
6727 matches found

NVD | added 2018/06/11 9:29 p.m. | 16 views

CVE-2018-5175

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

CVSS 6.1 | AI score 5.2 | EPSS 0.01454
Exploits: 0 | References: 5

Prion | added 2018/06/11 9:29 p.m. | 15 views

Design/Logic Flaw

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This...

CVSS 4.3 | AI score 6.9 | EPSS 0.01541
Exploits: 0 | References: 6 | Affected Software: 2

CVE | added 2018/06/11 9:00 p.m. | 134 views

CVE-2018-5133

CVE-2018-5133 affects Firefox before 59, where a malicious local program can set the app.support.baseURL preference to HTML/script, which is not sanitized and can execute when loading chrome://browser/content/preferences/in-content/preferences.xul or when an EME CDM-disabled notification is shown...

CVSS 6.5 | AI score 6.7 | EPSS 0.01541
Exploits: 0 | References: 6 | Affected Software: 1

Cvelist | added 2018/06/11 9:00 p.m. | 27 views

CVE-2018-5175

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

AI score 5.7 | EPSS 0.01454
Exploits: 0 | References: 5

CNVD | added 2018/06/11 12:00 a.m. | 1 view

Netis-WF2419 HTML Injection Vulnerability

Netis-WF2419 is a router product. The Netis-WF2419 suffers from an HTML injection vulnerability that stems from a program not properly validating user-supplied input. An attacker could use this vulnerability to run HTML and script code in the context of an affected website to steal cookie-based...

AI score 7.5
Exploits: 0 | References: 1

Prion | added 2018/06/07 9:29 p.m. | 17 views

Cross site scripting

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters...

CVSS 4.3 | AI score 6 | EPSS 0.01783
Exploits: 0 | References: 3 | Affected Software: 1

CNVD | added 2018/06/06 12:00 a.m. | 3 views

Mozilla Firefox Security Bypass Vulnerability (CNVD-2018-11922)

Mozilla Firefox is an open source web browser developed by the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox versions prior to 60. A remote attacker could exploit the vulnerability to bypass content security policy protections used to restrict script...

CVSS 6.1 | AI score 7.4 | EPSS 0.01454
Exploits: 0 | References: 1

CNVD | added 2018/06/05 12:00 a.m. | 3 views

Mozilla Firefox Design Vulnerability

Mozilla Firefox is an open source web browser developed by the Mozilla Foundation in the United States. A security vulnerability exists in the Live Bookmark page and PDF reader in versions of Mozilla Firefox prior to 60. A remote attacker can exploit this vulnerability by performing a social...

CVSS 4.3 | AI score 8.9 | EPSS 0.01623
Exploits: 0 | References: 1

Prion | added 2018/06/04 7:29 p.m. | 12 views

Design/Logic Flaw

Restify is a framework for building REST APIs. Restify >=2.0.0 <=4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...

CVSS 4.3 | AI score 6.2 | EPSS 0.00966
Exploits: 1 | References: 2 | Affected Software: 1

CVE | added 2018/06/04 7:00 p.m. | 52 views

CVE-2017-16018

Restify vulnerability CVE-2017-16018 affects the restify framework (versions 2.0.0 through 4.0.4). The issue is a Cross‑Site Scripting (XSS) vulnerability that occurs when URL encoded script tags are used in a non-existent URL, allowing an attacker to run script in some browsers. The practical im...

CVSS 6.1 | AI score 6.1 | EPSS 0.00966
Exploits: 1 | References: 2 | Affected Software: 1

OSV | added 2018/06/01 5:29 p.m. | 1 view

CVE-2018-11552

There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON-Auto-Dialer-Agents-Name" field. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable applicati...

