
32 matches found

Snyk
added 2025/11/18 11:22 p.m. | 5 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Changes dialog. An attacker can execute arbitrary scripts in the context of another authenticated user's session by injecting malicious code into page titles or usernames, which is then triggered when...

CVSS 5.4 | AI score 5.4 | EPSS 0.00156
Exploits: 0 | References: 2
Cvelist
added 2025/11/18 10:44 p.m. | 8 views

CVE-2025-65012 Kirby CMS has cross-site scripting (XSS) in the changes dialog

Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the...

CVSS 5.1 | EPSS 0.00156
Exploits: 0 | References: 2
CVE
added 2025/11/18 10:44 p.m. | 10 views

CVE-2025-65012

Kirby CMS 5.0.0–5.1.3 contains a cross-site scripting (XSS) vulnerability in the Changes dialog. An attacker with authenticated Panel user access can corrupt a page title or username with a malicious string, then modify related content fields; when another authenticated user opens the dialog, the...

CVSS 5.4 | AI score 6.5 | EPSS 0.00156
Exploits: 0 | References: 2 | Affected Software: 1
Vulnrichment
added 2025/11/18 10:44 p.m. | 2 views

CVE-2025-65012 Kirby CMS has cross-site scripting (XSS) in the changes dialog

Kirby is an open-source content management system. From versions 5.0.0 to 5.1.3, attackers could change the title of any page or the name of any user to a malicious string. Then they could modify any content field of the same model without saving, making the model a candidate for display in the...

CVSS 5.1 | AI score 6.5 | EPSS 0.00156
Exploits: 0 | References: 2
OSV
added 2025/11/18 6:1 p.m. | 6 views

GHSA-84HF-8GH5-575J Kirby CMS has cross-site scripting (XSS) in the changes dialog

TL;DR This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. ---- Introductio...

CVSS 5.1 | AI score 6.6 | EPSS 0.00156
Exploits: 0 | References: 4
Github Security Blog
added 2025/11/18 6:1 p.m. | 6 views

Kirby CMS has cross-site scripting (XSS) in the changes dialog

TL;DR This vulnerability affects all Kirby 5 sites that might have potential attackers in the group of authenticated Panel users or that allow external visitors to update page titles or usernames. The attack requires user interaction by another Panel user and cannot be automated. ---- Introductio...

CVSS 5.4 | AI score 6.7 | EPSS 0.00156
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2025/04/18 3:56 p.m. | 13 views

CVE-2025-32389 NamelessMC Vulnerable to SQL Injections in /user/messaging and /panel/users/reports Pages

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Prior to version 2.1.4, NamelessMC is vulnerable to SQL injection by providing an unexpected square bracket GET parameter syntax. Square bracket GET parameter syntax refers to the structure...

CVSS 8.6 | EPSS 0.00412
Exploits: 1 | References: 3
OSV
added 2024/08/29 5:55 p.m. | 18 views

GHSA-JM9M-RQR3-WFMH Kirby has insufficient permission checks in the language settings

TL;DR This vulnerability affects all Kirby sites with enabled languages option that might have potential attackers in the group of authenticated Panel users. If you have disabled the languages and/or api option and don't call any methods in your code that cause a write access to languages languag...

CVSS 8.8 | AI score 7.9 | EPSS 0.00405
Exploits: 0 | References: 15
Prion
added 2022/11/29 1:15 p.m. | 21 views

Design/Logic Flaw

The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the shortcontent and fullcontent fields, leading to XSS attacks against admin panel users via posts/preview or posts/save...

CVSS 5.8 | AI score 6.2 | EPSS 0.00566
Exploits: 1 | References: 2 | Affected Software: 1
Cvelist
added 2022/11/29 12:0 a.m. | 14 views

CVE-2022-36433

The blog-post creation functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 allows injection of JavaScript code in the shortcontent and fullcontent fields, leading to XSS attacks against admin panel users via posts/preview or posts/save...

AI score 6.4 | EPSS 0.00566
Exploits: 1 | References: 2
CVE
added 2022/11/29 12:0 a.m. | 60 views

CVE-2022-36433

The CVE-2022-36433 entry concerns Amasty Blog Pro for Magento 2 (version 2.10.3) where the blog-post creation functionality permits JavaScript injection in the short_content and full_content fields, enabling XSS against admin users via posts/preview or posts/save. Root cause is unfiltered content...

CVSS 6.1 | AI score 6.2 | EPSS 0.00566
Exploits: 1 | References: 2 | Affected Software: 1
Prion
added 2022/11/17 5:15 a.m. | 18 views

Cross site scripting

The Preview functionality in the Amasty Blog Pro 2.10.3 plugin for Magento 2 uses eval unsafely. This allows attackers to perform Cross-site Scripting attacks on admin panel users by manipulating the generated preview application response...

CVSS 4.9 | AI score 5.3 | EPSS 0.00534
Exploits: 1 | References: 1 | Affected Software: 1