143 matches found
PT-2025-22563 · Schule · Schule
Name of the Vulnerable Software and Affected Versions: Schule versions prior to 1.0.1 Description: The issue concerns the Schule open-source school management system software, which relies on client-side JavaScript to redirect users to different panels based on their role. This implementation pos...
CVE-2024-52053 Stored Cross-Site Scripting in Wowza Streaming Engine
Stored Cross-Site Scripting in the Manager component of Wowza Streaming Engine below 4.9.1 allows an unauthenticated attacker to inject client-side JavaScript into the web dashboard to automatically hijack admin accounts...
CVE-2024-39332
Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server...
Webswing Security Vulnerability
Webswing is a specialized web server from the Webswing community for running Java Swing and JavaFX based applications in a web browser. A security vulnerability exists in Webswing version 23.2.2 that originates from a remote attacker who can modify client-side JavaScript code to enable path...
JAW - A Graph-based Security Analysis Framework For Client-side JavaScript
An open-source, prototype implementation of property graphs for JavaScript based on the esprima parser, and the EsTree SpiderMonkey Spec. JAW can be used for analyzing the client-side of web applications and JavaScript-based programs. This project is licensed under GNU AFFERO GENERAL PUBLIC LICEN...
PT-2024-23259 · Sap Se · Sap Business Connector
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server...
phpMyFAQ stored Cross-site Scripting at user email
Summary: The email field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's FILTER_VALIDATE_EMAIL function, which only validates the email format, not its content. This vulnerability enables an attacker to execute arbitrary client-side JavaScript...
GHSA-HM8R-95G3-5HJ9 phpMyFAQ Stored Cross-site Scripting at File Attachments
Summary: An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks. Details: When attachments are uploaded without an extension, the application renders it as HTML by default. Therefore...
CVE-2024-27300
phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The email field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's FILTER_VALIDATE_EMAIL function, which only validates the email format, not...
CVE-2024-27300
Summary: CVE-2024-27300 affects phpMyFAQ; the vulnerability is a stored XSS in the user email field caused by inadequate validation from PHP’s FILTER_VALIDATE_EMAIL. An attacker can inject JavaScript that is stored and later rendered in another user’s session. The issue is documented across multi...
Cross site scripting
MeshCentral is a full computer management web site. Versions prior to 1.1.21 contain a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is...
CVE-2024-26135 MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
MeshCentral is a full computer management web site. Versions prior to 1.1.21 contain a cross-site websocket hijacking (CSWSH) vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is...
PYSEC-2023-264
Apache Airflow, versions 2.6.0 through 2.7.3, has a stored XSS vulnerability that allows a DAG author to add unbounded and unsanitized JavaScript in the parameter description field of the DAG. This JavaScript can be executed on the client side of any user who looks at the tasks in the...
PT-2023-8379 · Apache · Apache Airflow
Name of the Vulnerable Software and Affected Versions: Apache Airflow versions 2.6.0 through 2.7.3 Description: The issue is related to a stored XSS vulnerability that allows a DAG author to add unbounded and not-sanitized JavaScript in the parameter description field of the DAG. This JavaScript...
Pimcore Admin Login Cross-Site Scripting
Pimcore is an open-source enterprise software written in PHP and offering multiple features like product information, customer data, digital assets or content management. Pimcore versions before 10.5.21 suffer from a Cross-Site Scripting XSS vulnerability in the admin panel login through the...
engine Trust Management Gaps
Internet Reservation Module Booking Engine is a booking platform. A trust management issue vulnerability exists in IRM Next Generation booking engine, which arises from the use of HMAC tokens to authenticate requests, but these tokens are exposed in JavaScript files loaded by the client...
Mozilla: Stored XSS on bugzilla.mozilla.org via comment edit feature from non-admin to admin.
A stored XSS vulnerability was discovered on the comment edit feature of bugzilla.mozilla.org. This allowed an attacker to execute malicious JavaScript code when an admin attempted to edit a comment. The vulnerability was reported and a bug report was filed...
IBM CICS TX Standard and Advanced Cross-Site Scripting Vulnerability
IBM CICS TX Advanced is a comprehensive, single transaction runtime package from IBM USA. It can provide a cloud-native deployment model for standalone applications. A cross-site scripting vulnerability exists in all versions of IBM CICS TX Advanced, which stems from the program's lack of data...