2176 matches found

CNVD
added 2024/08/16 12:00 a.m. · 7 views

Adobe Commerce Cross-Site Scripting Vulnerability (CNVD-2024-44532)

Adobe Commerce is a business- and brand-oriented digital commerce solution from Adobe, a US company, and a global leader in its field. A cross-site scripting vulnerability exists in Adobe Commerce that can be exploited by an attacker to execute malicious JavaScript in a browser...

CVSS 7.6 · AI score 6.1 · EPSS 0.02812
Exploits 0 · References 1

CVE
added 2024/08/16 12:00 a.m. · 46 views

CVE-2024-43006

ZZCMS2023 contains a stored XSS in /user/ask_edit.php?action=add via the content parameter. When an attacker injects JavaScript in content and a user loads ask/show_{newsid}.html, the script runs in the user’s browser, potentially stealing cookies or session tokens. Affected component: ZZCMS2023,...

CVSS 5.4 · AI score 5.6 · EPSS 0.00155
Exploits 0 · References 2 · Affected Software 1

CNNVD
added 2024/08/14 12:00 a.m. · 1 view

Adobe Commerce Cross-Site Scripting Vulnerability

Adobe Commerce is a business- and brand-oriented digital commerce solution from Adobe, a US company, and a global leader in its field. A cross-site scripting vulnerability exists in Adobe Commerce that can be exploited by an attacker to execute malicious JavaScript in a browser...

CVSS 7.6 · AI score 6.2 · EPSS 0.02812
Exploits 0 · References 3

OSV
added 2024/08/12 3:15 p.m. · 1 view

CVE-2024-33533

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0, issue 1 of 2. A reflected cross-site scripting (XSS) vulnerability has been identified in the Zimbra webmail admin interface. This vulnerability occurs due to inadequate input validation of the packages parameter, allowing an...

CVSS 5.4 · AI score 5.9
Exploits 0 · References 2

CVE
added 2024/08/07 11:19 p.m. · 61 views

CVE-2024-6892

Summary of CVE-2024-6892 (Journyx Reflected XSS) Affected product: Journyx (jtime) version 11.5.4. Root cause: Reflected cross-site scripting caused by unsanitized/reflected error_description parameter in the active directory login flow, which can be set via the URL and reflected in the page resp...

CVSS 6.1 · AI score 7 · EPSS 0.07512
Exploits 2 · References 2 · Affected Software 1

Positive Technologies
added 2024/07/31 12:00 a.m. · 3 views

PT-2024-5620 · Unknown · Xwiki Platform

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 14.10.21; XWiki Platform versions prior to 15.5.5; XWiki Platform versions prior to 15.10.6; XWiki Platform versions prior to 16.0.0. Description: The issue is related to the execution of malicious JavaScript code...

CVSS 8.7 · AI score 7.3 · EPSS 0.05326
Exploits 1 · References 19

CNNVD
added 2024/07/26 12:00 a.m. · 3 views

Tracks Security Vulnerability

Tracks is an open source GTD-compatible web application built with Ruby on Rails by TracksApp. A security vulnerability exists in Tracks versions prior to 2.7.1. An attacker exploited the vulnerability to execute malicious JavaScript in a user's browser environment, which could lead to a credenti...

CVSS 6.1 · AI score 6.7 · EPSS 0.00523
Exploits 0 · References 5

OSV
added 2024/07/24 4:15 a.m. · 2 views

CVE-2024-3246

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVSS 5.4 · AI score 5.6 · EPSS 0.00326
Exploits 0 · References 2

Cvelist
added 2024/07/24 3:17 a.m. · 26 views

CVE-2024-3246 LiteSpeed Cache <= 6.2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVSS 6.1 · EPSS 0.00326
Exploits 0 · References 2

Vulnrichment
added 2024/07/24 3:17 a.m. · 20 views

CVE-2024-3246 LiteSpeed Cache <= 6.2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScrip...

