Stored Cross-Site Scripting (XSS)
silverstripe/framework is vulnerable to cross-site scripting (XSS) attacks. The library does not properly sanitize user input supplied through links and iframes, allowing a remote authenticated attacker to inject and execute malicious JavaScript via XMLHttpRequest (XHR)...
GHSA-RPPC-655V-7J3C Stored XSS in link tags added via XHR in SilverStripe Framework
SilverStripe Framework 4.x prior to 4.10.9 is vulnerable to cross-site scripting inside the href attribute of an HTML hyperlink, which can be added to website content via XMLHttpRequest (XHR) by an authenticated CMS user...
CVE-2022-28803
In SilverStripe Framework through 2022-04-07, Stored XSS can occur in javascript: link tags added via XMLHttpRequest (XHR)...
CVE-2022-28803
CVE-2022-28803 concerns the SilverStripe Framework (through 2022-04-07), where a Stored XSS vulnerability can occur in javascript: link tags added via XMLHttpRequest (XHR). The issue is triggered by content added to the page that includes a javascript: link tag, enabling script execution in the con...
Import CSV Files <= 1.0 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape imported data before outputting it back in a page, and also lacks a CSRF check when performing that action, resulting in a Reflected Cross-Site Scripting. history.pushState'', '', '/' function submitRequest var xhr = new XMLHttpRequest;...
Marval MSM 14.19.0.12476 Remote Code Execution
Exploit Title: Marval MSM v14.19.0.12476 - Remote Code Execution (RCE) (Authenticated) Date: 27/5/2022 Exploit Author: Momen Eldawakhly (Cyber Guy) Vendor Homepage: https://www.marvalnorthamerica.com/ Software Link: https://www.marvalnorthamerica.com/ Version: v14.19.0.12476 Tested on: Windows Detailed...
Fast Food Ordering System 1.0 Cross Site Scripting
Title: Fast Food Ordering System 1.0 Stored Cross-Site Scripting Author: Ashish Kumar Date: 05.31.2022 Vendor: https://www.sourcecodester.com/users/tips23 Software: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html Reference:...
PhantomJS Arbitrary File Read
PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as demonstrated by an XMLHttpRequest for a file:// URI. The vulnerability exists in the page.open function of the webpage module, which loads a specified URL and calls a given callback. An attacker can supply a specially crafted HT...
Access to XMLHTTPRequest at <URL> from origin <URL> has been blocked by CORS policy
When navigating to the load-balanced VIP, 'Cannot Complete Your Request' is seen. The .HAR file will show "Access to XMLHTTPRequest at <URL> from origin <URL> has been blocked by CORS policy"...
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting
The plugin does not have a CSRF check when importing files, allowing an attacker to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues. function submitRequest var xhr = new XMLHttpRequest...
Mageia: Security Advisory (MGASA-2021-0554)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...
Online Project Time Management System 1.0 - SQLi (Authenticated)
Exploit Title: Online Project Time Management System 1.0 - SQLi (Authenticated) Date: 19/01/2022 Exploit Author: Felipe Alcantara (Filiplain) Vendor Homepage: https://www.sourcecodester.com/ Software Link:...
Simple Chatbot Application 1.0 - 'message' Blind SQLi
Exploit Title: Simple Chatbot Application 1.0 - 'message' Blind SQLi Date: 18/01/2022 Exploit Author: Saud Alenazi Vendor Homepage: https://www.sourcecodester.com/ Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html Version: 1.0 Tested on:...
SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated)
Exploit Title: SalonERP 3.0.1 - 'sql' SQL Injection (Authenticated) Exploit Author: Betul Denizler Vendor Homepage: https://salonerp.sourceforge.io/ Software Link: https://sourceforge.net/projects/salonerp/files/latest/download Version: SalonERP v3.0.1 Tested on: Ubuntu Mate 20.04 Vulnerable...
CentOS: Security Advisory for firefox (CESA-2021:5014)
The remote host is missing an update for the ... Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...