721 matches found
CVE-2021-23358 Arbitrary Code Injection
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized...
OpenEMR 5.0.2 < 6.0.0.1 Multiple XSS Vulnerabilities
OpenEMR is prone to multiple cross-site scripting (XSS) vulnerabilities. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE =...
OpenEMR Cross-Site Scripting Vulnerability (CNVD-2021-22942)
OpenEMR is a medical practice management software that also supports electronic medical records (EMR). A stored cross-site scripting vulnerability exists in OpenEMR versions 5.0.2 - 6.0.0. The vulnerability stems from not properly validating user input. An attacker can exploit the vulnerability to...
CVE-2021-25917
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site Scripting (XSS) due to user input not being validated properly and rendered in the U2F (USB Device) authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user...
Integer overflow
An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability...
CVE-2020-28502
An arbitrary code injection vulnerability was found in nodejs-xmlhttprequest. For this vulnerability to occur, the connection must be initialized during the function call XMLHttpRequest.open to send requests synchronously using the parameter async=False. If the subsequent calls to xhr.send...
CVE-2020-28502
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.send could result in arbitrary code being injected and run...
CVE-2020-28502
The CVE-2020-28502 issue affects the Node.js packages xmlhttprequest (pre-1.7.0) and xmlhttprequest-ssl (any version). Root cause: inputs sent via xhr.send when requests are synchronous (async=false) can be manipulated to inject and execute arbitrary code, due to how data flows into xhr.send. Pub...
Arbitrary Code Injection
Overview xmlhttprequest is a wrapper for the built-in http client to emulate the browser XMLHttpRequest object. Affected versions of this package are vulnerable to Arbitrary Code Injection. Provided requests are sent synchronously async=False on xhr.open, malicious user input flowing into xhr.sen...
PT-2021-7457
Name of the Vulnerable Software and Affected Versions: underscore versions 1.3.2 through 1.12.1; underscore versions 1.13.0-0 through 1.13.0-2. Description: The issue is related to the template function in the underscore library, which is used for working with arrays in JavaScript. It is caused by...
Cross site scripting
Stored cross-site scripting (XSS) in a form field in the robust.systems product Custom Global Variables v1.0.5 allows a remote attacker to inject arbitrary code via the vars0name field...
Cross site scripting
Reflected cross-site scripting vulnerability (XSS) in the evoadm.php file in b2evolution cms version 6.11.6-stable allows remote attackers to inject arbitrary webscript or HTML code via the tab3 parameter...
BDTASK Multi-Store Inventory Management System Cross-Site Scripting Vulnerability
BDTASK Multi-Store Inventory Management System is a multi-store inventory management system from BDTASK (Bangladesh). A security vulnerability exists in BDTASK Multi-Store Inventory Management System version 1.0, which originates from a customer name field that fails to properly filter special...
CVE-2021-20357
CVE-2021-20357 affects IBM Jazz Foundation products with a cross-site scripting vulnerability in the Web UI that could allow an attacker to embed arbitrary JavaScript and, in a trusted session, potentially disclose credentials. Connected sources corroborate a Web UI XSS across multiple IBM Jazz/F...
Cross site scripting
Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field...
CVE-2020-35582
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter...
CVE-2020-35581
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the metatitle parameter...
Arbitrary Code Injection Over HTTP Traffic (CVE-2020-21176; CVE-2020-25042; CVE-2020-26248; CVE-2020-26712; CVE-2020-28994; CVE-2020-29284; CVE-2020-6308; CVE-2021-25912)
Arbitrary Code Injections Over HTTP Traffic...