Smarty 跨站脚本漏洞

Smarty is a PHP-based template engine that facilitates the separation of representations HTML/CSS from application logic. A security vulnerability exists in Smarty versions prior to 3.1.47, and 4.x versions prior to 4.2.1, which stems from the discovery of a cross-site scripting vulnerability...

CVE-2022-36778

insert HTML / js code inside input how to get to the vulnerable input : Workers worker nickname inject in this input the code...

CVE-2022-36778

insert HTML / js code inside input how to get to the vulnerable input : Workers worker nickname inject in this input the code...

jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method

A Cross-site scripting XSS vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser...

PT-2022-23187 · Xwiki · Xwiki Platform

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 14.0-rc-1 through 14.4-rc-1 Description: The issue allows storing JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. For example, an attachment with name .jp...

PT-2022-24053 · Ftcms · Ftcms

Name of the Vulnerable Software and Affected Versions: ftcms version 2.1 Description: The issue allows an attacker to insert malicious JavaScript code into the web page, causing the user or administrator to trigger malicious code when accessing. This is a result of a XSS vulnerability in the...

CVE-2022-2941

The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible...

Cross site scripting

The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible...

CVE-2022-2941 WP-UserOnline <= 2.88.0 - Authenticated (Admin+) Stored Cross-Site Scripting

The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the "Naming Conventions" section do not properly sanitize user input, nor escape it on output. This makes it possible...

Crime Reporting System 跨站脚本漏洞

Crime Reporting System is an online crime reporting system by the individual developer Tedmar Enoria. A security vulnerability exists in the Crime Reporting System version 1.0 that could allow a remote attacker to introduce arbitrary Javascript by manipulating unprocessed POST parameters...

PT-2022-19583 · WordPress · Wp-Useronline

Name of the Vulnerable Software and Affected Versions: WP-UserOnline plugin for WordPress versions up to, and including 2.88.0 Description: The issue is due to the lack of proper sanitization and escaping of user input in the "Naming Conventions" section, allowing authenticated attackers with...

CVE-2022-39050

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external...

CVE-2022-39050

An attacker who is logged into OTRS as an admin user may manipulate customer URL field to store JavaScript code to be run later by any other agent when clicking the customer URL link. Then the stored JavaScript is executed in the context of OTRS. The same issue applies for the usage of external...

CVE-2022-39824

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak...

CVE-2022-39824

Server-side JavaScript injection in Appsmith through 1.7.14 allows remote attackers to execute arbitrary JavaScript code from the server via the currentItem property of the list widget, e.g., to perform DoS attacks or achieve an information leak...

CVE-2022-39824

CVE-2022-39824 (Appsmith) : The provided documents confirm a server-side JavaScript injection vulnerability in Appsmith up to version 1.7.14, exploitable via the currentItem property of the list widget. The underlying issue allows remote attackers to run arbitrary JavaScript on the server, leadin...

CVE-2022-38790

Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting XSS bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluste...

CVE-2022-38790

Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting XSS bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permission. The exposure appears in Weave GitOps Enterprise UI via a GitopsCluste...

CVE-2022-36036

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was...

Code injection

mdx-mermaid provides plug and play access to Mermaid in MDX. There is a potential for an arbitrary javascript injection in versions less than 1.3.0 and 2.0.0-rc1. Modify any mermaid code blocks with arbitrary code and it will execute when the component is loaded by MDXjs. This vulnerability was...