5082 matches found
org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
Impact The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting (XSS) by specifying an RSS...
org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . As a consequence, any code relying on this "restricted" mode for security is...
CVE-2023-28341
Stored cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious JavaScript on the incorrect login details page...
CVE-2023-0546
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form which will trigger for any visitor to...
CVE-2023-0546 FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form which will trigger for any visitor to...
CVE-2023-0546
CVE-2023-0546 affects the Contact Form Plugin WordPress plugin (pre-4.3.25). The issue is stored XSS via improper sanitization/escaping of the srcdoc attribute in iframes within the plugin’s custom HTML field, enabling a logged-in user with Contributor+ privileges to inject arbitrary JavaScript t...
PT-2023-16352 · WordPress · Contact-Form-Plugin
Name of the Vulnerable Software and Affected Versions: Contact Form Plugin WordPress plugin versions prior to 4.3.25 Description: The issue allows a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form. This can be achieved by exploiting the improper...
UBUNTU-CVE-2023-24538
Templates do not properly consider backticks as JavaScript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to...
Design/Logic Flaw
Templates do not properly consider backticks as JavaScript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a JavaScript template literal, the contents of the action can be used to...
Cross-Site Scripting (XSS)
pimcore/pimcore is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of user-input sanitization in translationEditor.js, which allows an attacker to inject and execute arbitrary JavaScript into the system...
Cross-Site Scripting (XSS)
ckeditor4 is vulnerable to Cross-Site Scripting (XSS) attacks. A web page with missing Content Security Policy configuration, initializing the editor on an element other than as a base, allows an attacker to inject and execute malicious JavaScript in the victim's browser...
LISTSERV 17 - Reflected Cross Site Scripting Vulnerability
Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting (XSS) Google Dork: inurl:/scripts/wa.exe Exploit Author: Shaunt Der-Grigorian Vendor Homepage: https://www.lsoft.com/ Software Link: https://www.lsoft.com/download/listserv.asp Version: 17 Tested on: Windows Server 2019 CVE : CVE-2022-3919...
CVE-2023-24839
HGiga MailSherlock’s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack...
Cross site scripting
HGiga MailSherlock’s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack...
HGiga MailSherlock Cross-Site Scripting Vulnerability
HGiga MailSherlock is an enterprise email auditing system from China Henderson Technology (HGiga). A cross-site scripting vulnerability exists in HGiga MailSherlock version 4.5, which stems from insufficient filtering of user input by a specific function. The vulnerability can be exploited to conduct...
CVE-2023-24839 HGiga MailSherlock - Reflected XSS
HGiga MailSherlock’s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack...
Cross-site Scripting (XSS)
pimcore/pimcore is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists in scheduler.js because it does not sanitize the HTML in the time field, which allows an attacker to inject and execute arbitrary JavaScript in the browser...
PT-2023-20584 · Ibm · Ibm Websphere Application Server
Name of the Vulnerable Software and Affected Versions: IBM WebSphere Application Server version 9.0 Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session...
FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The plugin does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form which will trigger for any visitor to the form or admins previewing or editing the...