406 matches found
CVE-2025-49520 Event-driven-ansible: authenticated argument injection in git url in eda project creation
A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift...
TencentOS Server 3: python3 (TSSA-2022:0217)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0217 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...
Incomplete Filtering of Special Elements
Overview org.webjars.npm:angular-sanitize is an AngularJS module for sanitizing HTML Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements through the ngSanitize module. An attacker can manipulate image sources and perform content spoofing by injecting...
CVE-2025-30087
Best Practical RT Request Tracker 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL...
CVE-2025-30087
Best Practical RT Request Tracker 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL...
CVE-2025-48377
DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 9.13.9, a specially crafted URL may be constructed which can inject an XSS payload that is triggered by using some module actions. Version 9.13.9 fixes the issue...
CVE-2024-27561
A Server-Side Request Forgery SSRF in the installUpdateThemePluginAction function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the installThemePlugin parameter...
CVE-2024-27563
A Server-Side Request Forgery SSRF in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter...
CVE-2023-35161
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as:...
CVE-2023-34203
In Progress OpenEdge OEM OpenEdge Management and OEE OpenEdge Explorer before 12.7, a remote user who has any OEM or OEE role could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and...
CVE-2022-4771
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables...
CVE-2022-24342
In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF was possible...
CVE-2022-41204
An attacker can change the content of an SAP Commerce - versions 1905, 2005, 2105, 2011, 2205, login page through a manipulated URL. They can inject code that allows them to redirect submissions from the affected login form to their own server. This allows them to steal credentials and hijack...
CVE-2021-36668
URL injection in Driva inSync 6.9.0 for MacOS, allows attackers to force a visit to an arbitrary url via the port parameter to the Electron App...
CVE-2020-27627
JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection...
CVE-2020-26884
RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulnerability. An unauthenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user into executing malicious JavaScript code in the context of the web application...
CVE-2010-2325
Cross-site scripting XSS vulnerability in the administrative console in IBM WebSphere Application Server WAS 7.0 before 7.0.0.11 on z/OS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."...
CVE-2010-4220
Cross-site scripting XSS vulnerability in the Integrated Solution Console in the Administrative Console component in IBM WebSphere Application Server WAS 7.0 before 7.0.0.13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related in part to "URL injection."...
CVE-2025-24909
Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-79 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and...
CVE-2025-0757
Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-79 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x...