Cross-Site Scripting (XSS)

thorsten/phpmyfaq is vulnerable to Cross-Site Scripting XSS. The vulnerability exists in instances.php due to missing sanitization to escape newly added values which allows an attacker to inject and execute JavaScript...

CVE-2023-25928 IBM InfoSphere Information Server cross-site scripting

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 247646...

CVE-2023-0442 Loan Comparison < 1.5.2 - Reflected XSS via shortcode

The Loan Comparison WordPress plugin before 1.5.3 does not validate and escape some of its query parameters before outputting them back in a page/post via an embedded shortcode, which could allow an attacker to inject javascript into into the site via a crafted URL...

CVE-2023-0442

CVE-2023-0442 affects the WordPress plugin Loan Comparison up to version 1.5.2 (pre-1.5.3). Root cause: the plugin does not validate and escape certain query parameters before echoing them in pages/posts via the embedded shortcode, enabling reflected XSS through a crafted URL. Impact: attacker co...

PT-2023-16628 · WordPress · Japanized For Woocommerce

Name of the Vulnerable Software and Affected Versions: Japanized For WooCommerce plugin for WordPress versions up to, and including, 2.5.4 Description: The issue is related to Reflected Cross-Site Scripting via the tab parameter due to insufficient input sanitization and output escaping. This...

SUSE CVE-2008-2801

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via 1 injection of JavaScript into documents within a JAR archive or 2 a JAR archive that uses relative URLs to JavaScript files...

SUSE CVE-2012-3508

Cross-site scripting XSS vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email...

SUSE CVE-2017-5010

Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56.0.2924.87 for Android, resolved promises in an inappropriate context, which allowed a remote attacker to inject arbitrary scripts or HTML UXSS via a crafted HTML page...

SUSE CVE-2017-7840

JavaScript can be injected into an exported bookmarks file by placing JavaScript code into user-supplied tags in saved bookmarks. If the resulting exported HTML file is later opened in a browser this JavaScript will be executed. This could be used in social engineering and self-cross-site-scripti...

SUSE CVE-2017-15427

Insufficient policy enforcement in Omnibox in Google Chrome prior to 63.0.3239.84 allowed a socially engineered user to XSS themselves by dragging and dropping a javascript: URL into the URL bar...

SUSE CVE-2017-1000386

Jenkins Active Choices plugin version 1.5.3 and earlier allowed users with Job/Configure permission to provide arbitrary HTML to be shown on the 'Build With Parameters' page through the 'Active Choices Reactive Reference Parameter' type. This could include, for example, arbitrary JavaScript. Acti...

SUSE CVE-2018-5158

The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR 52.8 and Firefox 60...

SUSE CVE-2021-21442

In the project create screen it's possible to inject malicious JS code to the certain fields. The code might be executed in the Reporting screen. This issue affects: OTRS AG Time Accounting: 7.0.x versions prior to 7.0.19...

SUSE CVE-2022-39050

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external...

SUSE CVE-2023-23942

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as strong, em and head lines in the UI of the desktop client. The lack of sanitisation...

JSA10459 - Pulse Connect Secure (PCS) meeting_testjava.cgi XSS Vulnerability (ZDI-10-231)

Ivanti 4th of March 2024 - This isn't an active SA and any new edits are part of an article maintenance project. The CGI script /dana-na/meeting/meetingtestjava.cgi is vulnerable to a cross-site scripting XSS attack. The script tests the presence of a JVM client by loading an applet. An attacker...

Stored XSS

Description answer has a feature to customize the "Site Name" during installation or in the settings page , due to a bad sanitization it allows to put arbitrary html code which allows to execute javascript code. Everytime a user enter in the website, the xss is triggered. Injected payload...

Cross-site Scripting (XSS)

tinymighty/wiki-seo is vulnerable to Cross-Site Scripting XSS. The vulnerability exist in the Meta Property Tag Handler parameter of WikiSEO.body.php due to the lack of validation in the html elements when adding a user which allows an attacker to inject and execute malicious JavaScript...

CVE-2023-23475

IBM Infosphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245423...

CVE-2022-21948

An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in paste allows remote attackers to place Javascript into SVG files. This issue affects: openSUSE paste paste version b57b9f87e303a3db9465776e657378e96845493b and prior versions...