2179 matches found
Cross site scripting
Special characters in the IGT search function of igt+ are not filtered in specific fields, which allows remote authenticated attackers to inject malicious JavaScript and carry out DOM-based cross-site scripting (XSS) attacks...
Cross-site Scripting in lightning-server
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...
GHSA-GMCH-CM2P-9QW9 Cross-site Scripting in lightning-server
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...
Cross-site Request Forgery (CSRF)
forkcms is vulnerable to cross-site request forgery. An attacker is able to hijack the authentication of logged-in administrators by injecting malicious JavaScript via the frontend navigation...
CVE-2021-30172 Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS
Special characters on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered in users' input, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected cross-site scripting (XSS) attacks, and additionally to access and manipulate customer's...
CVE-2021-24293
In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call getcartitems via photocratiajax; after that, the settingsshippingaddressname is able to inject malicious JavaScript...
Code injection
In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call getcartitems via photocratiajax; after that, the settingsshippingaddressname is able to inject malicious JavaScript...
Cross-site scripting vulnerability in Vaadin flow
Vaadin Flow is a software application. The Vaadin platform is a Java framework for building modern websites that look great, perform well and keep you and your users happy. A security vulnerability exists in vaadin:flow-server that allows an attacker to execute...
vaadin-server Cross-Site Scripting Vulnerability
Vaadin-server is a Vaadin open source application, a platform for rapid development of Web applications on the Java backend. A security vulnerability exists in vaadin-server versions 7.4.0 through 7.7.19, which an attacker can exploit to inject malicious JavaScript via an unspecified...
WordPress Photo Gallery 1.5.69 Cross Site Scripting
Researcher Name: ThuraMoeMyint. Twitter: https://twitter.com/mgthuramoemyint. Vendor URL: https://wordpress.org/plugins/photo-gallery/ ("Photo Gallery by 10Web / Mobile-Friendly Image Gallery", photo-gallery). Multiple reflected XSS: the parameter bwgalbumbreadcrumb0 is able to inject malicious JavaScript code...
ManageEngine AssetExplorer < 6.8 Unauthenticated Stored XSS
A stored cross-site scripting (XSS) vulnerability exists in the XML processing logic of asset discovery. By sending a crafted HTTP POST request to /discoveryServlet/WsDiscoveryServlet, a remote, unauthenticated attacker can create an asset containing malicious JavaScript. When an administrator view...
ManageEngine ServiceDesk Plus < 11.2 Build 11200 Unauthenticated Stored XSS
A stored cross-site scripting (XSS) vulnerability exists in the XML processing logic of asset discovery. By sending a crafted HTTP POST request to /discoveryServlet/WsDiscoveryServlet, a remote, unauthenticated attacker can create an asset containing malicious JavaScript. When an administrator view...
Exploit for Cross-site Scripting in Seafile
CVE-2021-30146 Seafile 7.0.5 Persistent XSS Suggested descri...
CVE-2021-24162
In the Responsive Menu free and Pro WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in...
Cross site request forgery (csrf)
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into...
CVE-2021-24162 Responsive Menu < 4.0.4 - CSRF to Settings Update
In the Responsive Menu free and Pro WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in...
WordPress Cross-Site Request Forgery Vulnerability
WordPress is a blogging platform developed in the PHP language by the WordPress Foundation. The platform supports personal blog sites on PHP and MySQL servers. The Contact Form 7 Style WordPress plugin through 3.1.9 suffers from a cross-site request forgery vulnerability that ste...
Wiki.js Cross-Site Scripting Vulnerability
Wiki.js is a suite of open source wiki software from the Requarks.io team, based on Node.js and written in JavaScript. Wiki.js before version 2.5.191 contains a cross-site scripting vulnerability that can be exploited by an attacker to execute malicious JavaScript while another user is viewing the...
Flo Forms < 1.0.36 - Authenticated Options Change to Stored XSS
The plugin was being actively exploited, allowing low-privilege users to use the floimportformsoptions AJAX action to import new options and inject malicious JavaScript code in the backend...
Advantech WebAccess/SCADA Cross-Site Scripting Vulnerability
Advantech WebAccess/SCADA is a suite of SCADA software from Advantech based on a browser architecture. The software supports dynamic graphical displays and real-time data control, and provides the ability to remotely control and manage automation equipment. A cross-site scripting vulnerability...