5077 matches found

OSV
added 2020/05/28 4:15 a.m. | 3 views

CVE-2020-13644

An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wpajaxaccordionsajaximportjson action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordio...

CVSS 5.4 | AI score 6.1 | EPSS 0.00766
Exploits: 2 | References: 2

CVE
added 2020/05/28 3:11 a.m. | 59 views

CVE-2020-13644

The WordPress Accordion plugin (versions

CVSS 5.4 | AI score 5.3 | EPSS 0.00766
Exploits: 2 | References: 2 | Affected Software: 1

WPVulnDB
added 2020/05/28 12:0 a.m. | 20 views

Page Builder: PageLayer - Drag and Drop website builder < 1.1.2 - CSRF leading to XSS

A flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin which could allow for malicious Javascript injection. PoC...

CVSS 6.8 | AI score 3.5 | EPSS 0.00773
Exploits: 2 | References: 1 | Affected Software: 1

Prion
added 2020/05/18 1:15 p.m. | 11 views

Cross site scripting

rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php...

CVSS 3.5 | AI score 6.2 | EPSS 0.94767
Exploits: 0 | References: 1 | Affected Software: 1

RedHat Linux
added 2020/05/12 5:16 p.m. | 2 views

cxf: reflected XSS in the services listing page

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Please note that the attack exploit...

CVSS 6.1 | AI score 7.2 | EPSS 0.07055
Exploits: 0 | References: 4

RedHat Linux
added 2020/05/11 8:15 p.m. | 1 views

cxf: reflected XSS in the services listing page

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Please note that the attack exploit...

CVSS 6.1 | AI score 7.2 | EPSS 0.07055
Exploits: 0 | References: 4

RedHat Linux
added 2020/05/11 8:12 p.m. | 1 views

cxf: reflected XSS in the services listing page

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject JavaScript into the web page. Please note that the attack exploit...

CVSS 6.1 | AI score 7.2 | EPSS 0.07055
Exploits: 0 | References: 4

CNVD
added 2020/05/08 12:0 a.m. | 3 views

Tecnick.com TCExam Cross-Site Scripting Vulnerability (CNVD-2020-32377)

Tecnick.com TCExam is a Web-based open source e-exam system from Tecnick.com, UK. The system is mainly used for online exams and more. A cross-site scripting vulnerability exists in Tecnick.com TCExam version 14.2.2, which can be exploited by remote attackers to inject malicious JavaScript code...

CVSS 5.4 | AI score 6.3 | EPSS 0.00666
Exploits: 1 | References: 1

Prion
added 2020/05/07 5:15 p.m. | 16 views

Cross site scripting

A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATHINFO to home.php...

CVSS 4.3 | AI score 5.9 | EPSS 0.00773
Exploits: 0 | References: 1 | Affected Software: 2

Cvelist
added 2020/05/07 4:36 p.m. | 15 views

CVE-2020-12679

A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATHINFO to home.php...

AI score 6 | EPSS 0.00773
Exploits: 0 | References: 1

CNVD
added 2020/04/23 12:0 a.m. | 5 views

WordPress data-tables-generator-by-supsystic cross-site request forgery vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. data-tables-generator-by-supsystic is a data table generator plugin used in it. A security vulnerability exists in WordPress...

CVSS 9.6 | AI score 6.5 | EPSS 0.00687
Exploits: 0 | References: 1

Prion
added 2020/04/22 4:15 p.m. | 16 views

Design/Logic Flaw

lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...

CVSS 3.5 | AI score 5.5 | EPSS 0.00889
Exploits: 1 | References: 2 | Affected Software: 1

CNVD
added 2020/04/17 12:0 a.m. | 2 views

IBM Maximo Asset Management Cross-Site Scripting Vulnerability (CNVD-2020-25565)

IBM Maximo Asset Management is a comprehensive asset lifecycle and maintenance management solution from IBM USA. A cross-site scripting vulnerability exists in IBM Maximo Asset Management versions 7.6.1.0, 7.6.0.10, and 7.6.1.1. A remote attacker can exploit the vulnerability to inject arbitrary...

CVSS 6.1 | AI score 6.4 | EPSS 0.00872
Exploits: 0 | References: 1

CNVD
added 2020/04/15 12:0 a.m. | 3 views

Siemens Climatix POL908 and POL909 Cross-Site Scripting Vulnerabilities

Siemens Climatix is a standardized and programmable control solution for air conditioning, refrigeration and district heating OEMs from Siemens, Germany, offering a comprehensive HVAC portfolio that can be expanded to meet specific needs. BACnet IP - POL908 is one of the BACnet IP communication...

CVSS 6.1 | AI score 6.3 | EPSS 0.00645
Exploits: 0 | References: 1

Hacker One
added 2020/04/10 10:16 a.m. | 591 views

Glassdoor: Reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/

Summary: There is a reflected XSS on https://www.glassdoor.com/employers/sem-dual-lp/ through the utmsource parameter. By using URL encoding I was able to bypass the WAF. Affected URL or select Asset from In-Scope: https://www.glassdoor.com/ Affected Parameter: utmsource Vulnerability Type: XSS...

AI score 1.2
Exploits: 0

Veracode
added 2020/04/10 12:16 a.m. | 23 views

Cross-site Scripting (XSS)

SquirrelMail is vulnerable to cross-site scripting (XSS). The vulnerability exists as an attacker could inject arbitrary JavaScript or HTML content into SquirrelMail pages by tricking a user into visiting a carefully crafted URL...

CVSS 6.8 | AI score 1 | EPSS 0.01924
Exploits: 1 | References: 33 | Affected Software: 1

CNVD
added 2020/04/09 12:0 a.m. | 2 views

IBM Rational DOORS Next Generation Cross-Site Scripting Vulnerability (CNVD-2020-22339)

IBM Rational DOORS Next Generation DNG/RRC is a suite of software for capturing, tracking, analyzing, and managing requirements from IBM, USA. The software provides a single platform for global team collaboration to manage requirements more efficiently, sharing unified users, servers and project...

CVSS 5.4 | AI score 6.3 | EPSS 0.00673
Exploits: 0 | References: 1

CNVD
added 2020/04/09 12:0 a.m. | 2 views

IBM Rational Quality Manager Cross-Site Scripting Vulnerability (CNVD-2020-22338)

IBM Rational Quality Manager RQM is a collaborative, Web-based quality management solution from IBM. The program provides test planning and test evaluation management methods within the entire software development lifecycle, and the ability to share information, automation to accelerate the proje...

CVSS 5.4 | AI score 6.3 | EPSS 0.00673
Exploits: 0 | References: 1

CNVD
added 2020/04/09 12:0 a.m. | 2 views

IBM Rational DOORS Next Generation Cross-Site Scripting Vulnerability (CNVD-2020-22340)

IBM Rational DOORS Next Generation DNG/RRC is a suite of software for capturing, tracking, analyzing, and managing requirements from IBM, USA. The software provides a single platform for global team collaboration to manage requirements more efficiently, sharing unified users, servers and project...

CVSS 5.4 | AI score 6.3 | EPSS 0.00673
Exploits: 0 | References: 1

OSV
added 2020/04/07 7:15 p.m. | 1 views

CVE-2020-11508

An XSS vulnerability in the WP Lead Plus X plugin through 0.98 for WordPress allows logged-in users with minimal permissions to create or replace existing pages with a malicious page containing arbitrary JavaScript via the wpajaxcore37lpsavepage aka core37lpsavepage AJAX action...

CVSS 5.4 | AI score 6.2 | EPSS 0.00784
Exploits: 2 | References: 1