Lucene search
+L

46 matches found

Prion
Prion
added 2022/05/04 9:15 a.m.18 views

Code injection

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

4.3CVSS6AI score0.0125EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2022/05/04 8:30 a.m.26 views

CVE-2022-1555 DOM XSS in microweber ver 1.2.15 in microweber/microweber

DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/microweber prior to 1.2.16. inject arbitrary js code, deface website, steal cookie...

8.8CVSS7.4AI score0.0125EPSS
Exploits1References4
Huntr
Huntr
added 2022/02/12 12:13 p.m.62 views

Cross-site Scripting (XSS) - Reflected in gnuboard/gnuboard5

Description https://github.com/gnuboard/gnuboard5/blob/v5.4.22/mobile/shop/lg/mispwapurl.phpL7 has no filtering for the variable. So, Attackers can trigger Reflected XSS via $GET'LGDOID' Proof of Concept /mobile/shop/lg/mispwapurl.php?LGDOID=%3Cscript%3Ealert1%3C/script%3E Impact Attacker can...

3.6AI score
Exploits0
Huntr
Huntr
added 2021/12/25 7:53 a.m.44 views

Cross-site Scripting (XSS) - Stored in chatwoot/chatwoot

Title Stored XSS in customattributes Description Relying on frontend URI check without verifying it on the backend allows to inject arbitrary JS code. Steps to reproduce 1. 1. Create a custom attribute, set its type to Link 2. 2. Navigate to any conversation, click on the right sidebar. 3. 3...

4.3CVSS0.9AI score0.00856EPSS
Exploits1
0day.today
0day.today
added 2021/11/27 12:0 a.m.406 views

Bagisto 1.3.3 - Client-Side Template Injection Vulnerability

Exploit Title: Bagisto 1.3.3 - Client-Side Template Injection Exploit Author: Mohamed Abdellatif Jaber Vendor Homepage: https://bagisto.com/en/ Software Link: https://github.com/bagisto/bagisto Version: v1.3.3 Tested on: windows | chrome | firefox Exploit :. 1- register an account and login your...

7.1AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2021/10/25 12:0 a.m.25 views

EulerOS 2.0 SP3 : python-lxml (EulerOS-SA-2021-2610)

According to the versions of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms argument...

6.1CVSS7.6AI score0.04002EPSS
Exploits1References2
Huntr
Huntr
added 2021/10/20 7:32 p.m.13 views

Cross-site Scripting (XSS) - Stored in rmuif/web

Description rmuif is vulnerable to XSS. It is possible to use tags in SVG content when uploading a profile picture. Proof of Concept SVG content: HTML alertdocument.domain; 1: Save the above content into an SVG file. 2: Access the settings page and upload this file as a profile picture. 3: Access...

0.6AI score
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2021/09/27 12:0 a.m.34 views

EulerOS 2.0 SP5 : python-lxml (EulerOS-SA-2021-2517)

According to the versions of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms argument...

6.1CVSS7.6AI score0.04002EPSS
Exploits1References2
CNVD
CNVD
added 2021/09/01 12:0 a.m.41 views

ZEIT Next.js Cross-Site Scripting Vulnerability

ZEIT Next.js is an open source web application framework from ZEIT based on Vue.js, Node.js, Webpack and Babel.js. Next.js versions 10.0.0 to 11.0.0 have a cross-site scripting vulnerability that can be exploited by attackers to execute arbitrary js commands...

7.5CVSS3.6AI score0.01139EPSS
Exploits0References1
Mageia
Mageia
added 2021/06/13 9:32 p.m.45 views

Updated python-lxml packages fix a security vulnerability

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

6.1CVSS3.5AI score0.04002EPSS
Exploits1References4
OSV
OSV
added 2021/06/13 9:32 p.m.13 views

MGASA-2021-0246 Updated python-lxml packages fix a security vulnerability

An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

6.1CVSS6.7AI score0.04002EPSS
Exploits1References5
NVD
NVD
added 2021/03/21 5:15 a.m.23 views

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

6.1CVSS0.04002EPSS
Exploits1References10
OSV
OSV
added 2021/03/21 5:15 a.m.39 views

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

6.1CVSS4AI score
Exploits0References10
UbuntuCve
UbuntuCve
added 2021/03/21 5:15 a.m.51 views

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

6.1CVSS6.8AI score0.04002EPSS
Exploits1References7
Debian CVE
Debian CVE
added 2021/03/21 4:39 a.m.48 views

CVE-2021-28957

An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...

6.1CVSS6.5AI score0.04002EPSS
Exploits1
Hacker One
Hacker One
added 2020/06/09 2:17 p.m.22 views

Shopify: xss on polaris.shopify.com/demo using postMessage

Description it's possible to run arbitrary js code using https://polaris.shopify.com/demo + postMessage following codes are from this file which formatted using prettier Demo component line 381 uses addEventListener to listen for message events line 401: js componentDidMount...

0.3AI score
Exploits0
NVD
NVD
added 2020/02/04 8:15 p.m.15 views

CVE-2020-8115

A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver = 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older version...

6.1CVSS6.4AI score0.07055EPSS
Exploits1References2
Prion
Prion
added 2020/02/04 8:15 p.m.19 views

Cross site scripting

A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver = 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older version...

4.3CVSS6.3AI score0.07055EPSS
Exploits1References2Affected Software1
UbuntuCve
UbuntuCve
added 2019/07/18 5:15 p.m.20 views

CVE-2019-1010261

Gitea 1.7.0 and earlier is affected by: Cross Site Scripting XSS. The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically...

6.1CVSS6.5AI score0.0084EPSS
Exploits0References2
Cvelist
Cvelist
added 2019/07/18 4:30 p.m.19 views

CVE-2019-1010261

Gitea 1.7.0 and earlier is affected by: Cross Site Scripting XSS. The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically...

6.2AI score0.0084EPSS
Exploits0References1
Rows per page
Query Builder