 404 page as HTML. This allows attackers to craft a URL that injects JavaScript into user sessions, enabling...

CVSS 6.1 · AI score 6 · EPSS 0.00405
Exploits: 1 · References: 2 · Affected Software: 1
Positive Technologies
added 2024/07/03 12:0 a.m. · 2 views

PT-2024-37619 · Mesbook · Mesbook

Name of the Vulnerable Software and Affected Versions: MESbook version 202221021.03 Description: The issue is related to an Uncontrolled Resource Consumption vulnerability. An unauthenticated remote attacker can use the message parameter to inject a payload with dangerous JavaScript code, causing...

CVSS 7.5 · AI score 7 · EPSS 0.0057
Exploits: 0 · References: 6
OpenVAS
added 2024/07/03 12:0 a.m. · 64 views

Web Application using Malicious polyfill.io CDN (HTTP)

This script reports if a web page of the remote host is integrating JavaScript (.js) files hosted on the malicious polyfill.io CDN or any affiliated domain provided by the same new owner. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources,...

CVSS 9.8 · AI score 4.1 · EPSS 0.03832
Exploits: 0 · References: 6
OSV
added 2024/07/01 6:25 p.m. · 32 views

CVE-2024-37146 GHSL-2023-248: Flowise xss in /api/v1/credentials/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craf...

CVSS 6.1 · AI score 5.8 · EPSS 0.00405
Exploits: 1 · References: 4
OSV
added 2024/07/01 5:15 p.m. · 3 views

CVE-2024-36992

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthoriz...

CVSS 5.4 · AI score 5.9 · EPSS 0.00304
Exploits: 0 · References: 1
Cvelist
added 2024/07/01 4:2 p.m. · 27 views

CVE-2024-36422 GHSL-2023-245: Flowise xss in api/v1/chatflows/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the api/v1/chatflows/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craft a...

CVSS 6.1 · EPSS 0.00406
Exploits: 1 · References: 2
CNNVD
added 2024/06/30 12:0 a.m. · 5 views

IBM InfoSphere Information Server Security Vulnerability

IBM InfoSphere Information Server is a set of data integration platforms from International Business Machines (IBM). The platform can be used to integrate data information obtained from various sources. A cross-site scripting vulnerability exists in IBM InfoSphere Information Server, which can be...

CVSS 6.4 · AI score 5.8 · EPSS 0.00261
Exploits: 0 · References: 3
Positive Technologies
added 2024/06/30 12:0 a.m. · 5 views

PT-2024-4807 · Ibm · Ibm Infosphere Information Server

Name of the Vulnerable Software and Affected Versions: IBM InfoSphere Information Server version 11.7 Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted sessio...

CVSS 5.5 · AI score 6.7 · EPSS 0.003
Exploits: 0 · References: 5
CNNVD
added 2024/06/22 12:0 a.m. · 3 views

OpenCart Security Vulnerabilities

OpenCart is an open source e-commerce system by the OpenCart team in Hong Kong, China. The system provides modules for product reviews, product ratings, product additions, etc. A security vulnerability exists in OpenCart. OpenCart has a security vulnerability that stems from the presence of...

CVSS 6.1 · AI score 6.6 · EPSS 0.00391
Exploits: 1 · References: 3
Veracode
added 2024/06/14 7:15 a.m. · 8 views

Path Traversal / Code Injection

willdurand/js-translation-bundle is vulnerable to path traversal and JavaScript code injection. These vulnerabilities are due to insufficient input validation, allowing attackers to manipulate file paths and inject malicious scripts into the application...

AI score 7.7
Exploits: 0
OSV
added 2024/06/14 4:15 a.m. · 3 views

CVE-2024-31160

The parameter used in the certain page of ASUS Download Master is not properly filtered for user input. A remote attacker with administrative privilege can insert JavaScript code to the parameter for Stored Cross-site scripting attacks...

CVSS 4.8 · AI score 5.9
Exploits: 0 · References: 2
Exploit DB
added 2024/06/14 12:0 a.m. · 335 views

Carbon Forum 5.9.0 - Stored XSS

Exploit Title: Persistent XSS in Carbon Forum 5.9.0 (Stored) · Date: 06/12/2024 · Exploit Author: Chokri Hammedi · Vendor Homepage: https://www.94cb.com/ · Software Link: https://github.com/lincanbin/Carbon-Forum · Version: 5.9.0 · Tested on: Windows XP · CVE: N/A · Vulnerability Details: A persistent stored XSS...

AI score 7.4
Exploits: 0