5 matches found
CVE-2025-63693
CVE-2025-63693 affects DzzOffice 2.3.x. The vulnerability resides in the comment editing template (dzz/comment/template/edit_form.htm), which does not adequately escape user-controllable data across HTML and JavaScript contexts. This can allow low-privilege attackers to craft comment content or r...
GHSA-FF6V-W58F-V97W XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right
Impact When a user without script right creates a document with an XWiki.Notifications.Code.NotificationEmailRendererClass object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as whi...
XSS on several select lists
Steps to reproduce: -Create a new issue type -Add "alert'Issue name' as Issue name mind the qoute at the beginning -Add "alert'Issue desc' as Issue Description -Add /images/icons/issuetypes/genericissue.png "alert'Issue icon' as Issue Icon -Make sure that this issue type is available on your...
Openemr-4.1.0 - SQL Injection
Exploit Title: Openemr-4.1.0 SQL injection Vulnerability Date: 2011/10/18 Author: I2sec-dae jin Oh Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download Vendor : www.open-emr.com Version: Openemr-4.1.0 Tested on: Windows 7...
Seperate label permissions from edit issue permission
In 3.11 the labels plugin changed so that manipulating labels required the "Edit Issue" permission. This drastically impacted our organizations workflow, as we'd just introduced labels in our previous upgrade, and we don't give "edit issues" to all users, but we do want all authenticated users to...