CVE-2024-9101

A reflected cross-site scripting XSS vulnerability in the 'Entry Chooser' of phpLDAPadmin version 1.2.1 through the latest version, 1.2.6.7 allows attackers to execute arbitrary JavaScript in the user's browser via the 'element' parameter, which is unsafely passed to the JavaScript 'eval' functio...

Cross Site Scripting

SimpleXLSX is vulnerable to Cross Site Scripting. The vulnerability is due to insufficient input validation and sanitization in the toHTMLEx method, allowing the execution of arbitrary JavaScript code when processing Excel XLSx files...

CVE-2024-53274 GHSL-2024-111: Reflected XSS in /home in habitica

Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The register function in home.vue containsa reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious redirectTo parameter...

MyBB Cross-Site Scripting Vulnerability (CNVD-2024-46255)

MyBB is a free and open source forum software, written in PHP, supporting MySQL, MariaDB, PostgreSQL and SQLite databases. A cross-site scripting vulnerability exists in MyBB. The vulnerability is related to the component installindex.php, which does not adequately clean up the websitename...

Zimbra Collaboration Server 10.0 < 10.0.9, 10.1.0 < 10.1.1 XSS

An issue was discovered in Zimbra Collaboration ZCS through 10.1. A reflected Cross-Site Scripting XSS issue exists through the Briefcase module due to improper sanitization of file content by the OnlyOffice formatter. This occurs when the victim opens a crafted URL pointing to a shared folder...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

CVE-2024-49579

JetBrains YouTrack prior to 2024.3.47197 is affected by CVE-2024-49579 due to insufficient validation of the iframe plugin communication channel, allowing arbitrary JavaScript execution and unauthorized API requests. The issue stems from the iframe plugin; attacker-controlled payloads could be ex...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

Mozilla Thunderbird < 131.0

The version of Thunderbird installed on the remote Windows host is prior to 131.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2024-50 advisory. - An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the...

Mozilla Firefox < 131.0

The version of Firefox installed on the remote Windows host is prior to 131.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2024-46 advisory. - An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the...

CVE-2024-6533

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with...

Zimbra Collaboration Server 安全漏洞

Zimbra Collaboration Server ZCS is an email and collaboration solution from Zimbra. The solution provides email, contacts, calendar, file sharing, social networking, and other features. A security vulnerability exists in Zimbra Collaboration Server versions 9.0 and 10.0, which stems from the...

PT-2024-5686 · Netcat · Netcat Netshop Cms

Name of the Vulnerable Software and Affected Versions: Netcat Netshop CMS affected versions not specified Description: The issue is related to the promotion discount parameter in the Netcat Netshop CMS system, which is vulnerable to cross-site request forgery. This could allow a remote attacker t...

CVE-2024-35234

Discourse is an open-source discussion platform. Prior to version 3.2.3 on the stable branch and version 3.3.0.beta3 on the tests-passed branch, an attacker can execute arbitrary JavaScript on users’ browsers by posting a specific URL containing maliciously crafted meta tags. This issue only...

Cross-site Scripting in ZenUML

Summary Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting XSS. Details The comment feature allows the user to attach small notes for reference. This feature allows the user to enter in their comment in markdown comment, allowing them to use common markdo...

GHSA-Q6XV-JM4V-349H Cross-site Scripting in ZenUML

Summary Markdown-based comments in the ZenUML diagram syntax are susceptible to Cross-site Scripting XSS. Details The comment feature allows the user to attach small notes for reference. This feature allows the user to enter in their comment in markdown comment, allowing them to use common markdo...

RLSA-2024:2888 Important: thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.11.0. Security Fixes: firefox: Arbitrary JavaScript execution in PDF.js CVE-2024-4367 firefox: IndexedDB files retained in private browsing mode CVE-2024-4767 firefox: Potential...

Mozilla: Arbitrary JavaScript execution in PDF.js

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context...

GHSA-4M3G-6R7G-JV4F Arbitrary JavaScript execution due to using outdated libraries

Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. PoC 1. Generate a pdf file with a malicious script in the fontmatrix. This will run alert‘XSS’. poc.pdf 2. Run the app. In this PoC, I've used the demo...