CVSS 6.1 · AI score 6.2 · EPSS 0.00326
Exploits 0 · References 2

NVD
added 2024/07/16 5:15 p.m. · 16 views

CVE-2024-40626

Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other...

CVSS 7.3 · EPSS 0.00175
Exploits 1 · References 1

NVD
added 2024/07/16 9:15 a.m. · 11 views

CVE-2024-1937

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVSS 7.1 · EPSS 0.00164
Exploits 0 · References 2

OSV
added 2024/07/16 9:15 a.m. · 3 views

CVE-2024-1937

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...

CVSS 6.5 · AI score 5.9 · EPSS 0.00164
Exploits 0 · References 2

CVE
added 2024/07/16 8:32 a.m. · 89 views

CVE-2024-1937

CVE-2024-1937 (Brizy – Page Builder for WordPress) affects Brizy up to version 2.4.44. The vulnerability is caused by a missing capability check in the update_item function, allowing authenticated attackers with contributor access and above to modify content of arbitrary published posts, includin...

CVSS 7.1 · AI score 6.8 · EPSS 0.00164
Exploits 0 · References 2 · Affected Software 1

Positive Technologies
added 2024/07/15 12:00 a.m. · 1 view

PT-2024-24310 · Stormshield · Stormshield Network Security

Name of the Vulnerable Software and Affected Versions: Stormshield Network Security (SNS) versions 3.7.0 through 3.7.41; Stormshield Network Security (SNS) versions 3.10.0 through 3.11.29; Stormshield Network Security (SNS) versions 4.0 through 4.3.24; Stormshield Network Security (SNS) versions 4.4.0 throu...

CVSS 4.2 · AI score 7.2 · EPSS 0.0006
Exploits 0 · References 4

CNNVD
added 2024/07/11 12:00 a.m. · 4 views

Naver Whale Browser Security Vulnerability

Naver Whale Browser is a web browser from Naver, a South Korean company that supports user-defined interfaces. A security vulnerability exists in Naver Whale Browser versions prior to 3.26.244.21, which stems from improper cleanup when dealing with built-in extensions, allowing an attacker to...

CVSS 9.6 · AI score 6.9 · EPSS 0.00144
Exploits 0 · References 2

Positive Technologies
added 2024/07/11 12:00 a.m. · 4 views

PT-2024-28945 · Unknown · Whale Browser

Name of the Vulnerable Software and Affected Versions: Whale browser versions prior to 3.26.244.21. Description: The issue allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension. Recommendations: For versions prior to 3.26.244.21, updat...

CVSS 9.6 · AI score 7.4 · EPSS 0.00144
Exploits 0 · References 5

Wallarm Lab
added 2024/07/10 5:50 a.m. · 13 views

Polyfill.io Supply Chain Attack: Malicious JavaScript Injection Puts Over 100k Websites At Risk

Polyfill.io helps web developers achieve cross-browser compatibility by automatically managing necessary polyfills. By adding a script tag to their HTML, developers can ensure that features like JavaScript functions, HTML5 elements, and various APIs work across different browsers. Originally...

AI score 6.5
Exploits 0

OSV
added 2024/07/08 2:22 p.m. · 10 views

GHSA-3V33-3WMW-3785 yt-dlp has dependency on potentially malicious third-party code in Douyu extractors

Impact: yt-dlp's DouyuTV and DouyuShow extractors used a cdn.bootcdn.net URL as a fallback for fetching a component of the crypto-js JavaScript library. When the Douyu extractor is used, yt-dlp extracts this JavaScript code and attempts to execute it externally using PhantomJS. bootcdn.net is owne...

AI score 7.8
Exploits 0 · References 4

OSV
added 2024/07/07 4:15 p.m. · 9 views

CVE-2024-6229

A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever an...

CVSS 5.4 · AI score 5.5
Exploits 0 · References 1