3237 matches found
Argo CD's external URLs for Deployments can include JavaScript
Impact: All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions, up to and including admin. The scri...
Cross-Site Scripting (XSS)
brotkrueml/typo3-matomo-integration is vulnerable to cross-site scripting. The vulnerability exists in the convertStringValue function in MatomoMethodCall.php because the content from PSR-14 events is not properly escaped, which allows an attacker to inject and execute arbitrary JavaScript...
WordPress WP Simple Adsense Insertion plugin Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. WordPress WP Simple Adsense Insertion plugin prior to version 2.1 is vulnerable to cross-site request...
CVE-2022-31470
An XSS vulnerability in the indexmobilechangepass.hsp reset-password section of Axigen Mobile WebMail before 10.2.3.12 and 10.3.x before 10.3.3.47 allows attackers to run arbitrary Javascript code that, using an active end-user session for a logged-in user, can access and retrieve mailbox content...
CVE-2022-1940
A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues...
CVE-2022-1940
Removed by vendor...
VulnCheck KEV: CVE-2021-41174
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...
WordPress plugin JivoChat Live Chat Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in versions of the WordPress JivoChat Live Chat plugi...
Cross-Site Scripting (XSS)
@angular/core is vulnerable to cross-site scripting. The vulnerability exists in a few methods due to not escaping the comment text, which allows an attacker to inject and execute arbitrary JavaScript...
Possible cross-site scripting attack via unsanitized SVG files in FoF Upload
Impact If FoF Upload is configured to allow the uploading of SVG files image/svg+xml, navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an attacker. This Javascript code could include the execution of HTTP web requests to Flarum, or any other web service...
CVE-2022-30999 Possible cross-site scripting attack via unsanitized SVG files in FoF Upload
FriendsofFlarum FoF Upload is an extension that handles file uploads intelligently for your forum. If FoF Upload prior to version 1.2.3 is configured to allow the uploading of SVG files 'image/svg+xml', navigating directly to an SVG file URI could execute arbitrary Javascript code decided by an...
GHSA-WMH9-X28J-C6GR Cross site scripting in publify
In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article...
GHSA-2PM7-Q8PC-XHVQ MantisBT HTML Injection vulnerability
An issue was discovered in MantisBT before 2.24.3. Improper escaping of a custom field's name allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript when attempting to update said custom field via bugactiongrouppage.php...
Magento 2 Community Edition XSS Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can execute arbitrary JavaScript code by providing an arbitrary API endpoint that will not be checked by the sale pickup event...
Cross-site Scripting (XSS)
publify is vulnerable to stored cross-site scripting attacks. The vulnerability exists in resourceuploader.rb due to a lack of input validation, which allows an attacker to inject and execute arbitrary JavaScript...
CVE-2022-1093
The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed...
CVE-2022-1093
The WP Meta SEO WordPress plugin, prior to version 4.4.7, is vulnerable to a stored cross-site scripting (XSS) flaw in the breadcrumb separator. A high-privilege user (e.g., an administrator) can inject arbitrary JavaScript into pages where breadcrumbs are rendered, due to the separator not being...
Cross-Site Scripting (XSS)
moodle/moodle is vulnerable to stored cross-site scripting. The vulnerability exists in the renderassignusersummary function in renderer.php because the identity fields in the allocate marker form are not properly escaped, which allows an attacker to inject and execute arbitrary JavaScript...