CVSS 6.1 | AI score 6 | EPSS 0.28628
Exploits: 2 | References: 1

CNVD | added 2018/05/29 12:00 a.m. | 1 view

Trihedral Engineering Limited VTScada ICSA-17-304-0 has multiple vulnerabilities

Trihedral VTScada (formerly known as VTS) is a SCADA system from Trihedral Engineering, Canada, based on a Windows platform with a Web interface option. Trihedral Engineering Limited VTScada has multiple vulnerabilities. An attacker could execute arbitrary script code in the affected application or...

AI score 7.6
Exploits: 0 | References: 1

CNVD | added 2018/05/29 12:00 a.m. | 1 view

Unspecified Cross-Site Scripting Vulnerability in SAP SAPUI5

SAP SAPUI5 is a UI technology that provides everything you need to build enterprise-class Web applications. SAP SAPUI5 suffers from an unspecified cross-site scripting vulnerability that stems from the program not properly validating user-supplied input. A remote attacker could use this...

AI score 6.8
Exploits: 0 | References: 1

Japan Vulnerability Notes | added 2018/05/28 5:11 a.m. | 3 views

WordPress plugin "Site Reviews" vulnerable to cross-site scripting

Overview: The WordPress plugin "Site Reviews" provided by Gemini Labs contains a stored cross-site scripting vulnerability (CWE-79). Keita Uchida of TDU Cryptography Lab reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership...

CVSS 6.1 | AI score 5.8 | EPSS 0.01309
Exploits: 0 | References: 5

Japan Vulnerability Notes | added 2018/05/28 5:11 a.m. | 3 views

WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting

Overview: The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability (CWE-79). Chris Liu reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact: A...

CVSS 6.1 | AI score 5.9 | EPSS 0.01224
Exploits: 0 | References: 5

Japan Vulnerability Notes | added 2018/05/28 12:00 a.m. | 37 views

JVN#16471686: WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting

The WordPress plugin "Email Subscribers & Newsletters" provided by Icegram contains a reflected cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on a logged in user's web browser. Solution: Update the plugin. Update the plugin according to the information provid...

CVSS 6.1 | AI score 6 | EPSS 0.01224
Exploits: 0

CNVD | added 2018/05/24 12:00 a.m. | 3 views

Multiple Vulnerabilities in Jenkins Global Build Stats Plugin

Jenkins is an open source automation server. Jenkins provides a number of plug-ins that support building, deploying and automating projects. Global Build Stats is one of the plug-ins, used to collect and display global build results statistics. The Jenkins Global Build Stats plugin has multip...

AI score 7.8
Exploits: 0 | References: 1

CNVD | added 2018/05/23 12:00 a.m. | 5 views

Multiple Cross-Site Scripting Vulnerabilities in Joomla! Core

Joomla! is an open source content management system (CMS). The system provides RSS feeds, site search and other features. Joomla! Core is the Joomla! core. Multiple cross-site scripting vulnerabilities exist in Joomla! Core versions prior to 3.8.8, which stem from the program failing to properly...

CVSS 4.8 | AI score 7.3 | EPSS 0.0105
Exploits: 0 | References: 1

exploitpack | added 2018/05/22 12:00 a.m. | 15 views

WebSocket Live Chat - Cross-Site Scripting

Exploit Title: WebSocket Live Chat - Cross-Site Scripting
Date: 2018-05-22
Exploit Author: Alireza Norkazemi
Vendor Homepage: https://codecanyon.net/item/websocket-live-chat-instant-messaging-php/16545798?srank=1
POC: 1 Create your account and click...

AI score 6.8
Exploits: 0

CNVD | added 2018/05/21 12:00 a.m. | 2 views

HPE UCMDB Configuration Manager Software Cross-Site Scripting Vulnerability

HPE UCMDB (full name Universal CMDB) is a set of resource management solutions from Hewlett Packard Enterprise (HPE) of the United States. The solution covers, from the bottom up, IT infrastructure auto-discovery, data modeling, service mapping definition and service impact analysis, etc...

CVSS 6.1 | AI score 6.8 | EPSS 0.00913
Exploits: 0 | References: 1