98 matches found
CVE-2022-1020
The Product Table for WooCommerce wooproducttable WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wptadminupdatenoticeoption AJAX action available to both unauthenticated and authenticated users, and does not validate the callback parameter, allowing...
CVE-2022-0212
The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...
SpiderCalendar <= 1.5.65 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue. Note: Vendor decided to close the plugin and it won't be...
WSO2 Identity Server Cross-Site Scripting Vulnerability
WSO2 Identity Server (IS) is an identity server from WSO2, Inc. A security vulnerability exists in WSO2 Identity Server, which stems from the fact that in WSO2 Identity Server 5.7.0, a DOM-based XSS attack can be executed that affects the callback parameter modifying the callback parameter before t...
CVE-2021-39412
Multiple Cross Site Scripting (XSS) vulnerabilities exist in PHPGurukul Shopping v3.1 via the (1) callback parameter in (a) serverside/scripts/idjsonp.php, (b) serverside/scripts/jsonp.php, and (c) scripts/objectsjsonp.php, the (2) value parameter in examplessupport/editableajax.php, and the (3) PHPSELF...
Cross-site scripting in SocksJS-node
htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter...
GHSA-HH8V-JMH3-9437 Cross-site scripting in SocksJS-node
htmlfile in lib/transport/htmlfile.js in SockJS before 0.3.0 is vulnerable to Reflected XSS via the /htmlfile c (aka callback) parameter...
MTN Group: Cross-site Scripting (XSS) - Reflected on http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via `callback` parameter
The vulnerability was a reflected cross-site scripting (XSS) issue found on the website http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via the "callback" parameter. The vulnerability allowed the execution of arbitrary JavaScript code...
Greenmart < 2.4.3 - Reflected Cross-Site Scripting (XSS)
The greenmartautocompletesearch AJAX action, available to both authenticated and unauthenticated users, does not properly sanitise the callback parameter passed to it, resulting in a reflected Cross-Site Scripting issue. Edit (WPScanTeam): The vendor 'fixed' the issue for authenticated users by addi...
Exploit for Code Injection in Nette Application
CVE-2020-15227: DISCLAIMER! I take no responsibil...
CQU-LANKERS Cross-Site Scripting Vulnerability
CQU-LANKERS is a system of university community services. A cross-site scripting vulnerability exists in the public/api.php file in CQU-LANKERS 2017-11-02 and earlier versions, which can be exploited by remote attackers to bypass the Web Application Protection System with the help of the 'callbac...
CVE-2018-17049
CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback parameter in an uploadpic action...
Design/Logic Flaw
An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the callback parameter in a public/api.php uploadpic request, bypassing the iWAF protection mechanism...
CVE-2018-13865
An issue was discovered in idreamsoft iCMS 7.0.9. XSS exists via the callback parameter in a public/api.php uploadpic request, bypassing the iWAF protection mechanism...
Cross-site Scripting (XSS)
jolokia-core is vulnerable to cross-site scripting (XSS) attacks. The library does not properly validate the callback request parameter, allowing a malicious user to inject and execute arbitrary JavaScript...
SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2017:0714-1)
This update for MozillaFirefox to ESR 45.8 fixes the following issues: Security issues fixed bsc1028391 : - CVE-2017-5402: Use-after-free working with events in FontFace objects - CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping - CVE-2017-5400: asm.js...
jamtransfer.com XSS vulnerability
Vulnerable URL: http://www.jamtransfer.com/widget/data.php?callback=prompt/OPENBUGBOUNTY/...
tylkodlazabawy.pl XSS vulnerability
Vulnerable URL: http://tylkodlazabawy.pl/login.php?callback=prompt/OPENBUGBOUNTY/...
Pornhub: [RCE] Unserialize to XXE - file disclosure on ams.upload.pornhub.com
Researcher was able to exploit a serialization error in the SimpleXMLElement class to perform object injection using the callbackUrl parameter. Researcher was successful in achieving the following: SSRF; local file inclusion; limited execution of database commands without output. I exploited the...