CVE-2026-43938 YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5 and 3.2.12, the application's database logger YAFNET.Core/Logger/DbLogger.cs captures the incoming request's User-Agent header into a JObject, serializes it with JsonConvert, and stores the result in the EventLog.Description column...
CVE-2026-43938
Summary (supported): CVE-2026-43938 affects YetAnotherForum.NET (YAF.NET) prior to 4.0.5 and 3.2.12. The database logger captures the request’s User-Agent into a JSON object and stores it in EventLog.Description. When an admin views the EventLog, the code deserializes that JSON and interpolates t...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the User-Agent header being logged and later rendered in the admin event log interface without proper output encoding. An attacker can execute arbitrary JavaScript in an administrator's browser by submitting...
GHSA-33GV-FC78-QGF5 YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
Description: Stored second-order Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitly trust...
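The two-stage flow the YAF.NET advisory and the GHSA description above lay out (unauthenticated request logged as JSON, later deserialized and interpolated into an admin page) is easy to misjudge because JSON serialization looks like encoding but does nothing for an HTML context. The following is an added illustration of that pattern in Python, not code from YAF.NET or from any of the advisories listed here; the function names, the `UserAgent`/`Url` keys and the sample User-Agent string are all constructed for the example.

```python
import html
import json

# Constructed sample request header carrying an HTML payload (not a real capture).
ATTACKER_UA = "<img src=x onerror=alert(document.cookie)>"


def log_request(user_agent: str, url: str = "/forum/") -> str:
    """Stage 1, reachable unauthenticated: wrap request details in a JSON
    object and return the serialized string a logger would persist.
    Note that JSON only escapes quotes, backslashes and control characters;
    '<' and '>' survive untouched, so the payload is stored intact."""
    details = {"UserAgent": user_agent, "Url": url}
    return json.dumps(details)


def stored_user_agent(description: str) -> str:
    """Deserialize the stored JSON the way an admin view would."""
    return json.loads(description)["UserAgent"]


def render_admin_row_vulnerable(description: str) -> str:
    """Stage 2, admin context: interpolate the deserialized value straight
    into HTML. The JSON round-trip gave a false sense of safety."""
    return f"<td>{stored_user_agent(description)}</td>"


def render_admin_row_hardened(description: str) -> str:
    """Same view with contextual output encoding applied at the sink.
    html.escape(quote=True) also handles '"' and "'" for attribute contexts."""
    return f"<td>{html.escape(stored_user_agent(description), quote=True)}</td>"


def suspicious_rows(descriptions: list[str]) -> list[int]:
    """Triage helper for an existing event log: indexes of rows whose stored
    User-Agent contains markup characters. A real User-Agent never needs them."""
    return [
        i
        for i, d in enumerate(descriptions)
        if any(c in stored_user_agent(d) for c in "<>\"'")
    ]


if __name__ == "__main__":
    row = log_request(ATTACKER_UA)
    print("stored  :", row)
    print("unsafe  :", render_admin_row_vulnerable(row))
    print("encoded :", render_admin_row_hardened(row))
    print("flagged :", suspicious_rows([log_request("Mozilla/5.0"), row]))
```

The fix belongs at the rendering sink (encode for the HTML context where the value is emitted), not at the logger: sanitizing at input time would silently corrupt forensic data, and the same stored value may later be emitted into a different context (attribute, JavaScript, CSV export) that needs a different encoding.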
CVE-2025-14029
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxadmineventapproval function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via t...
PT-2026-3348
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax admin event approval function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events vi...
CVE-2025-6670
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation...
CVE-2023-48653
Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential...
CVE-2021-24510
The MF Gig Calendar WordPress plugin before 1.2 does not sanitise and escape the id GET parameter before outputting back in the admin dashboard when editing an Event, leading to a reflected Cross-Site Scripting issue...
Muslim Matrimonial Script Cross-Site Scripting Vulnerability (CNVD-2018-01242)
Muslim Matrimonial Script is a community matrimonial script for matrimonial websites by PHP Scripts Mall. A cross-site scripting vulnerability exists in PHP Scripts Mall Muslim Matrimonial Script. The vulnerability can be exploited to conduct cross-site scripting attacks via the admin/eventedit.p...
Muslim Matrimonial Script Cross-Site Scripting Vulnerability (CNVD-2018-01239)
Muslim Matrimonial Script is a community matrimonial script for matrimonial websites by PHP Scripts Mall. A cross-site scripting vulnerability exists in PHP Scripts Mall Muslim Matrimonial Script. The vulnerability can be exploited to conduct cross-site scripting attacks via the admin/eventadd.ph...
CVE-2017-17984
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/eventedit.php editid parameter...
CVE-2017-17988
PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/eventadd.php eventtitle parameter...
Wing FTP Server Admin /admin_event_list.html type Cross Site Scripting Vulnerability
Wing FTP Server is a professional cross-platform FTP server with good speed, reliability and a friendly configuration interface. The handling of the type parameter in the Wing FTP Server admin page /admin_event_list.html has a cross-site scripting vulnerability that allows remote attackers to exploit the vulnerabilit...