CVE-2010-3260
oxf/xml/xerces/XercesSAXParserFactoryImpl.java in the xforms-server component in the XForms service in Orbeon Forms before 3.9 does not properly restrict DTDs in Ajax requests, which allows remote attackers to read arbitrary files or send HTTP requests to intranet servers via an entity declaratio...
Exploit for CVE-2025-32259
WP ULike ≤ 4.7.9.1 - Unauthenticated Content Spoof CVE-2025-3...
Exploit for CVE-2024-10673
🔥 Overview This script exploits CVE-2024-10673, a critica...
CVE-2024-33471
An issue in the Sensor Settings of AVTECH Room Alert 4E v4.4.0 allows attackers to gain access to SMTP credentials in plaintext via a crafted AJAX request. NOTE: This vulnerability only affects products that are no longer supported by the maintainer...
DEBIAN-CVE-2024-32493
An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request...
UBUNTU-CVE-2024-32493
An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request...
WordPress Plugin Slider Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which supports personal blog sites on PHP and MySQL servers. WordPress plugin is an...
WordPress Plugin Themeflection Numbers Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPres...
Cross-Site Scripting (XSS)
github.com/mattermost/mattermost-server is vulnerable to Cross-Site Scripting (XSS) attacks. An attacker is able to send AJAX requests on behalf of the victim through OAuth flow completion endpoints via sharing a crafted link with a malicious state parameter...
CVE-2023-1421
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...
Cross site scripting
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...
CVE-2023-1421 Reflected XSS in OAuth flow completion endpoints
A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter...
SUSE CVE-2017-6929
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...
Authorization
The Discy WordPress theme before 5.0 lacks authorization checks when processing AJAX requests to the discyupdateoptions action, allowing any logged-in user with privileges as low as Subscriber to change theme options by sending a crafted POST request...
Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks when processing AJAX requests to the discyupdateoptions action, allowing any logged-in user with privileges as low as Subscriber to change the theme options by sending a crafted POST request. PoC: POST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type:...
GHSA-5VPR-V24W-MMJJ Drupal cross site scripting vulnerability
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...
Drupal cross site scripting vulnerability
A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit. For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 in the Drupal...
Improper Input Validation in Jenkins
The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets supports form validation, e.g. for API keys. The form validation AJAX requests were sent via GET, which could result in secrets being logged to an HTTP access log in non-default configurations o...
Mattermost: Reflected XSS in OAuth complete endpoints
Reflected XSS vulnerabilities were discovered in several OAuth complete endpoints in Mattermost. These endpoints failed to sanitize the "redirectto" field in the "state" query parameter, allowing an attacker to execute malicious JavaScript code in the context of the user's browser. This could lea...
WP Dependency Installer < 4.3.1 - Subscriber+ Arbitrary Plugin Activation
The wp-dependency-installer library, used in the plugins, does not have authorisation and CSRF checks in its dependencyinstaller AJAX action with the activate method, allowing any authenticated user, such as a subscriber, to activate arbitrary plugins installed on the blog. Furthermore, despite havin...