Lucene search

3298 matches found

Prion
added 2020/01/13 6:15 p.m. | 11 views

Cross site scripting

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folderup.png IMG element not properly sanitizing user-inserted directory...

4.3 CVSS | 6.1 AI score | 0.01216 EPSS
Exploits 0 | References 3 | Affected Software 1
Cvelist
added 2020/01/13 5:29 p.m. | 22 views

CVE-2020-5195

Reflected XSS through an IMG element in Cerberus FTP Server prior to versions 11.0.1 and 10.0.17 allows a remote attacker to execute arbitrary JavaScript or HTML via a crafted public folder URL. This occurs because of the folderup.png IMG element not properly sanitizing user-inserted directory...

6.2 AI score | 0.01216 EPSS
Exploits 0 | References 3
Veracode
added 2020/01/13 4:55 a.m. | 15 views

Cross-Site Scripting (XSS)

node-red is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a user's browser via the name field when renaming a flow in the Workspace dialog...

5.4 CVSS | 3.9 AI score | 0.00644 EPSS
Exploits 1 | References 2 | Affected Software 1
Veracode
added 2020/01/13 2:7 a.m. | 12 views

Cross-Site Scripting (XSS)

github.com/tophubs/toplist is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a user's browser via the title...

6.1 CVSS | 3.4 AI score | 0.00649 EPSS
Exploits 0 | References 1 | Affected Software 1
Node.js
added 2020/01/10 7:44 p.m. | 19 views

Cross-Site Scripting

Overview: All versions of atlasboard-atlassian-package prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly sanitize user input that is rendered as HTML, which may allow attackers to execute arbitrary JavaScript in a victim's browser. This requires attackers bei...

6.6 AI score
Exploits 0 | Affected Software 1
Veracode
added 2020/01/09 3:48 a.m. | 19 views

Cross-Site Scripting (XSS)

atlas-webapp is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a user's browser via the search functionality...

6.1 CVSS | 3.5 AI score | 0.01787 EPSS
Exploits 0 | References 3 | Affected Software 1
Veracode
added 2020/01/08 5:5 a.m. | 17 views

Cross-Site Scripting (XSS)

moodle/moodle is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a user's browser via the user's email, causing the payload to be rendered and executed on pages that display the malicious email address...

6.1 CVSS | 4.1 AI score | 0.01113 EPSS
Exploits 0 | References 3 | Affected Software 1
Veracode
added 2020/01/08 1:29 a.m. | 10 views

Cross-Site Scripting (XSS)

hellojs is vulnerable to cross-site scripting (XSS). The vulnerability exists because the value of state.pageuri is not sanitized, allowing arbitrary JavaScript to be executed when rendered...

1.5 AI score
Exploits 0
NVD
added 2020/01/04 3:15 a.m. | 19 views

CVE-2020-5497

The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript...

6.1 CVSS | 6.3 AI score | 0.02133 EPSS
Exploits 2 | References 4
OSV
added 2020/01/04 3:15 a.m. | 25 views

CVE-2020-5497

The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript...

6.1 CVSS | 6.5 AI score | 0.02133 EPSS
Exploits 2 | References 4
Cvelist
added 2020/01/04 2:7 a.m. | 27 views

CVE-2020-5497

The OpenID Connect reference implementation for MITREid Connect through 1.3.3 allows XSS due to userInfoJson being included in the page unsanitized. This is related to header.tag. The issue can be exploited to execute arbitrary JavaScript...

6.3 AI score | 0.02133 EPSS
Exploits 2 | References 4
Veracode
added 2019/12/30 4:18 a.m. | 27 views

Cross-Site Scripting (XSS)

wordpress is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a user's browser via malicious links due to insufficient validation and sanitization in the function wptargetedlinkrel in wp-includes/formatting.php...

6.1 CVSS | 3.6 AI score | 0.02762 EPSS
Exploits 1 | References 10 | Affected Software 1
CNVD
added 2019/12/21 12:0 a.m. | 2 views

Shazam injection vulnerability

Shazam is a music playing application. The program has features such as music recognition and playback. An injection vulnerability exists in Shazam versions prior to 9.25.0 Android and 12.11.0 iOS. An attacker can exploit the vulnerability to execute arbitrary JavaScript code with the help of a...

8.8 CVSS | 7.8 AI score | 0.0193 EPSS
Exploits 0 | References 1
IBM Security Bulletins
added 2019/12/20 8:47 a.m. | 18 views

Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4665)

Summary: A security vulnerability has been identified in all levels of IBM Spectrum Scale that could allow users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. A fix for this...

5.4 CVSS | 1 AI score | 0.00561 EPSS
Exploits 0 | Affected Software 1
HackerOne
added 2019/12/19 8:2 p.m. | 40 views

Pornhub: Self-XSS to Good-XSS - pornhub.com

The researcher was able to bypass the site-wide clickjacking protection (the X-Frame-Options header) in order to fully automate the exploitation of a self-XSS vulnerability, allowing attackers to execute arbitrary JavaScript payloads on the pornhub domain through iframes hosted on a third-party website...

4.3 AI score
Exploits 0
NVD
added 2019/12/18 8:15 p.m. | 9 views

CVE-2019-18267

An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site...

5.4 CVSS | 6 AI score | 0.01553 EPSS
Exploits 0 | References 1
Prion
added 2019/12/04 7:15 p.m. | 15 views

Input validation

The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a cssheroaction=editpage request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in th...

4.3 CVSS | 6.2 AI score | 0.01882 EPSS
Exploits 2 | References 3 | Affected Software 1
Cvelist
added 2019/12/04 6:55 p.m. | 37 views

CVE-2019-19133

The CSS Hero plugin through 4.0.3 for WordPress is prone to reflected XSS via the URI in a cssheroaction=editpage request because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary JavaScript in the browser of an unsuspecting user in th...

6.3 AI score | 0.01882 EPSS
Exploits 2 | References 3
Veracode
added 2019/11/29 5:17 a.m. | 24 views

Privilege Escalation

cordova-plugin-inappbrowser is vulnerable to privilege escalation. The vulnerability exists on Android, where arbitrary JavaScript can be run in the main application's website through the value of gap-iab://...

9.8 CVSS | 3.1 AI score | 0.0783 EPSS
Exploits 0 | References 9 | Affected Software 1
GitHub Security Blog
added 2019/11/22 1:45 p.m. | 90 views

Apache Airflow vulnerable to XSS and local file disclosure

A malicious admin user could edit the state of objects in the Airflow metadata database to execute arbitrary JavaScript on certain page views. This also presented a Local File Disclosure vulnerability to any file readable by the webserver process...

4.8 CVSS | 5.9 AI score | 0.01345 EPSS
Exploits 0 | References 5 | Affected Software 1