CVE-2024-52300 macro-pdfviewer has a XSS through the width parameter
macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. The width parameter of the PDF viewer macro isn't properly escaped, allowing XSS for any user who can edit a page. XSS can impact the confidentiality, integrity and availability of the whole XWiki installation when an admin...
CVE-2024-52300
The CVE-2024-52300 issue affects the XWiki macro-pdfviewer (PDF Viewer Macro), which uses Mozilla pdf.js. The width parameter is not properly escaped, enabling cross-site scripting (XSS) for any user who can edit a page; the XSS can impact the confidentiality, integrity, and availability of the entire ...
CVE-2024-11130 ZZCMS msg.php cross site scripting
A vulnerability was found in ZZCMS up to 2023. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/msg.php. The manipulation of the argument keyword leads to cross site scripting. The attack may be launched remotely. The exploit has been...
CVE-2024-51747
Kanboard (Kanban project management software) contains a vulnerability where an authenticated admin can abuse the path field in the project_has_files SQLite DB to upload a modified sqlite.db, enabling path traversal to reference arbitrary files. When a project page is accessed after the modified ...
GHSA-VPQ5-56JJ-VF2M Moodle admin presets export tool includes some secrets that should not be exported
A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally being leaked if the presets are shared with a third party...
CVE-2024-50966
dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/doAdminAction.php?act=addAdmin...
CVE-2024-10027 WP Booking Calendar < 10.6.3 - Admin+ Stored XSS
The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setu...
CVE-2024-9934
Summary: CVE-2024-9934 affects the WordPress plugin Wp-ImageZoom ≤ 1.1.0. The issue is a Reflected Cross-Site Scripting caused by not sanitising/escaping certain parameters before echoing them in a page, potentially exploitable against high-privilege users (e.g., admin). Root cause: insufficient ...
CVE-2024-9934 Wp-ImageZoom <= 1.1.0 - Reflected XSS
The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2023-29119 Unauthorized SQLite Injection
Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/dbstore.php...
CVE-2024-9883 Pods < 3.2.7.1 - Admin+ Stored XSS
The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-51380
A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the...
GO-2024-3240 Grafana org admin can delete pending invites in different org in github.com/grafana/grafana
Grafana org admin can delete pending invites in different org in github.com/grafana/grafana...
CVE-2024-37440
Missing Authorization vulnerability in Andy Moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Church Admin: from n/a through 4.4.4...
CVE-2024-51065
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the username parameter...