696 matches found
CI4MS: Blogs Posts Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via Blog Post Content Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Blog Post Content in Blog Management Description The application fails to properly sanitize user-controlled input when creating or editing blog posts. An attacker...
GHSA-V897-C6VQ-6CR3 CI4MS: System Settings (Company Information) Full Platform Compromise & Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Summary Vulnerability: Stored DOM XSS via System Settings – Company Information Same-Page Attribute Breakout & Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized Company Information Configuration Fields with Immediate Same-Page Execution Description The application fails t...
CVE-2026-30082
Multiple stored cross-site scripting XSS vulnerabilities in the Edit feature of the Software Package List page of IngEstate Server v11.14.0 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the About application, What's news, or Release note parameters...
cpp-httplib 环境问题漏洞
cpp-httplib is a C++ library developed by Yhirose, which includes servers and clients for HTTP/HTTPS communication. Versions of cpp-httplib prior to 0.40.0 contained environmental issues. This issue stems from the static file processing mechanism not properly handling the request body, which coul...
CVE-2024-51224
Multiple cross-site scripting XSS vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the vehiclename, modelnumber, regnumber, vehiclesubtype,...
CVE-2019-25637
X-NetStat Pro 5.63 contains a local buffer overflow vulnerability that allows a local attacker to execute arbitrary code by overwriting the EIP register via a 264-byte overflow. The attacker can inject shellcode into memory and use an egg hunter technique to locate and execute the payload when th...
CVE-2019-25633
CVE-2019-25633 affects AIDA64 Extreme 5.99.4900. A structured exception handling buffer overflow via the email preferences and report wizard interfaces allows a local attacker to execute arbitrary code by supplying crafted input. Specifically, payloads injected into the Display name field and via...
Nesote Inout Article Base CMS SQL注入漏洞
Nesote Inout Article Base CMS is a content management system developed by the Indian company Nesote, designed for building article publishing and content management websites. The Inout Article Base CMS has a SQL injection vulnerability. This vulnerability stems from SQL injection attacks, allowin...
CVE-2024-51226
A stored cross-site scripting XSS vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Search parameter...
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify
A Stored Cross-Site Scripting XSS vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification such as info.description, they can break out of the JSON context and execute arbitrary JavaScript when a user views the...
CVE-2026-32880 ChurchCRM is vulnerable to Stored XSS through JSON handling in SystemSettings.php
ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in SystemSettings.php, leading ...
CVE-2017-20219 Serviio PRO 1.8 DOM-based Cross-Site Scripting via mediabrowser
Serviio PRO 1.8 DLNA Media Streaming Server contains a DOM-based cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads. Attackers can craft URLs with malicious input that is read from document.location and passed to...
Exploit for Cross-site Scripting in Invoiceplane
CVE-2026-25594 — Stored XSS via Family Name in InvoicePlane 1...
PT-2026-25145
Name of the Vulnerable Software and Affected Versions thingino-firmware versions prior to commit e3f6a41 wpDiscuz versions prior to 7.6.47 Description thingino-firmware contains an unauthenticated operating system command injection issue in the WiFi captive portal CGI script. This allows remote...
📄 Easy Grade Pro 4.1 Malformed .EGP File Denial of Service
This Python script generates a malformed .EGP gradebook file designed to trigger a crash in Easy Grade Pro 4.1 by corrupting data at a specific offset within the file...
CVE-2018-25194
Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the username parameter. Attackers can send POST requests to the login/checklogin.php endpoint with crafted UNION-based SQL injection...
CVE-2019-25502 Simple Job Script Cross-Site Scripting via job_type_value Parameter
Simple Job Script contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the jobtypevalue parameter in the jobs endpoint. Attackers can craft requests with SVG payload injection to execute arbitrary JavaScript in victim...
PT-2026-22762
An issue was discovered in Nokia Impact before Mobile 23 FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that ma...
CVE-2023-31044
An issue was discovered in Nokia Impact before Mobile 23FP1. In Impact DM 19.11 onwards, a remote authenticated user, using the Add Campaign functionality, can inject a malicious payload within the Campaign Name. This data can be exported to a CSV file. Attackers can populate data fields that may...
Nokia Impact Mobile 安全漏洞
Nokia Impact Mobile is a mobile network device management and automation platform developed by Finnish company Nokia. Previous versions of Nokia Impact Mobile, including 23FP1, contained security vulnerabilities. These vulnerabilities stemmed from the Campaign Name parameter in the Add Campaign...