1492 matches found
Cross-site Scripting (XSS) - Stored in convos-chat/convos
Description I found a way to bypass the Stored XSS via uploading a file in .svg format when chatting in a private conversation. Since you have filtered the content of the svg file as below: state $RULES = svg = qr Steps to Reproduce 1. After login, go to any private conversation. 2. In the chat bar,...
Cross-site Scripting in CKAN
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...
CVE-2021-23260
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site...
Design/Logic Flaw
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site...
CVE-2021-23260 Stored XSS Vulnerability in File Name of the File Upload function
Authenticated users with Site roles may inject XSS scripts via file names that will execute in the browser for this and other users of the same site...
CVE-2021-23260
CVE-2021-23260 affects Crafter CMS. Authenticated users with Site roles can inject XSS through file-name handling in the file upload function, enabling script execution in the browsers of this and other site users. Public-facing technical details are limited in the provided documents; CVSS vector...
CVE-2021-25967
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...
Cross site scripting
In CKAN, versions 2.9.0 to 2.9.3 are affected by a stored XSS vulnerability via SVG file upload of users’ profile picture. This allows low privileged application users to store malicious scripts in their profile picture. These scripts are executed in a victim’s browser when they open the maliciou...
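The convos and CKAN entries above describe the same pattern: an image upload endpoint accepts SVG, and because SVG is XML that browsers render as a document, it can carry `<script>`, `on*` event handlers, `javascript:` links and `<foreignObject>` HTML. The following is an added example written for this page, not code from CKAN, convos or any other project listed here. It uses only the Python standard library and constructed sample files; in production the parser should be `defusedxml` (assumed here, not imported) to also block entity-expansion attacks.

```python
"""Reject uploaded SVGs that carry script-capable content (added example)."""
import xml.etree.ElementTree as ET

# Elements that execute script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value is a URL (href / xlink:href) or an animation target
# (SMIL <set>/<animate> to/from/values) and may therefore hold javascript:.
URL_ATTRS = {"href", "to", "from", "values"}


def _local(tag):
    """Strip the XML namespace from an ElementTree name: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1].lower()


def _script_url(value):
    """True if any ';'-separated token of the value is a script-bearing URL.
    Whitespace is removed first because browsers ignore it inside the scheme."""
    for token in value.split(";"):
        compact = "".join(token.split()).lower()
        if compact.startswith(("javascript:", "vbscript:", "data:text/html")):
            return True
    return False


def find_active_content(svg_bytes):
    """Return a list of findings describing script-capable content in an SVG.

    An empty list means nothing was flagged. A parse error is reported as a
    finding too: browsers are far more lenient than an XML parser, so an
    unparseable upload is rejected rather than trusted.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"parse error: {exc}"]
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in URL_ATTRS and _script_url(value):
                findings.append(f"{aname}={value!r} on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    """Upload-time gate: True only if the scanner found nothing."""
    return not find_active_content(svg_bytes)


def svg_response_headers():
    """Headers for serving a user-supplied SVG even after it passed the scan.
    'attachment' stops inline rendering in the application origin and the CSP
    blocks script if the file is ever opened directly anyway."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples for the demonstration (not files from any report above).
SVG_NS = 'xmlns="http://www.w3.org/2000/svg"'
BENIGN_SVG = f'<svg {SVG_NS} width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'.encode()
SCRIPT_SVG = f'<svg {SVG_NS}><script>alert(document.domain)</script></svg>'.encode()
ONLOAD_SVG = f'<svg {SVG_NS} onload="alert(1)"/>'.encode()
HREF_SVG = (f'<svg {SVG_NS} xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<a xlink:href=" jAvAsCrIpT:alert(1)"><text>x</text></a></svg>').encode()
SMIL_SVG = (f'<svg {SVG_NS}><a><set attributeName="href" to="javascript:alert(1)"/>'
            '<text>x</text></a></svg>').encode()
FOREIGN_SVG = (f'<svg {SVG_NS}><foreignObject><body xmlns="http://www.w3.org/1999/xhtml">'
               '<img src="x" onerror="alert(1)"/></body></foreignObject></svg>').encode()

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("onload", ONLOAD_SVG),
                       ("href", HREF_SVG), ("smil", SMIL_SVG), ("foreign", FOREIGN_SVG)]:
        print(label, "safe" if is_safe_svg(doc) else find_active_content(doc))
```

The scanner is deliberately a deny-list of the constructs that turn an image into a document; the safer design for profile pictures is to accept only raster formats, or to re-encode SVG to PNG server-side, and to serve any stored user file from a separate origin with the headers above so that a missed case cannot run in the application's session.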
CVE-2021-26607
An Improper input validation in execDefaultBrowser method of NEXACRO17 allows a remote attacker to execute arbitrary command on affected systems...
CVE-2021-25969
In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment...
Design/Logic Flaw
In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment...
CVE-2021-25969 Camaleon CMS - Stored Cross-Site Scripting (XSS) in Comments
In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attacker to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment...
CVE-2021-25968
In “OpenCMS”, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim’s browser when they open the page containing the vulnerable field...
Apache Superset up and Apache Superset Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability exists in Apache Superset, a data visualization and data exploration platform from the Apache Foundation, U.S. The vulnerability stems from insufficient sanitization of user-supplied data in browser pages. An attacker could exploit the vulnerability to trick victim...
Cross-site Scripting (XSS) - Stored in yeswiki/yeswiki
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
Cross-site Scripting (XSS) - Reflected in pheditor/pheditor
Description Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execut...
CVE-2021-38707
Persistent cross-site scripting (XSS) vulnerabilities in ClinicCases 7.3.3 allow low-privileged attackers to inject arbitrary JavaScript into account parameters. The XSS payloads will execute in the browser of any user who views the relevant content. This can result in account takeover via session...
Cross site scripting
Magento Commerce versions 2.4.2 and earlier, 2.4.2-p1 and earlier and 2.3.7 and earlier are affected by a stored cross-site scripting vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s brows...
GHSA-CPV8-6XGR-RMF6 Dolibarr Cross-site Scripting vulnerability
In Dolibarr ERP CRM, WYSIWYG Editor module, v2.8.1 to v13.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Private Note field at /adherents/note.php?id=1 endpoint. These scripts are executed in a victim’s browser when th...
Cross-site Scripting (XSS) - Reflected in leantime/leantime
✍️ Description Cross-site scripting (XSS) vulnerabilities. Line 9 of delCanvasItem.tpl.php sends unvalidated data to a web browser, which can result in the browser executing malicious code. 🕵️♂️ Proof of Concept /leancanvas/delCanvasItem/" 💥 Impact The attacker can: Perform any action within the...