CVE-2021-1873
An API issue in Accessibility TCC permissions was addressed with improved state management. This issue is fixed in macOS Big Sur 11.3, Security Update 2021-002 Catalina, Security Update 2021-003 Mojave. A malicious application may be able to unexpectedly leak a user's credentials from secure text...
Cross site scripting
Multiple stored cross-site scripting (XSS) vulnerabilities in the "Update Profile" module of Online Doctor Appointment System 1.0 allow authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads in the First Name, Last Name, and Address text fields...
House Rental and Property Listing Cross-Site Scripting Vulnerability
House Rental and Property Listing is a system developed in PHP, JavaScript, Bootstrap, CSS and MySQL database. It allows users to easily find the right house or property for rent. A cross-site scripting vulnerability in House Rental and Property Listing 1.0 allows an authenticated attacker to...
Improper validation of URLs ('Cross-site Scripting') in Wagtail rich text fields
Impact When saving the contents of a rich text field in the admin interface, Wagtail does not apply server-side checks to ensure that link URLs use a valid protocol. A malicious user with access to the admin interface could thus craft a POST request to publish content with javascript: URLs...
GHSA-4HJQ-422Q-4VPX Mautic vulnerable to secret data exfiltration via symfony parameters
Impact Symfony parameters, which is what Mautic transforms configuration parameters into, can be used within other Symfony parameters by design. However, this also means that an admin who is normally not privy to certain parameters, such as database credentials, could expose them by leveraging any ...
Cross site scripting
The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields such as Email Subject, Email Recipient, etc when creating or editing a form, leading to an authenticated author+ stored cross-site scripting issue. This could allow medium privilege accounts such a...
Information Disclosure
mautic/core is vulnerable to information disclosure. The vulnerability exists due to configurations allowing other Symfony parameters to be exposed publicly in the free text fields...
Mautic Injection Vulnerability
Mautic is an open source marketing automation software. The software monitors and manages websites, sends emails, and manages customer resources. Mautic 3.3.2 suffers from an injection vulnerability that allows an authorized administrator user to expose confidential parameters by leveraging Symfo...
Foxit Reader Javascript Field fileSelect Use After Free Vulnerability
Summary A use after free vulnerability exists in the JavaScript engine of Foxit Software’s Foxit PDF Reader, version 10.1.0.37527. A specially crafted PDF document can trigger reuse of previously freed memory, which can lead to arbitrary code execution. An attacker needs to trick the user to open t...
WordPress BuddyPress plugin <= 6.3.0 - Excessive user capabilities in possible rich text fields vulnerability
Excessive user capabilities in possible rich text fields vulnerability found in WordPress BuddyPress plugin versions <= 6.3.0. Solution: Update the WordPress BuddyPress plugin to the latest available version, at least 6.4.0 - Maintenance and Security Release...
CVE-2020-23983
Michael-design iChat Realtime PHP Live Support System 1.6 has persistent Cross-site Scripting via chat text-field tags...
CVE-2020-11010
In Tortoise ORM before versions 0.15.23 and 0.16.6, various forms of SQL injection have been found for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL are only affected when filtering with contains, startswith, or endswith filters and their case-insensitive...
SQL injection in Tortoise ORM
Impact Various forms of SQL injection have been found, for MySQL and when filtering or doing mass-updates on char/text fields. SQLite & PostgreSQL were only affected when filtering with contains, startswith or endswith filters and their case-insensitive counterparts. Patches: Please upgrade to 0.15.2...
CVE-2020-8846
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.6.0.25114. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...
Existing Values Autocomplete Widget - Critical - Access bypass - SA-CONTRIB-2019-060
This module provides an autocomplete widget for text fields that suggests all existing previously entered values for that field. The module doesn't sufficiently check for proper access permission before returning autocomplete results. This vulnerability is mitigated by the fact that an attacker...
CVE-2018-17866
Multiple cross-site scripting (XSS) vulnerabilities in includes/core/um-actions-login.php in the "Ultimate Member - User Profile & Membership" plugin before 2.0.28 for WordPress allow remote attackers to inject arbitrary web script or HTML via the "Primary button Text" or "Second button text" field...
WordPress Techotronic all-in-one-favicon plugin cross-site scripting vulnerability
WordPress is the WordPress Software Foundation's suite of blogging platforms developed using the PHP language, which supports personal blog sites on servers running PHP and MySQL. Techotronic all-in-one-favicon, aka All In One Favicon, is one of the plugins used to add favicon tags to a website. A...
CVE-2017-7113
An issue was discovered in certain Apple products. iOS before 11.1 is affected. The issue involves the "UIKit" component. It allows attackers to bypass intended read restrictions for secure text fields via vectors involving a focus-change event...
dolibarr HTML Injection
Title: HTML Injection in dolibarr Author: Sergio Galán - @NaxoneZ Date: Dec 24, 2015 Vendor Homepage: http://www.dolibarr.es/ Vulnerable version: More Info ======= https://github.com/Dolibarr/dolibarr/issues/4291 Fixed =======...