
6718 matches found

Cvelist
added 2019/08/15 9:35 p.m., 21 views

CVE-2019-9851 LibreLogo global-event script execution

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handlers...

9.8 AI score, 0.78007 EPSS
Exploits 4, References 9

Cvelist
added 2019/08/15 9:30 p.m., 26 views

CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on...

9.9 AI score, 0.03306 EPSS
Exploits 0, References 9

Positive Technologies
added 2019/08/12 12:00 a.m., 4 views

PT-2019-13887 · WordPress · Wp-Live-Chat-Support

Name of the Vulnerable Software and Affected Versions: wp-live-chat-support plugin versions prior to 8.0.27 Description: The issue is related to a security problem where an attacker can exploit the GDPR page to execute malicious scripts, potentially leading to unauthorized access or data theft...

6.1 CVSS, 6.2 AI score, 0.01211 EPSS
Exploits 0, References 3

Positive Technologies
added 2019/08/12 12:00 a.m., 4 views

PT-2019-7675 · WordPress · Wp-Live-Chat-Support

Name of the Vulnerable Software and Affected Versions: wp-live-chat-support plugin versions prior to 6.2.02 Description: The issue is related to a security problem where an attacker can execute malicious scripts. Recommendations: For versions prior to 6.2.02, update to version 6.2.02 or later to...

6.1 CVSS, 6.2 AI score, 0.0093 EPSS
Exploits 0, References 3

NVD
added 2019/08/08 2:15 a.m., 16 views

CVE-2019-14769

Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3 doesn't sufficiently filter output when displaying certain block labels created by administrators. An attacker could potentially craft a specialized label, then have an administrator execute scripting when administering a layout. This iss...

6.1 CVSS, 6.1 AI score, 0.00846 EPSS
Exploits 0, References 1

CNVD
added 2019/08/06 12:00 a.m., 0 views

WebStudio Ultimate Loan Manager Cross-Site Scripting Vulnerability

Ultimate Loan Manager is an online management system that allows businesses to easily manage their borrowers, loans, repayments and collections while remaining affordable. WebStudio Ultimate Loan Manager suffers from a cross-site scripting vulnerability that can be exploited by an attacker to...

6.1 CVSS, 5.9 AI score, 0.00978 EPSS
Exploits 5, References 1

CNVD
added 2019/08/05 12:00 a.m., 2 views

cPanel Cross-Site Scripting Vulnerability (CNVD-2019-26358)

cPanel is a set of Web-based automated colocation platforms from the American company cPanel. The platform is primarily used to automate the management of websites and servers. A cross-site scripting vulnerability exists in the WHM listips interface in versions prior to cPanel 68.0.27. The...

6.1 CVSS, 6.3 AI score, 0.00647 EPSS
Exploits 0, References 1

Tenable Nessus
added 2019/08/05 12:00 a.m., 295 views

LibreOffice < 6.2.5 Multiple Vulnerabilities (Windows)

The version of LibreOffice installed on the remote Windows host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities: - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must b...

9.8 CVSS, 7.8 AI score, 0.30698 EPSS
Exploits 5, References 4

Tenable Nessus
added 2019/08/05 12:00 a.m., 46 views

LibreOffice < 6.2.5 Multiple Vulnerabilities (macOS)

The version of LibreOffice installed on the remote macOS host is prior to 6.2.5. It is, therefore, affected by multiple vulnerabilities: - An arbitrary script execution vulnerability exists due to a flaw allowing event-based execution of python scripts within a document. Note, LibreLogo must be...

9.8 CVSS, 7.8 AI score, 0.30698 EPSS
Exploits 5, References 4

Japan Vulnerability Notes
added 2019/07/31 6:29 a.m., 2 views

Central Dogma vulnerable to cross-site scripting

Overview Central Dogma provided by LINE Corporation contains a cross-site scripting vulnerability CWE-79. LINE Corporation reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and LINE Corporation coordinated under the Information Security Early Warning...

6.1 CVSS, 6.1 AI score, 0.0115 EPSS
Exploits 0, References 7

Prion
added 2019/07/17 12:15 p.m., 26 views

Design/Logic Flaw

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrar...

7.5 CVSS, 9.6 AI score, 0.30698 EPSS
Exploits 5, References 10, Affected Software 5

Prion
added 2019/07/14 6:15 p.m., 13 views

Command injection

s/sprm/s/dyn/PlayersetScriptFile in Sahi Pro 8.0.0 allows command execution. It allows one to run ".sah" scripts via Sahi Launcher. Also, one can create a new script with an editor. It is possible to execute commands on the server using the execute function...

7.5 CVSS, 9.6 AI score, 0.14349 EPSS
Exploits 1, References 2, Affected Software 1

NVD
added 2019/07/11 8:15 p.m., 20 views

CVE-2019-12578

A vulnerability in the London Trust Media Private Internet Access PIA VPN Client v82 for Linux could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The openvpnlauncher.64 binary is setuid root. This binary executes /opt/pia/openvpn-64/openvpn, passing the...

7.8 CVSS, 7.7 AI score, 0.00808 EPSS
Exploits 1, References 1

CNVD
added 2019/07/09 12:00 a.m., 2 views

MiniCMS Cross-Site Scripting Vulnerability (CNVD-2019-23979)

MiniCMS is a content management system CMS designed for personal websites. A cross-site scripting vulnerability exists in the mc-admin/post-edit.php file in MiniCMS version 1.10. The vulnerability stems from the lack of proper validation of client-side data by the WEB application. An attacker can...

4.8 CVSS, 6.4 AI score, 0.00622 EPSS
Exploits 1, References 1

OSV
added 2019/07/06 2:15 a.m., 1 views

CVE-2019-1931

Multiple vulnerabilities in the RSS dashboard in the web-based management interface of Cisco Firepower Management Center FMC could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the web-based management interface of an affected device. The...

6.1 CVSS, 6.5 AI score, 0.01057 EPSS
Exploits 0, References 1

Positive Technologies
added 2019/07/03 12:00 a.m., 2 views

PT-2019-2656 · Cisco · Cisco Firepower Management Center

Name of the Vulnerable Software and Affected Versions: Cisco Firepower Management Center affected versions not specified Description: The issue is related to insufficient validation of user-supplied input by the web-based management interface, which could allow an unauthenticated, remote attacker...

6.4 CVSS, 6.4 AI score, 0.01057 EPSS
Exploits 0, References 5

RedHat Linux
added 2019/06/20 2:47 p.m., 1 views

bootstrap: XSS in the affix configuration target property

A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim's Web browser within the security context of the hostin...

6.1 CVSS, 6.8 AI score, 0.03984 EPSS
Exploits 1, References 4

CNVD
added 2019/06/20 12:00 a.m., 3 views

Cisco Prime Service Catalog Input Validation Error Vulnerability

Cisco Prime Service Catalog PSC is a service catalog solution from Cisco that provides all IT services through a single portal. The solution supports automated ordering of a unified service catalog for compute, network, storage, and other data center resources. An input validation error...

4.8 CVSS, 7.8 AI score, 0.00878 EPSS
Exploits 0, References 1

NVD
added 2019/06/19 10:15 p.m., 17 views

CVE-2017-14395

OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS...

6.1 CVSS, 6.4 AI score, 0.00793 EPSS
Exploits 0, References 1

Prion
added 2019/06/19 10:15 p.m., 14 views

Cross site scripting

OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS...

4.3 CVSS, 6.4 AI score, 0.00793 EPSS
Exploits 0, References 1, Affected Software 2