HTML Injection in Folder Name
Description The application does not sanitize the folder name and, due to missing output encoding, HTML in user input is rendered in the webpage during folder deletion. Proof of Concept 1. Log in to Teampass as any user. 2. Go to the Folders tab. 3. Create a new folder with an HTML tag in the Label. Example: HTM...
CVE-2023-33194 CraftCMS stored XSS in Quick Post widget error message
Craft is a CMS for creating custom digital experiences on the web. The platform does not filter input and encode output in the Quick Post validation error message, which can deliver an XSS payload. An earlier CVE fixed the XSS in the label HTML but did not fix it when clicking save. This issue was patched in...
Pixel&tonic Craft CMS Cross-Site Scripting Vulnerability
Pixel & tonic Craft CMS is a content management system (CMS) from the US-based Pixel & tonic, Inc. A security vulnerability exists in Pixel & tonic Craft CMS that stems from not filtering input and encoding output in Quick Post validation error messages, which would allow the delivery of payloads with...
Music Gallery Site 1.0 SQL Injection Vulnerability
Music Gallery Site - SQL Injection: the musiclist.php page is vulnerable via the cid parameter; the application URL is ?page=musiclist&cid=?. Any remote attacker can access this page to exploit the vulnerability. CVE Assigned: CVE-2023-0938 mitre.org nvd.nist.org Author Name: Muhammad Navaid Zafar Ansari...
Cross-site Scripting (XSS)
Overview serve-lite is a lightweight http-server for static file-based web development. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because when it detects a request to a directory, it renders a file listing of all of its contents with links that include the...
CVE-2022-44002
An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient output encoding of user-supplied data, the web application is vulnerable to cross-site scripting XSS at various locations...
BACKCLICK Cross-Site Scripting Vulnerability
BACKCLICK is marketing software from BACKCLICK Germany that helps organizations create, implement, measure, and run web-based email campaigns. A security vulnerability exists in BACKCLICK Professional 5.9.63, which stems from insufficient output encoding of user-supplied data, allowing an attacker...
PT-2022-27064 · Unknown · Backclick Professional
Name of the Vulnerable Software and Affected Versions: BACKCLICK Professional version 5.9.63 Description: An issue was discovered due to insufficient output encoding of user-supplied data, making the web application vulnerable to cross-site scripting XSS at various locations. Recommendations: For...
CVE-2022-39017
Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments...
CVE-2022-39017 XSS in all comments fields in M-Files Hubshare
Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments...
CVE-2022-39017
CVE-2022-39017 affects M-Files Hubshare (pre-3.3.10.9). The vulnerability arises from improper input validation and output encoding in all comment fields, enabling authenticated attackers to inject cross-site scripting via specially crafted comments. Technical impact is cross-site scripting, with...
PT-2022-24673 · M Files · M-Files Hubshare
Name of the Vulnerable Software and Affected Versions: M-Files Hubshare versions prior to 3.3.10.9 Description: The issue is related to improper input validation and output encoding in comments fields, allowing authenticated attackers to introduce cross-site scripting attacks via specially crafte...
Reflected XSS via POST
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a differen...
The vulnerability of the software component apt-lib.pl in the Webmin hosting control panel allows a hacker to execute arbitrary code.
The vulnerability in the software/apt-lib.pl component of the Webmin hosting panel is caused by the lack of output encoding or escaping. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
GHSA-XVGX-668J-F67P Subrion CMS XSS
An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the vlanguageswitch parameter within multipart/form-data, which is reflected back within a user's browser without proper output encoding...
Subrion CMS XSS
An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the vlanguageswitch parameter within multipart/form-data, which is reflected back within a user's browser without proper output encoding...
JGraph draw.io Cross-Site Scripting Vulnerability
JGraph draw.io is a configurable charting/whiteboard visualization application from JGraph. Versions prior to JGraph draw.io 18.0.4 contain a cross-site scripting vulnerability that stems from the program's lack of validation and filtering of user-supplied data and output. An attacker could explo...
Improper Encoding or Escaping of Output
Gitea before 1.16.7 does not escape git fetch remote...