CandidATS 3.0.0 - Cross-Site Scripting

CandidATS 3.0.0 contains a cross-site scripting vulnerability via the page parameter of the ajax.php resource. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

Extreme Management Center 8.4.1.24 - Cross-Site Scripting

Extreme Management Center 8.4.1.24 contains a cross-site scripting vulnerability via a parameter in a GET request. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

WordPress Tutor LMS <2.0.10 - Cross Site Scripting

WordPress Tutor LMS plugin before 2.0.10 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape the resetkey and userid parameters before outputting then back in attributes. An attacker can inject arbitrary script in the browser of an unsuspecting user in the conte...

OpenCATS 0.9.6 - Cross-Site Scripting

OpenCATS 0.9.6 contains a cross-site scripting vulnerability via the joborderID parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch...

WordPress FlatPM <3.0.13 - Cross-Site Scripting

WordPress FlatPM plugin before 3.0.13 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape certain parameters before outputting them back in pages, which can be exploited against high privilege users such as admin. An attacker can steal cookie-based authenticatio...

HPE System Management - Cross-Site Scripting

HPE System Management contains a cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other...

Cross-site Request Forgery (CSRF)

Overview rwsdk is a Build fast, server-driven webapps on Cloudflare with SSR, RSC, and realtime Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the serverAction process. An attacker can trigger unauthorized state changes or actions by inducing an...

RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions

Summary Server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. Impact An attacker who controls any origin the browser...

GHSA-HFF2-GCPX-8F4P Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery

Impact In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Request Sharing CORS protocol, th...

CVE-2026-21788

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credential...

Adobe Commerce 跨站脚本漏洞

Adobe Commerce is the United States of America Odobie Adobe company's a business and brand-oriented global leader in digital commerce solutions. Adobe Commerce suffers from a cross-site scripting vulnerability that is caused by improper validation of user-supplied input. An attacker could exploit...

Adobe Experience Manager cross-site scripting vulnerability (CNVD-2025-30926)

Adobe Experience Manager AEM is a set of content management solutions that can be used to build websites, mobile applications and forms from the American company Odobie Adobe. The program supports mobile content management, marketing and sales campaign management and multi-site management. A...

Cross-site scripting vulnerability in multiple Mozilla products (CNVD-2025-24632)

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the U.S.A. Mozilla Firefox ESR is an extended support version of Firefox the web browser.Mozilla Thunderbird is email client software that supports the IMAP and POP mail protocols as well as the HTML mail format. A...

EUVD-2013-0993

Malware in sbrugna...

appRain CMF 跨站脚本漏洞

appRain CMF is a content management framework from appRain Canada. appRain CMF suffers from a cross-site scripting vulnerability that is caused by improper validation of user input in the /apprain/developer/language/lipsum.xml endpoint. An attacker could use this vulnerability to steal the victim...

Cross-Site Request Forgery

Cross-Site Request Forgery CSRF is a confused deputy attack where the attacker causes the browser to send a request to a target using the ambient authority of the user’s cookies or network position.1 For example, attacker.example can serve the following HTML to a victim and the browser will send ...

Security Bulletin: IBM Jazz Reporting Services is vulnerable to a to cross-site scripting (CVE-2020-4051)

Summary Cross-site scripting has been identified in dojo library shipped with IBM Jazz Reporting Services JRS. JRS has addressed the issues by releasing a fix Vulnerability Details CVEID:CVE-2020-4051 DESCRIPTION: Dijit is vulnerable to cross-site scripting, caused by improper validation of...

Security Bulletin: Vulnerabilities in Golang Go affect Cloud pak System [CVE-2023-39319, CVE-2023-39318]

Summary Vulnerabilities in Golang Go affect Cloud Pak System Software. Vulnerability Details CVEID:CVE-2023-39319 DESCRIPTION: Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this...

Security Bulletin: Vulnerability in Jinja affects IBM Process Mining CVE-2024-34064

Summary There is a vulnerability in Jinja that could allow an attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerabili...

CVE-2024-30112 HCL Connections is vulnerable to a cross-site scripting (XSS) vulnerability

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials...