CVE-2024-46965

The DS allvideo.downloader.browser aka Fast Video Downloader: Browser application through 1.6-RC1 for Android allows an attacker to execute arbitrary JavaScript code via the allvideo.downloader.browser.DefaultBrowserActivity component...

CVE-2024-50601

Axigen Mail Server (up to 10.5.28) is affected by persistent and reflected XSS via the themeMode cookie and the _h URL parameter. The described impact includes arbitrary JavaScript execution, session hijacking, and data leakage, with a multi-stage attack potential. Remediation is available in fix...

PT-2024-35152 · Unknown · Stirling-Pdf

Name of the Vulnerable Software and Affected Versions: Stirling-PDF versions prior to 0.32.0 Description: The issue in Stirling-PDF allows any unauthenticated user to execute JavaScript code in the context of the user due to the Merge functionality taking untrusted user input file name and using ...

CVE-2024-52000 Reflected Cross-site Scripting exploit in Combodo iTop

Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting XSS exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic...

CVE-2024-46960

The ASD com.rocks.video.downloader aka HD Video Downloader All Format application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component...

CVE-2024-46961

The Inshot com.downloader.privatebrowser aka Video Downloader - XDownloader application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.PrivateMainActivity component...

PT-2024-32301 · Unknown · Com.Rocks.Video.Downloader

Name of the Vulnerable Software and Affected Versions: com.rocks.video.downloader aka HD Video Downloader All Format versions 7.0.129 and earlier Description: The issue allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component. This c...

CVE-2024-46960

The ASD com.rocks.video.downloader aka HD Video Downloader All Format application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component...

Basecamp: Mutation Based Stored XSS on Trix Editor version latest (2.1.8)

A vulnerability was discovered in the Trix Editor version 2.1.8 where a mutation-based stored cross-site scripting XSS attack was possible. The vulnerability could be exploited by crafting a malicious payload that, when copied and pasted into the editor, would trigger the execution of arbitrary...

CVE-2024-48059

CVE-2024-48059 affects gaizhenbiao/chuanhuchatgpt up to version 20240802, vulnerable to stored XSS in WebSocket session transmissions. An attacker can inject malicious content into a WebSocket message, with execution of injected script in a victim’s browser when the session is accessed. The root ...

PT-2024-29708 · Unknown · Acr.Browser.Lightning +1

Name of the Vulnerable Software and Affected Versions: com.videodownload.browser.videodownloader aka AppTool-Browser-Video All Video Downloader version 20-30.05.24 Description: The issue allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity...

PT-2024-34154

Name of the Vulnerable Software and Affected Versions: I, Librarian versions prior to 5.11.2 Description: The issue arises from a broken logic in handling Supplemental Files, allowing unsafe files with Javascript to be executed within the application context. An attacker can exploit this by...

CVE-2024-31972

CVE-2024-31972 affects EnGenius ESR580 A8J-EMR5000 devices, enabling a remote attacker to perform stored XSS via the Wi‑Fi SSID input fields. The vulnerability leads to arbitrary JavaScript execution within the user’s admin session when loading the login page, specifically impacting the endpoints...

The vulnerability of the iframe plugin in the JetBrains YouTrack software environment allows a hacker to execute arbitrary JavaScript code and unauthorized API calls.

The vulnerability of the iframe plugin in the JetBrains YouTrack software environment relates to insufficient verification of the connection source. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code and make unauthorized API requests...

webkitgtk: arbitrary javascript code execution

A vulnerability was found in WebKit. This flaw allows a remote attacker to cause arbitrary javascript code execution...

CVE-2024-47878 Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing...

PT-2025-17573

Name of the Vulnerable Software and Affected Versions Jmix versions 1.0.0 through 1.6.1 Jmix versions 2.0.0 through 2.3.4 Description The issue affects Jmix, a set of libraries and tools for Spring Boot data-centric application development. It allows manipulation of the input parameter, which...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

CVE-2024-49579

JetBrains YouTrack prior to 2024.3.47197 is affected by CVE-2024-49579 due to insufficient validation of the iframe plugin communication channel, allowing arbitrary JavaScript execution and unauthorized API requests. The issue stems from the iframe plugin; attacker-controlled payloads could be ex...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...