CVE-2024-26121 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

CVE-2024-36142 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...

CVE-2024-26086 Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browse...

Carbon Forum 5.9.0 Cross Site Scripting

Exploit Title: Persistent XSS in Carbon Forum 5.9.0 Stored Date: 06/12/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://www.94cb.com/ Software Link: https://github.com/lincanbin/Carbon-Forum Version: 5.9.0 Tested on: Windows XP CVE: N/A Vulnerability Details A persistent stored XSS...

CVE-2024-3850

Affected product: Uniview NVR301-04S2-P4. Vulnerability: reflected cross-site scripting (XSS) via the PATH of LAPI. Root cause: improper neutralization of input during web page generation (CWE-79), with XSS possible on pages under /LAPI/. Some sources note authentication is required; others indic...

CVE-2024-3402 Stored XSS vulnerability in gaizhenbiao/chuanhuchatgpt

A stored Cross-Site Scripting XSS vulnerability existed in version 20240121 of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model,...

CVE-2024-4812

The CVE-2024-4812 entries describe a stored cross-site scripting (XSS) vulnerability in the Katello plugin for Foreman, where malicious JavaScript can be saved in a user Description field and executed when loading pages such as Host Collections. Root cause: insufficient input sanitization of the ...

Cross-site Scripting (XSS)

org.opencms:opencms-core is vulnerable to Cross-site Scripting XSS. The vulnerability is due to insufficient input validation in the "title" field, allowing users with sufficient privileges to insert and execute malicious JavaScript code through the admin panel...

CVE-2024-5520

OpenCMS 16 by Alkacon has two stored Cross-Site Scripting vulnerabilities affecting the title field that let users with sufficient privileges create/modify pages and execute malicious JavaScript when pages are viewed. The issue arises from insufficient input validation in the title field. Several...

CVE-2024-5520 Cross-Site Scripting stored in Alkacon OpenCMS

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the “title” field...

CVE-2023-49574

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14 that could allow an attacker to execute persistent XSS through /addjob in jobname. This vulnerability could allow an attacker to store malicious JavaScript payloads on the system to be triggered when the page...

CVE-2023-49573

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14 that could allow an attacker to execute persistent XSS through /addcommandaction in actionvalue. This vulnerability could allow an attacker to store malicious JavaScript payloads on the system to be triggered wh...

CVE-2023-49575

CVE-2023-49575 affects VX Search Enterprise (v10.2.14) and related Flexense products (Sync Breeze Enterprise Server 10.4.18, Disk Pulse Enterprise 10.4.18). A persistent XSS vulnerability exists via the /setup_smtp API endpoints, specifically in smtp_server, smtp_user, smtp_password, and smtp_ema...

CVE-2023-49573 XSS vulnerability in VX Search Enterprise

A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14 that could allow an attacker to execute persistent XSS through /addcommandaction in actionvalue. This vulnerability could allow an attacker to store malicious JavaScript payloads on the system to be triggered wh...

CVE-2023-49572

CVE-2023-49572 corresponds to a persistent XSS vulnerability in VX Search Enterprise (v10.2.14) and Disk Pulse Enterprise (v10.4.18) exploitable via /setup_odbc parameters odbc_data_source, odbc_user and odbc_password. The issue allows an attacker to store and trigger malicious JavaScript payload...

SVGMagic <= 1.1 - Stored XSS via SVG Upload

Description The plugin does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks. PoC 1. Create a SVG file with the malicious payload within it; Example SVG file:...

CVE-2024-34710

CVE-2024-34710 affects Wiki.js (Node.js-based wiki app). The issue is a Client-Side Template Injection that enables an attacker to inject malicious JavaScript into page content, triggering when a victim loads the page containing the payload. Root cause: improper sanitization via an invalid HTML t...

CVE-2024-34710 Wiki.js Stored XSS through Client Side Template Injection

Wiki.js is al wiki app built on Node.js. Client side template injection was discovered, that could allow an attacker to inject malicious JavaScript into the content section of pages that would execute once a victim loads the page that contains the payload. This was possible through the injection ...

CVE-2024-32733

Due to missing input validation and output encoding of untrusted data, SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject malicious JavaScript code into the dynamically crafted web page. On successful exploitation the attacker can access or modify...

CVE-2024-33864

The CVE-2024-33864 entry covers a vulnerability in linqi prior to 1.4.0.1 on Windows that enables SSRF via Document template generation, including the use of remote images during process creation, file inclusion, and PDF document generation through malicious JavaScript. Affected component behavio...