11 matches found
CVE-2025-50862
The Lotus Cars Android app com.lotus.carsdomestic.intl 1.2.8 has allowBackup=true set in its manifest, allowing data exfiltration via ADB backup on rooted or debug-enabled devices. This presents a risk of user data exposure...
CVE-2024-50576
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest...
The vulnerability of the App Manifest component of the JetBrains YouTrack software environment allows a hacker to perform cross-site scripting attacks.
The vulnerability of the App Manifest component in the JetBrains YouTrack project management and task management software is related to the lack of protective measures for the website structure. Exploiting this vulnerability allows attackers to perform cross-site scripting attacks...
CVE-2024-50576
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest...
CVE-2024-50576
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest...
CVE-2024-50576
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest...
CVE-2024-50576
JetBrains YouTrack is affected: prior to 2024.3.47707, a stored cross-site scripting (XSS) vulnerability could be triggered via the vendor URL in the App manifest. Exploitation details beyond the description are not provided in the connected documents. Remediation would be upgrading to 2024.3.477...
CVE-2024-50576
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest...
(Pwn2Own) Microsoft Teams Cross-Site Scripting Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Teams. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of...
CVE-2023-33293
An issue was discovered in KaiOS 3.0 and 3.1. The binary /system/kaios/api-daemon exposes a local web server on .localhost with subdomains for each installed applications, e.g., myapp.localhost. An attacker can make fetch requests to api-deamon to determine if a given app is installed and read th...
UBUNTU-CVE-2018-6083
Failure to disallow PWA installation from CSP sandboxed pages in AppManifest in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to access privileged APIs via a crafted HTML page...