6715 matches found
EC-CUBE cross-site scripting vulnerability
EC-CUBE is an open source e-commerce system from the Japanese company EC-CUBE. A security vulnerability exists in EC-CUBE versions 4.0.0 through 4.1.2, which stems from a DOM-based cross-site scripting vulnerability that could allow a remote attacker to execute arbitrary script on the...
Movable Type plugin A-Form vulnerable to cross-site scripting
Overview: Movable Type plugin A-Form provided by ARK-Web co., ltd. contains a cross-site scripting vulnerability (CWE-79). hibiki moriyama of STNet, Incorporated reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact ...
CVE-2022-38256
TastyIgniter v3.5.0 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload...
Command injection
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as...
CVE-2022-33941
CVE-2022-33941: PowerCMS XMLRPC API from Alfasado Inc. contains a command injection vulnerability reachable via POST requests, allowing arbitrary Perl script execution and potentially arbitrary OS commands. Affected: PowerCMS 6.021 and earlier, 5.21 and earlier, 4.51 and earlier; developer notes...
CVE-2022-33941
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as...
PT-2022-23188 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 12.5-rc-1 through 13.10.5 XWiki Platform versions 12.5-rc-1 through 14.3 Description: The XWiki Platform Mentions UI allows storing Javascript or groovy scripts in a mention, macro anchor, or reference field. The store...
CVE-2020-19914
Cross Site Scripting (XSS) in xiunobbs 4.0.4 allows remote attackers to execute arbitrary web script or HTML via the attachment upload function...
Amazon Linux 2022 : redis6, redis6-devel (ALAS2022-2022-115)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-115 advisory. A flaw was found in the Redis database where Lua scripts can be manipulated to overcome ACL rules. This flaw allows an attacker with access to Redis to inject Lua code that executes the...
JVN#76024879: PowerCMS XMLRPC API vulnerable to command injection
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According to the developer,...
PT-2022-23601 · Unknown · Picuploader
Name of the Vulnerable Software and Affected Versions: PicUploader version 2.6.3. Description: A cross-site scripting (XSS) issue was found in the /master/index.php component of PicUploader. This allows for potential malicious script execution. Recommendations: For PicUploader version 2.6.3, conside...
Toxssin - An XSS Exploitation Command-Line Interface And Payload Generator
toxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an HTTPS server that works as an interpreter for the traffic generated by the malicious JavaScript payload that powers this tool (toxin.js). This...
CVE-2022-36527
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module...
CVE-2022-38078
Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products and...
Movable Type XMLRPC API vulnerable to command injection
Overview: Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability (CWE-74). Sending a specially crafted message by POST method to Movable Type XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. According...
Exploit for Incorrect Authorization in Polkit_Project Polkit
XDR-LabSetup.sh Description This program is used in conjun...
Microsoft Windows Untrusted Script Execution Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing o...
CVE-2022-35133
A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node...