Cross-site scripting
IBM Rational Change 5.3 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the SUPPTEMPLATEFLAG parameter in a specially-crafted URL to execute script in a victim's Web browser within the security...
CVE-2022-37346
EC-CUBE plugin 'Product Image Bulk Upload Plugin' 1.0.0 and 4.1.0 contains an insufficient verification vulnerability when uploading files. Exploiting this vulnerability allows a remote unauthenticated attacker to upload arbitrary files other than image files. If a user with an administrative...
CVE-2022-40044
Centreon v20.10.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the escname (Escalation Name) parameter at Configuration/Notifications/Escalations. This vulnerability allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...
CVE-2022-39239 netlify-ipx subject to Server-Side Request Forgery and Stored Cross-Site Scripting via Cache Poisoning and Improper Host Validation
netlify-ipx is an on-demand image optimization for Netlify using ipx. In versions prior to 1.2.3, an attacker can bypass the source image domain allowlist by sending specially crafted headers, causing the handler to load and return arbitrary images. Because the response is cached globally, this...
CVE-2022-40088
Simple College Website v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /collegewebsite/index.php?page=. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the page parameter...
CVE-2022-28980
Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal v7.4.3.4 and Liferay DXP v7.4 GA allow attackers to execute arbitrary web scripts or HTML via parameters with the filter prefix...
Mageia: Security Advisory (MGASA-2022-0339)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
PT-2022-19340 · Liferay · Liferay Dxp +1
Name of the Vulnerable Software and Affected Versions: Liferay Portal version 7.4.3.4 Liferay DXP version 7.4 GA Description: The issue allows attackers to execute arbitrary web scripts or HTML via parameters with the filter prefix. This enables the execution of malicious scripts, potentially...
CVE-2022-40027
SourceCodester Simple Task Managing System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component newTask.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the shortName parameter...
CVE-2022-3255
CVE-2022-3255 is a cross-site scripting (XSS) issue affecting Pimcore. The vulnerability arises when an attacker can control a script executed in the victim’s browser, enabling the attacker to perform actions the user can, view and modify user data, and initiate interactions with other users that...
CVE-2022-3255 Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify...
ruby-arr-pm OS command injection vulnerability
ruby-arr-pm is an RPM read/write library written in Ruby by the individual developer Jordan Sissel. It is intended to provide a way for fpm to read and write RPMs. A security vulnerability exists in ruby-arr-pm version 0.0.11 and earlier. An attacker could use this vulnerability to execute shell...
CVE-2022-38550
A stored cross-site scripting (XSS) vulnerability in the /weibo/list component of Jeesns v2.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...
OPSWAT MetaDefender ICAP Server cross-site scripting vulnerability
OPSWAT MetaDefender ICAP Server is an advanced threat protection software for network traffic from OPSWAT, USA. It is used to protect systems and users by examining every file transmitted over a network. A security vulnerability exists in OPSWAT MetaDefender ICAP Server versions prior to 4.13.0. ...
CVE-2022-30680
Adobe Experience Manager versions 6.5.13.0 and earlier are affected by a reflected cross-site scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's...
EC-CUBE plugin "Product Image Bulk Upload Plugin" vulnerable to insufficient verification in uploading files
Overview: EC-CUBE plugin "Product Image Bulk Upload Plugin", a plugin that enables uploading image files, provided by EC-CUBE CO.,LTD., contains an insufficient verification vulnerability when uploading files (CWE-20). Exploiting this vulnerability allows a remote unauthenticated attacker to upload...
JVN#21213852: Multiple vulnerabilities in EC-CUBE
EC-CUBE provided by EC-CUBE CO.,LTD. contains multiple vulnerabilities listed below. Directory traversal vulnerability (CWE-22) - CVE-2022-40199

| Version | Vector | Score |
|---|---|---|
| CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N | Base Score: 2.7 |
| CVSS v2 | AV:N/AC:L/Au:S/C:P/I:N/A:N | Base Score: ... |
EC-CUBE cross-site scripting vulnerability
EC-CUBE is an open source e-commerce system from the Japanese company EC-CUBE. A security vulnerability exists in EC-CUBE versions 4.0.0 through 4.1.2, which stems from a DOM-based cross-site scripting vulnerability that could allow a remote attacker to execute arbitrary script on the...