Cross-Site Scripting (XSS)
pimcore is vulnerable to cross-site scripting. The vulnerability exists in User/Roles because the path column in Users' Workspaces is not properly escaped, allowing an attacker to inject and execute an XSS payload in documents, assets and data objects...
WP < 6.0.2 - Reflected Cross-Site Scripting
Description: The plugin's deactivation and deletion error messages are not escaped when output in the plugins screen, which could lead to reflected cross-site scripting...
Cross site scripting
The package whoogle-search before 0.7.2 is vulnerable to cross-site scripting (XSS) via the query string parameter q. In the case where it does not contain the http string, it is used to build the error message that is then rendered in the error.html template, using the flask.render_template functio...
Code injection
An issue was discovered in MediaWiki before 1.35.7, 1.36.x and 1.37.x before 1.37.3, and 1.38.x before 1.38.1. XSS can occur in configurations that allow a JavaScript payload in a username. After account creation, when it sets the page title to "Welcome" followed by the username, the username is...
Insecure Signature Verification
jsrsasign is vulnerable to insecure signature verification. The vulnerability exists because the library does not properly validate the JWS or JWT signature with non-Base64URL encoding special characters or number escaped characters such as !@$% or \11...
Cross-site Scripting vulnerability in Jenkins
Since Jenkins 2.321 and LTS 2.332.1, the HTML output generated for new symbol-based SVG icons includes the title attribute of l:ionicon until Jenkins 2.334 and alt attribute of l:icon since Jenkins 2.335 without further escaping. This vulnerability is known to be exploitable by attackers with...
WordPress Quotes llama plugin cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin. WordPress Quotes llama plugin 0.7 and earlier versions have a cross-site scripting vulnerability that...
Cross site scripting
The Poll Maker WordPress plugin before 4.0.2 does not sanitise and escape some settings, which could allow high-privilege users such as admin to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed...
GHSA-6Q5M-22MQ-Q2XV Istio Authorization Bypass Vulnerability
Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path-based authorization rules are used...
Stored XSS vulnerability in Jenkins Liquibase Runner Plugin
Liquibase Runner Plugin 1.4.5 and earlier does not escape changeset contents when showing them on the build page. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide Liquibase changesets evaluated by the plugin. Liquibase Runner Plugin 1.4.7 no...
Improper masking of some secrets in Jenkins Credentials Binding Plugin
Credentials Binding Plugin allows specifying passwords and other secrets as environment variables, and will hide them from console output in builds. As a side effect of the fix for SECURITY-698, $ characters in secrets are escaped to $$. This will then be expanded to $ again once the secret is...
GHSA-F4GQ-7HVF-FJM3 Stored XSS vulnerability in Jenkins RapidDeploy Plugin
RapidDeploy Plugin 4.2 and earlier does not escape package names in its displayed table of packages obtained from a remote server. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users able to configure jobs. RapidDeploy Plugin 4.2.1 escapes package names...
GHSA-79RM-F26G-296P Jenkins Maven Release Plugin vulnerable to Cross-site Scripting
A stored cross-site scripting vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier allowed attackers to inject arbitrary HTML and JavaScript in the plugin-provided web pages in Jenkins. Variables on affected views are now escaped...
mediawiki -- multiple vulnerabilities
Mediawiki reports: T308471 Username is not escaped in the "welcomeuser" message. T308473 Username not escaped in the contributions-title message. T309377, CVE-2022-29248 Update "guzzlehttp/guzzle" to version 6.5.6. T311384, CVE-2022-27776 Update "guzzlehttp/guzzle" to 6.5.8/7.4.5...
CVE-2021-34590
Bender/ebee Charge Controllers in multiple versions are prone to cross-site scripting. An authenticated attacker could write HTML code into configuration values. These values are not properly escaped when displayed...
CVE-2021-34590 Bender Charge Controller: Cross-site Scripting
Bender/ebee Charge Controllers in multiple versions are prone to cross-site scripting. An authenticated attacker could write HTML code into configuration values. These values are not properly escaped when displayed...
GHSA-HPX4-XJP7-M4VR Stored cross-site scripting in Snipe-IT
Snipe-IT prior to version 5.4.3 is vulnerable to stored cross-site scripting because the input to the checked_out_to parameter is not escaped. The vulnerability is capable of stealing a user's cookie...
Stored Cross Site Scripting vulnerability in the checked_out_to parameter
Description: The checked_out_to parameter is not escaped, which leads to an XSS problem. Proof of Concept: 1. Log in to the demo account. 2. Open Reports - Depreciation Report. 3. Choose an asset, go to the Assets menu and check it out; create a new location named '" and check the asset out to this location. 4. Return to...
Cross-site Scripting (XSS)
An XSS issue was discovered in MediaWiki before 1.35.6, 1.36.x before 1.36.4, and 1.37.x before 1.37.2. The widthheight, widthheightpage, and nbytes properties of messages are not escaped when used in galleries or Special:RevisionDelete...
WordPress Delete Old Orders plugin cross-site scripting vulnerability
WordPress is the WordPress Foundation's blogging platform developed using the PHP language. The platform lets users with a PHP and MySQL server set up a personal blog site. WordPress plugin is an open-source WordPress application plugin. A cross-site scripting vulnerability exists in WordPress...