CVE-2023-37360

pacparserfindproxy in Pacparser before 1.4.2 allows JavaScript injection, and possibly privilege escalation, when the attacker controls the URL which may be realistic within enterprise security products...

CVE-2023-37360

pacparserfindproxy in Pacparser before 1.4.2 allows JavaScript injection, and possibly privilege escalation, when the attacker controls the URL which may be realistic within enterprise security products...

XSS Reflected via import file funtion

Description The application does import data from the file without cleaning the data inside before processing, resulting in javascript code that can be injected and triggered when the victim executes the function. Proof of Concept Step1: The attacker creates a .csv file containing a payload to...

PT-2023-25856 · Mediawiki +1 · Googleanalyticsmetrics +1

Name of the Vulnerable Software and Affected Versions: GoogleAnalyticsMetrics extension for MediaWiki versions through 1.39.3 Description: An issue was discovered in the googleanalyticstrackurl parser function, which does not properly escape JavaScript in the onclick handler and does not prevent...

CVE-2023-35156

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as:...

CVE-2023-35159

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as:...

Code injection

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as:...

CVE-2023-35156 XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as:...

CVE-2023-35155 XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. For instance, the following URL execute an alter on the browser:...

XWiki Platform 跨站脚本漏洞

XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the XWiki Foundation in France. A security vulnerability exists in XWiki Platform. An attacker could use this vulnerability to inject Javascript code into a page by forging a URL and trigger a cross-site...

XWiki Platform 安全漏洞

XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the XWiki Foundation in France. A security vulnerability exists in XWiki Platform versions prior to 9.4-rc-1. An attacker can exploit this vulnerability to inject Javascript code into a page by forging a...

Cross-Site Scripting (XSS)

kiwitcms is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to a lack of file content validation in the denyuploadscontainingscripttag function of validators.py, which allows an attacker to inject arbitrary JavaScript code into a victim's browser...

Home Assistant < 0.57 XSS Vulnerability

Home Assistant is prone to a cross-site scription XSS vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Cross-Site Scripting (XSS)

phpmyfaq/phpmyfaq is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to a lack of html sanitization in the answer parameter which allows an attacker to inject and execute arbitrary JavaScript into the browser...

CVE-2023-2277

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and...

Cross site request forgery (csrf)

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and...

CVE-2023-2277 WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and...

CVE-2023-28705

Openfind Mail2000 has insufficient filtering special characters of email content of its content filtering function. A remote attacker can exploit this vulnerability using phishing emails that contain malicious web pages injected with JavaScript. When users access the system and open the email, it...

CVE-2023-2414

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitasavesettingscallback function in versions up to, and including, 4.4.6. This makes it possible for authenticated...

CVE-2023-2414

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcitasavesettingscallback function in versions up to, and including, 4.4.6. This makes it possible for authenticated...