
3296 matches found

RedhatCVE
added 2020/02/05 9:14 a.m., 41 views

CVE-2019-10178

It was found that the Token Processing Service (TPS) did not properly sanitize the Token IDs from the "Activity" page, enabling a Stored Cross Site Scripting (XSS) vulnerability. An unauthenticated attacker could trick an authenticated victim into creating a specially crafted activity, which would...

6.1 CVSS, 3.2 AI score, 0.00961 EPSS
Exploits 0, References 3
IBM Security Bulletins
added 2020/02/05 12:53 a.m., 21 views

Security Bulletin: IBM B2B Advanced Communications is vulnerable to cross-site scripting due to the vulnerability of 10x (CVE-2016-5892)

Summary: IBM B2B Advanced Communications is vulnerable to cross-site scripting due to the vulnerability of 10x. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality, potentially leading to credentials disclosure within a trusted...

5.4 CVSS, 0.8 AI score, 0.00615 EPSS
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2020/02/05 12:53 a.m., 20 views

Security Bulletin: IBM Sterling B2B Integrator Is Vulnerable to Cross-site Scripting Due to the Vulnerability of 10x (CVE-2016-5892)

Summary: IBM Sterling B2B Integrator is vulnerable to cross-site scripting due to the vulnerability of 10x. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality, potentially leading to credentials disclosure within a trusted...

5.4 CVSS, 1.7 AI score, 0.00615 EPSS
Exploits 0, Affected Software 1
IBM Security Bulletins
added 2020/02/05 12:53 a.m., 27 views

Security Bulletin: Multiple Cross-Site Scripting Vulnerabilities Affect IBM Sterling B2B Integrator

Summary: IBM Sterling B2B Integrator Standard Edition has addressed the cross-site scripting vulnerabilities. Vulnerability Details: CVEID: CVE-2019-4073. DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrar...

5.4 CVSS, 1.4 AI score, 0.00987 EPSS
Exploits 0, Affected Software 1
Veracode
added 2020/02/04 6:6 a.m., 8 views

Cross-Site Scripting (XSS)

erubis is vulnerable to cross-site scripting (XSS). The single quote character ' is not validated and allows a remote attacker to inject and execute arbitrary Javascript in a user's browser via a template source and a malicious XML document...

4 AI score
Exploits 0
Veracode
added 2020/02/03 7:21 a.m., 16 views

Cross-Site Scripting (XSS)

Auth0-Lock is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary Javascript in a user's browser via the placeholder property. Customers using the additionalSignUpFields customization option are affected...

6.1 CVSS, 6.1 AI score, 0.00724 EPSS
Exploits 1, References 3, Affected Software 1
OSV
added 2020/01/30 11:15 p.m., 21 views

CVE-2020-8498

XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users e.g., ones who have t...

5.4 CVSS, 6.7 AI score
Exploits 0, References 3
Prion
added 2020/01/30 11:15 p.m., 11 views

Cross site scripting

XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users e.g., ones who have t...

3.5 CVSS, 5.7 AI score, 0.01211 EPSS
Exploits 0, References 3, Affected Software 1
Cvelist
added 2020/01/30 10:52 p.m., 21 views

CVE-2020-8498

XSS exists in the shortcode functionality of the GistPress plugin before 3.0.2 for WordPress via the includes/class-gistpress.php id parameter. This allows an attacker with the WordPress Contributor role to execute arbitrary JavaScript code with the privileges of other users e.g., ones who have t...

5.8 AI score, 0.01211 EPSS
Exploits 0, References 3
Veracode
added 2020/01/29 1:55 a.m., 17 views

Cross-Site Scripting (XSS)

tinymce is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary Javascript into a user's browser via the HTML comments and CDATA information...

2.4 AI score
Exploits 0
Veracode
added 2020/01/28 6:52 a.m., 13 views

Remote Code Execution

angular-expressions is vulnerable to remote code execution. An attacker can execute arbitrary Javascript expressions on the system when the function compile is called with user-controlled input...

8.8 CVSS, 3.9 AI score, 0.02393 EPSS
Exploits 0, References 3, Affected Software 1
Node.js
added 2020/01/23 5:8 p.m., 9 views

Cross-Site Scripting

Overview: Versions of @hapi/boom prior to 0.3.8 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly escape error messages, which may allow attackers to execute arbitrary JavaScript in a victim's browser. Recommendation: Upgrade to version 0.3.8 or later. References: - Snyk repor...

6.7 AI score
Exploits 0, Affected Software 1
Node.js
added 2020/01/17 9:17 p.m., 12 views

Cross-Site Scripting

Overview: Versions of node-red prior to 0.20.8 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize the name field in new Flows, allowing attackers to execute arbitrary JavaScript in the victim's browser. Recommendation: Upgrade to version 0.18.6 or later. References: - HackerOne...

6.7 AI score
Exploits 0, Affected Software 1
Veracode
added 2020/01/15 7:47 a.m., 21 views

Cross-Site Scripting (XSS)

apacheairflow is vulnerable to cross-site scripting (XSS). An administrative user is able to inject and execute arbitrary Javascript into a user's browser by modifying the state of an object when the application is running with the classic UI...

4.8 CVSS, 2.4 AI score, 0.01871 EPSS
Exploits 0, References 5, Affected Software 1
OSV
added 2020/01/14 5:15 p.m., 18 views

PYSEC-2020-162

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected...

4.8 CVSS, 2.8 AI score, 0.01871 EPSS
Exploits 0, References 4
Prion
added 2020/01/14 5:15 p.m., 14 views

Code injection

In Apache Airflow before 1.10.5 when running with the "classic" UI, a malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary javascript on certain page views. The new "RBAC" UI is unaffected...

3.5 CVSS, 5.4 AI score, 0.01871 EPSS
Exploits 0, References 3, Affected Software 1
OSV
added 2020/01/14 3:15 p.m., 1 views

CVE-2019-0219

A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI...

9.8 CVSS, 6 AI score, 0.0783 EPSS
Exploits 0, References 6
EUVD
added 2020/01/14 2:18 p.m., 5 views

EUVD-2020-0969

A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI...

9.8 CVSS, 9.2 AI score, 0.0783 EPSS
Exploits 0, References 8
Prion
added 2020/01/13 6:15 p.m., 11 views

Cross site scripting

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folderup.png IMG element not properly sanitizing user-inserted directory...

4.3 CVSS, 6.1 AI score, 0.01216 EPSS
Exploits 0, References 3, Affected Software 1
Cvelist
added 2020/01/13 5:29 p.m., 22 views

CVE-2020-5195

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folderup.png IMG element not properly sanitizing user-inserted directory...

6.2 AI score, 0.01216 EPSS
Exploits 0, References 3