Lucene search

143 matches found

NVD, added 2021/08/31 11:15 a.m. (8 views)

CVE-2021-34563

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript...

CVSS 3.3, EPSS 0.00047
Exploits 0, References 1
Prion, added 2021/08/31 11:15 a.m. (9 views)

Design/Logic Flaw

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript...

CVSS 2.1, AI score 5.2, EPSS 0.00047
Exploits 0, References 1, Affected Software 2
Cvelist, added 2021/08/31 10:32 a.m. (13 views)

CVE-2021-34563 In WirelessHART-Gateway versions 3.0.8 and 3.0.9 the HttpOnly flag is missing in a cookie, which allows client-side JavaScript to modify it

In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript...

CVSS 3.3, AI score 4.2, EPSS 0.00047
Exploits 0, References 1
NVD, added 2019/10/18 4:15 p.m. (14 views)

CVE-2019-17207

A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker aka Broken Link Checker plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the...

CVSS 5.4, AI score 5.2, EPSS 0.00294
Exploits 2, References 4
Prion, added 2019/10/18 4:15 p.m. (12 views)

Cross site scripting

A reflected XSS vulnerability was found in includes/admin/table-printer.php in the broken-link-checker aka Broken Link Checker plugin 1.11.8 for WordPress. This allows unauthorized users to inject client-side JavaScript into an admin-only WordPress page via the...

CVSS 3.5, AI score 5.1, EPSS 0.00294
Exploits 2, References 4, Affected Software 1
CVE, added 2019/10/18 3:47 p.m. (178 views)

CVE-2019-17207

The CVE concerns the WordPress Broken Link Checker plugin (version 1.11.8) where the vulnerability resides in includes/admin/table-printer.php. A reflected cross-site scripting (XSS) flaw is triggered via the s_filter parameter in the admin tools page (wp-admin/tools.php?page=view-broken-links), ...

CVSS 5.4, AI score 5.3, EPSS 0.00294
Exploits 2, References 4, Affected Software 1
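The three CVE-2019-17207 entries above describe the classic reflected XSS shape: a query parameter (s_filter) is written back into an admin page unencoded, so an attacker who gets an administrator to follow a crafted link runs script in the admin's session. The following is an added example, not code from the Broken Link Checker plugin or from any advisory on this page. The page path and the parameter name are taken from the entries; the HTML template, the payload and the hostname example.test are constructed for illustration.

```javascript
// Added example; not code from the Broken Link Checker plugin or any advisory listed here.
// The page (wp-admin/tools.php?page=view-broken-links) and parameter (s_filter) come from the
// CVE-2019-17207 entry; the HTML template and the payload are constructed for illustration.

// Encode the five characters that matter in HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the query parameter is reflected into an attribute unencoded.
function renderFilterFormVulnerable(sFilter) {
  return `<input type="text" name="s_filter" value="${sFilter}">`;
}

// Hardened pattern: the untrusted value is encoded for the attribute context it lands in.
function renderFilterFormSafe(sFilter) {
  return `<input type="text" name="s_filter" value="${escapeHtml(sFilter)}">`;
}

// Read s_filter from a link the way the admin page would (URL decoding included).
function sFilterFromUrl(url) {
  return new URL(url).searchParams.get('s_filter') ?? '';
}

// The template emits exactly three attributes; anything else means the value broke out.
function attributeNames(markup) {
  const names = [];
  const re = /\s([a-zA-Z-]+)(?:\s*=\s*"[^"]*")?/g;
  let m;
  while ((m = re.exec(markup)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function hasInjectedAttributes(markup) {
  const allowed = new Set(['type', 'name', 'value']);
  return attributeNames(markup).some((n) => !allowed.has(n));
}

// Constructed attacker link. An admin who follows it runs the injected handler in their own session.
const CRAFTED_LINK =
  'https://example.test/wp-admin/tools.php?page=view-broken-links&s_filter=' +
  encodeURIComponent('" autofocus onfocus="alert(document.cookie)');

// Renders the same parameter both ways and reports whether the markup gained attributes.
function demo() {
  const param = sFilterFromUrl(CRAFTED_LINK);
  return {
    vulnerable: hasInjectedAttributes(renderFilterFormVulnerable(param)),
    hardened: hasInjectedAttributes(renderFilterFormSafe(param)),
  };
}
```

The check in hasInjectedAttributes is deliberately structural: it does not look for the string "onfocus", which the encoded version still contains as harmless text, but for attributes the template never emitted. That is the same distinction the fix relies on: context-aware output encoding, not payload blacklisting.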
NVD, added 2018/09/06 11:29 p.m. (6 views)

CVE-2018-16590

FURUNO FELCOM 250 and 500 devices use only client-side JavaScript in login.js for authentication...

CVSS 10, AI score 9.6, EPSS 0.00668
Exploits 1, References 2
The Coalfire Blog, added 2018/05/09 5:40 p.m. (16 views)

Microsoft Word Document Upload to Stored XSS: A Case Study

Anytime I see a file upload form during an application test, my attention is piqued. In a best-case scenario, I can upload a reverse shell in a scripting language available on the webserver. If the application is running in PHP or ASP for example, it becomes quite easy. If I can't get a backdoor...

AI score 6.2
Exploits 0
Prion, added 2017/10/16 1:29 a.m. (14 views)

Design/Logic Flaw

osTicket 1.10.1 allows arbitrary client-side JavaScript code execution on victims who click a crafted support/scp/tickets.php?status= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protections, injection of iframes to establish communication...

CVSS 4.3, AI score 6.7, EPSS 0.00396
Exploits 2, References 1, Affected Software 1
Prion, added 2017/07/31 11:29 p.m. (12 views)

Cross site scripting

services/systemio/actionprocessor/Contact.rails in ConnectWise Manage 2017.5 allows arbitrary client-side JavaScript code execution involving a ContactCommon field on victims who click on a crafted link, aka XSS...

CVSS 4.3, AI score 6.6, EPSS 0.00399
Exploits 1, References 1, Affected Software 1
Prion, added 2015/07/06 2:01 a.m. (21 views)

Design/Logic Flaw

Use-after-free vulnerability in the CSPService::ShouldLoad function in the microtask implementation in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allows remote attackers to execute arbitrary code by leveraging client-side JavaScript that triggers remova...

CVSS 10, AI score 7.9, EPSS 0.00945
Exploits 0, References 14, Affected Software 4
Cvelist, added 2015/07/06 1:00 a.m. (24 views)

CVE-2015-2731

Use-after-free vulnerability in the CSPService::ShouldLoad function in the microtask implementation in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allows remote attackers to execute arbitrary code by leveraging client-side JavaScript that triggers remova...

AI score 5.2, EPSS 0.00945
Exploits 0, References 14
OSV, added 2015/07/05 12:00 a.m. (0 views)

UBUNTU-CVE-2015-2731

Use-after-free vulnerability in the CSPService::ShouldLoad function in the microtask implementation in Mozilla Firefox before 39.0, Firefox ESR 38.x before 38.1, and Thunderbird before 38.1 allows remote attackers to execute arbitrary code by leveraging client-side JavaScript that triggers remova...

CVSS 10, AI score 6.6, EPSS 0.00945
Exploits 0, References 7
seebug.org, added 2014/07/01 12:00 a.m. (9 views)

Working Resources BadBlue 1.7.3 cleanSearchString() Cross Site Scripting Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/5179/info BadBlue is a P2P file sharing application distributed by Working Resources. It is designed for use on Microsoft Windows operating systems. BadBlue is operated through a web interface, generated by an included we...

AI score 7.1
Exploits 0
CVE, added 2014/04/15 11:00 p.m. (43 views)

CVE-2014-2866

CommonSpot (PaperThin) before 7.0.2 and 8.x before 8.0.3 is vulnerable because access restrictions rely on client-side JavaScript, which can be bypassed by an attacker who can modify that code to perform operations that should be restricted. The Red Hat security entry documents the same descripti...

CVSS 10, AI score 7.1, EPSS 0.01057
Exploits 0, References 1, Affected Software 1
Nmap, added 2013/08/10 7:30 p.m. (218 views)

http-dombased-xss NSE Script

It looks for places where attacker-controlled information in the DOM may be used to affect JavaScript execution in certain ways. The attack is explained here: See also: http-stored-xss.nse http-phpself-xss.nse http-xssed.nse http-unsafe-output-escaping.nse Script Arguments...

CVSS 10, EPSS 0.94176
Exploits 33
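The http-dombased-xss entry describes the technique without showing it: look through a page's scripts for places where attacker-controlled DOM data (URL fragment, referrer, window name) reaches a sink that interprets it as HTML or code. The block below is an added example and is not the Nmap NSE script; it is a simplified, line-oriented scanner built on the same source/sink idea, with single-assignment taint propagation so that a value copied into a variable is still caught at the sink. The source and sink lists and the sample page script are constructed for the example.

```javascript
// Added example; this is not the Nmap http-dombased-xss NSE script, but a simplified
// line-oriented version of the same idea: pair attacker-controlled DOM sources with
// dangerous sinks. The source and sink lists and the sample script are constructed here.

const SOURCES = [
  'document.URL', 'document.documentURI', 'document.baseURI', 'document.referrer',
  'location.href', 'location.search', 'location.hash', 'location.pathname',
  'window.name', 'document.cookie',
];

// Each sink regex ends where the attacker-influenced value begins (after '=' or '(').
const SINKS = [
  /\.innerHTML\s*=(?!=)/, /\.outerHTML\s*=(?!=)/, /\.insertAdjacentHTML\s*\(/,
  /\bdocument\.write(?:ln)?\s*\(/, /\beval\s*\(/, /\bsetTimeout\s*\(/, /\bsetInterval\s*\(/,
  /\bnew\s+Function\s*\(/, /\blocation(?:\.href)?\s*=(?!=)/, /\.src\s*=(?!=)/,
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

const SOURCE_RE = new RegExp(`\\b(?:window\\.)?(?:${SOURCES.map(escapeRegExp).join('|')})\\b`);

// Does this text read from a DOM source, or reference a variable already derived from one?
function isTainted(text, tainted) {
  if (SOURCE_RE.test(text)) return true;
  if (tainted.size === 0) return false;
  const ids = [...tainted].map(escapeRegExp).join('|');
  return new RegExp(`\\b(?:${ids})\\b`).test(text);
}

// Scan script lines in order; taint flows forward through simple `x = <expr>` assignments only.
// Returns one finding per line where a sink receives a source or a tainted variable.
function scanDomXss(lines) {
  const tainted = new Set();
  const findings = [];
  lines.forEach((line, i) => {
    for (const sink of SINKS) {
      const m = sink.exec(line);
      if (m && isTainted(line.slice(m.index + m[0].length), tainted)) {
        findings.push({ line: i + 1, sink: m[0].trim(), code: line.trim() });
        break;
      }
    }
    const a = /^\s*(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?);?\s*$/.exec(line);
    if (a && isTainted(a[2], tainted)) tainted.add(a[1]);
  });
  return findings;
}

// Constructed sample page script: two real flows, two lines that only look dangerous.
const SAMPLE_LINES = [
  "var q = location.hash.slice(1);",
  "const name = decodeURIComponent(q);",
  "document.getElementById('greet').innerHTML = 'Hello ' + name;",
  "document.getElementById('safe').textContent = name;",
  "document.write('<p>static footer</p>');",
  "setTimeout(\"track('\" + document.referrer + \"')\", 100);",
];
```

Run scanDomXss(SAMPLE_LINES) and only lines 3 and 6 are reported: textContent is not an HTML sink, and document.write with a constant is not attacker-influenced. Like the NSE script, this is a pattern matcher, not a parser; it will miss flows through function calls and object properties and is a triage aid rather than proof.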
Prion, added 2011/09/08 6:55 p.m. (8 views)

Code injection

IBM Rational Build Forge 7.1.2 relies on client-side JavaScript code to enforce the EditSecurity permission requirement for the Export Key File function, which allows remote authenticated users to read a key file by removing a disable attribute in the Security sub-menu...

CVSS 4, AI score 6.5, EPSS 0.00327
Exploits 0, References 6, Affected Software 1
Tenable Nessus, added 2010/04/30 12:00 a.m. (35 views)

Fixed HTTP Session Cookies

The remote web application uses cookies to track authenticated users. If the session cookie is already present before authentication, it remains unchanged after a successful login. A remote attacker can exploit this to hijack a valid user session. Session cookies are expected to be unpredictable ...

AI score 5.6
Exploits 0, References 3
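Two cookie findings in this list share the same remediation check. The CVE-2021-34563 entries at the top describe a cookie issued without HttpOnly, so page script can read it; the Nessus "Fixed HTTP Session Cookies" entry describes a session identifier that is not reissued on login, so an identifier an attacker planted before authentication becomes an authenticated session. The block below is an added example, not code from Pepperl+Fuchs, Tenable or any advisory here: it parses Set-Cookie headers, reports missing protective attributes, adds them, and checks that the session value changes across login. The cookie name JSESSIONID and the values are constructed for the example.

```javascript
// Added example; not code from Pepperl+Fuchs, Tenable or any advisory on this page.
// Covers two findings above: a session cookie set without HttpOnly (CVE-2021-34563) and a
// session cookie that is not rotated on login (Nessus "Fixed HTTP Session Cookies").
// All Set-Cookie header strings below are constructed for the example.

// Parse one Set-Cookie header value into { name, value, attrs }; attrs keys are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of rest) {
    const [k, v = true] = part.trim().split('=');
    if (k) attrs[k.toLowerCase()] = v === true ? true : v.trim();
  }
  return { name, value, attrs };
}

// Report the protective attributes a session cookie should carry but does not.
// HttpOnly keeps the value out of document.cookie; Secure keeps it off plaintext HTTP;
// SameSite limits cross-site sending.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!('httponly' in c.attrs)) missing.push('HttpOnly');
  if (!('secure' in c.attrs)) missing.push('Secure');
  if (!('samesite' in c.attrs)) missing.push('SameSite');
  return { name: c.name, missing };
}

// Remediation: append whatever is missing. SameSite=Lax is the conservative default chosen here.
function hardenSetCookie(header) {
  const { missing } = auditCookie(header);
  const add = missing.map((a) => (a === 'SameSite' ? 'SameSite=Lax' : a));
  return add.length ? `${header}; ${add.join('; ')}` : header;
}

// Session fixation check: the identifier seen before login must differ from the one issued
// after a successful login. Same name, same value means a planted id is now authenticated.
function sessionRotated(preLoginHeader, postLoginHeader) {
  const before = parseSetCookie(preLoginHeader);
  const after = parseSetCookie(postLoginHeader);
  return before.name === after.name && before.value !== after.value;
}

// Constructed headers: the weak form mirrors the CVE-2021-34563 description (no HttpOnly).
const WEAK_COOKIE = 'JSESSIONID=8f3a9c2d1e; Path=/';
const HARDENED_COOKIE = 'JSESSIONID=2b7e151628aed2a6; Path=/; Secure; HttpOnly; SameSite=Lax';
```

In a real test the two headers for sessionRotated come from the response to the first unauthenticated request and from the response to the login POST; if the server sends no Set-Cookie at all on login, treat that as "not rotated" too, since the pre-login value is what the browser keeps.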
Prion, added 2009/07/05 4:30 p.m. (7 views)

Code injection

The web interface on the Axesstel MV 410R relies on client-side JavaScript code to validate input, which allows remote attackers to send crafted data, and possibly have unspecified other impact, via a client that does not process JavaScript...

CVSS 7.5, AI score 7.7, EPSS 0.00423
Exploits 0, References 2
CVE, added 2009/07/05 4:00 p.m. (35 views)

CVE-2009-2320

The CVE-2009-2320 issue affects the Axesstel MV 410R web interface where input validation relies on client-side JavaScript; remote attackers could send crafted data via a client that does not process JavaScript. The root cause is reliance on client-side validation, enabling potential unspecified ...

CVSS 7.5, AI score 7.4, EPSS 0.00423
Exploits 0, References 2, Affected Software 1
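Several entries in this list share one root cause: FURUNO FELCOM (CVE-2018-16590) authenticates in login.js, CommonSpot (CVE-2014-2866) enforces access restrictions in page script, IBM Rational Build Forge relies on a disabled menu attribute to gate Export Key File, and the Axesstel MV 410R (CVE-2009-2320) validates input only in the browser. In every case a client that does not run the script, or an attacker who edits it, simply sends the request. The block below is an added example, not code from any of those vendors or advisories: a request handler that repeats the authentication, permission and input checks on the server, so that the client-side copy of the check is only a convenience. The EditSecurity permission and the Export Key File function are named after the Build Forge entry; the route names, field rules, sessions and request bodies are constructed for the example.

```javascript
// Added example; not code from IBM, Axesstel, PaperThin, FURUNO or any advisory listed here.
// The EditSecurity permission and the Export Key File function follow the Build Forge entry;
// route names, field rules, sessions and request bodies are constructed for illustration.

// Server-side validation rules for form fields: the same rules the browser script would apply.
const FIELD_RULES = {
  hostname: (v) => typeof v === 'string' &&
    /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i.test(v),
  port: (v) => Number.isInteger(v) && v >= 1 && v <= 65535,
};

// Reject missing, malformed and unexpected fields; never assume the client filtered anything.
function validateBody(body, requiredFields) {
  const errors = [];
  for (const f of requiredFields) {
    if (!(f in body)) errors.push(`${f}: missing`);
    else if (!FIELD_RULES[f](body[f])) errors.push(`${f}: invalid`);
  }
  for (const f of Object.keys(body)) {
    if (!requiredFields.includes(f)) errors.push(`${f}: unexpected`);
  }
  return errors;
}

const ROUTES = {
  // Build Forge case: the UI disabled the "Export Key File" entry in the Security sub-menu, but
  // the only thing that stops a crafted request is this check against the server-side session.
  // Anything the client asserts about its own permissions in the body is ignored.
  '/export-key': (session) => {
    if (!session.permissions.includes('EditSecurity')) {
      return { status: 403, error: 'EditSecurity required' };
    }
    return { status: 200, keyFile: '-----BEGIN EXAMPLE KEY-----' }; // placeholder content
  },
  // Axesstel case: input rules checked in the browser must be rechecked here.
  '/config/network': (session, body) => {
    const errors = validateBody(body, ['hostname', 'port']);
    if (errors.length) return { status: 400, errors };
    return { status: 200, applied: { hostname: body.hostname.toLowerCase(), port: body.port } };
  },
};

// A request as the server sees it. The session comes from a server-side store keyed by the
// session cookie; it is never read from the request body.
function handle(route, session, body) {
  if (!session || !session.authenticated) return { status: 401, error: 'login required' };
  const handler = ROUTES[route];
  if (!handler) return { status: 404, error: 'no such route' };
  return handler(session, body);
}

// Constructed sessions.
const ADMIN = { authenticated: true, user: 'admin', permissions: ['EditSecurity'] };
const OPERATOR = { authenticated: true, user: 'ops', permissions: [] };

// What a browser with the script check removed, or a client that never ran it, would send.
function demo() {
  return {
    operatorExport: handle('/export-key', OPERATOR, {}).status,
    adminExport: handle('/export-key', ADMIN, {}).status,
    unauthenticated: handle('/export-key', null, {}).status,
    craftedConfig: handle('/config/network', OPERATOR, { hostname: 'gw;reboot', port: 70000 }).status,
    validConfig: handle('/config/network', OPERATOR, { hostname: 'gw.example.test', port: 8443 }).status,
  };
}
```

The point of the demo is the contrast between the two operator requests: the crafted configuration body is exactly what a non-JavaScript client can send, and the permission flag an attacker might add to the export request is never consulted. Client-side checks remain useful for user feedback; they contribute nothing to security.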