Webmin 跨站脚本漏洞

Webmin is a set of Web-based system administration tools for Unix-like operating systems from the Webmin community. A security vulnerability exists in Webmin version 2.021, which stems from a cross-site scripting XSS vulnerability discovered in the HTTP tunneling feature when handling third-party...

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to stored Cross-site Scripting XSS. The vulnerability exists registerResourcePublicRoutes function at resource.go because the default-src in CSP is not properly configured which allows an attacker to bypass the CSP, inject and execute arbitrary javascript...

PT-2023-20343

Name of the Vulnerable Software and Affected Versions Esri ArcGIS Enterprise Sites versions 10.8.1 through 10.9 Description The issue is a Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could potentially...

Esri Portal For ArcGIS Cross-Site Scripting Vulnerability

Esri Portal For ArcGIS is an Esri component that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal For ArcGIS that can be exploited by an attacker to execute arbitrary...

Esri Portal For ArcGIS 跨站脚本漏洞

Esri Portal For ArcGIS is an Esri component that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal For ArcGIS that can be exploited by an attacker to execute arbitrary...

CVE-2023-2507

CVE-2023-2507 affects CleverTap Cordova Plugin (version 2.6.2). The vulnerability arises from improper validation of data from deeplinks, allowing a remote attacker to execute JavaScript in apps opened via a crafted deeplink (XSS/remote code execution-like behavior described in sources). A patch ...

CVE-2023-30791

Plane version 0.7.1-dev is affected: an attacker can change a user’s avatar, enabling upload of files with an HTML extension that are interpreted as HTML and JavaScript. This is described across multiple sources as an insecure avatar-upload path leading to HTML/JS content. Remediation guidance in...

PT-2023-19912 · Clevertap · Clevertap Cordova Plugin

Name of the Vulnerable Software and Affected Versions: CleverTap Cordova Plugin version 2.6.2 Description: The CleverTap Cordova Plugin does not correctly validate the data coming from deeplinks before using them, allowing a remote attacker to execute JavaScript code in any application that is...

Plane 代码问题漏洞

Plane is an open source, self-hosted project planning tool from Plane Open Source. A security vulnerability exists in Plane version 0.7.1-dev, which stems from a vulnerability that allows an attacker to change the avatar of their profile, thereby allowing the upload of files with HTML extensions...

PT-2023-23658 · Apache +1 · Apache Jena +1

Name of the Vulnerable Software and Affected Versions: Apache Jena versions 3.7.0 through 4.8.0 Description: The issue is related to insufficient restrictions of called script functions in Apache Jena, allowing a remote user to execute javascript via a SPARQL query. Recommendations: For Apache Je...

Apache Jena 安全漏洞

Apache Jena is the United States Apache Apache Foundation of a Java Semantic Web framework. Used to build semantic Web and linked data applications. Apache Jena suffers from a code execution vulnerability that stems from insufficient restrictions on called script functions. An attacker can exploi...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization in the external link redirections. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization in the processes filter. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization in the processes filter. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to...

CVE-2023-32693

Summary: CVE-2023-32693 affects the Decidim framework (Ruby on Rails). The vulnerability is a Cross-Site Scripting flaw in the external link feature, allowing a remote attacker to execute JavaScript in the context of a logged-in user and potentially influence user endorsements of proposals. Affec...

Stored XSS in description of theme

Description The attacker can execute JavaScript code through the theme's description. Proof of Concept Step 1 : - Choose any theme to upload i used a copy of vanila theme - Open theme folder and change description tag of config.xml file vanilla Bootstrap Vanilla theme 16/10/2017 LimeSurvey GmbH...

Cross-site Scripting (XSS)

khodakhah/nodcms is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validations in the contact forms address element, which allows an admin authenticated attacker to inject and execute arbitrary JavaScript into the browser...

Gibbon 跨站脚本漏洞

Gibbon is a school platform that solves real-world problems that educators encounter every day. A security vulnerability exists in Gibbon version 25.0.0 that stems from the presence of a cross-site scripting XSS vulnerability that allows an attacker to execute arbitrary Javascript code...

Incorrect Authorization to Stored XSS in Import User Role function

Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step1: Even without the privilege to manage...

CVE-2023-34835

A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable deletefile parameter...