FacturaScripts Cross-Site Scripting Vulnerability (CNVD-2022-76230)
FacturaScripts is an ERP software. A cross-site scripting vulnerability exists in versions prior to FacturaScripts 2022.07, which can be exploited by attackers to execute arbitrary JavaScript code, steal user cookies, execute HTTP requests, obtain "same-origin" page content, etc...
WordPress Stafflist 3.1.2 Cross Site Scripting Vulnerability
Exploit Title: WordPress Plugin stafflist 3.1.2 - Reflected XSS Authenticated Exploit Author: Hassan Khan Yusufzai - Splint3r7 Vendor Homepage: https://wordpress.org/plugins/stafflist/ Version: 3.1.2 Tested on: Firefox Contact me: h at spidersilk.com Summary: A cross site scripting reflected...
Cross site scripting
nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the "Text" parameter in the forums when creating a new post, which allows a remote attacker to execute arbitrary JavaScript code in the client browser...
GitLab 13.5 < 14.2.6 / 14.3 < 14.3.4 / 14.4 < 14.4.1 (CVE-2021-39906)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. CVE-2021-39906 Note that Nessus has not tested...
Royale Event Management System 1.0 Cross Site Scripting
Exploit Title: Royale Event Management System 1.0 - Stored Cross-site Scripting (unauthenticated) Date: 17/03/2022 Exploit Author: Mr Empy Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html Version: 1.0 Tested on: Linux Title:...
Parsedown Class-Name Injection
Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script already running on the affected page executes the contents of any element with a specific class. This occurs because spaces are permitted in code bloc...
One Church Management System 1.0 Cross Site Scripting
Exploit Title: One Church Management System 1.0 - Multiple Cross-site Scripting Date: 17/03/2022 Exploit Author: Mr Empy Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html Version: 1.0 Tested on: Linux Title: ================ One...
GHSA-HHQJ-CFJX-VJ25 Cross site scripting in reveal.js
The onmessage event listener in /plugin/notes/speaker-view.html does not check the origin of postMessage before adding the content to the webpage. The vulnerable code allows any origin to postMessage on the browser window and feeds the attacker's input into parts of the page, through which the attacker can execute...
Cross-site Scripting (XSS) - Generic in librenms/librenms
Description: A Cross-Site Scripting vulnerability in LibreNMS v22.1.0 allows attackers to execute arbitrary JavaScript code; it affects the Alert Transport page of the Alerts module, in the Transport name field. Proof of Concept: Endpoint: POST http://HOST/ajaxform.php - Parameter: name. Payload: ' XSS will...
GHSA-VP4X-94FF-2CMV Cross-site scripting in forkcms
A persistent Cross-site scripting vulnerability in Fork CMS version 5.8.2 allows remote attackers to inject arbitrary JavaScript code via the "navigationtitle" parameter and the "title" parameter in /private/en/pages/add...
Cross-site Scripting (XSS)
getgrav/grav is vulnerable to cross-site scripting (XSS) attacks. Insufficient checks in detectXss allow remote attackers to inject and execute arbitrary JavaScript code in the victim's browser...
Halo cross-site scripting vulnerability (CNVD-2022-08379)
Halo is a personal blogging system for individual developers. Halo suffers from a cross-site scripting vulnerability: versions v1.0.0 through v1.4.17 (latest) are susceptible to stored cross-site scripting (XSS) in the title of a post, which can be exploited by an attacker to...
CVE-2022-22125 Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Tag
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article tag. An authenticated admin attacker can inject arbitrary JavaScript code that will execute on a victim's server...
CVE-2022-22123 Halo CMS - Stored Cross-Site Scripting (XSS) in Article's Title
In Halo, versions v1.0.0 to v1.4.17 (latest) are vulnerable to Stored Cross-Site Scripting (XSS) in the article title. An authenticated attacker can inject arbitrary JavaScript code that will execute on a victim's server...
CVE-2021-44649
Django CMS 3.7.3 does not validate the plugintype parameter while generating error messages for an invalid plugin type, resulting in a Cross Site Scripting (XSS) vulnerability. The vulnerability allows an attacker to execute arbitrary JavaScript code in the web browser of the affected user...
Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton
Description: The Shared notes panel is vulnerable to XSS when rendering a new note, due to missing username sanitization. Proof of Concept: 1. Start a new web conference and share the link with other people. 2. A malicious user joins the conference with the following username: 3. As soon as the...
Cross site scripting
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services (versions 10.8.1 and 10.9 only) may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which, when accessed, could potentially execute arbitrary...