
1007 matches found

Node.js
added 2019/06/18 9:54 p.m., 20 views

Cross-Site Scripting

Overview: Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting (XSS). The package allows HTML code in the swagger.apiInfo.description value without proper sanitization, which may allow attackers to execute arbitrary JavaScript. Recommendation: Upgrade to version 2.2.1 or later...

AI score: 6.7
Exploits: 0 | Affected Software: 1
Prion
added 2019/06/12 3:29 p.m., 12 views

Code injection

An authenticated attacker in SAP E-Commerce Business-to-Consumer application, versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even...

CVSS: 3.5 | AI score: 6.6 | EPSS: 0.00221
Exploits: 0 | References: 2 | Affected Software: 1
Github Security Blog
added 2019/05/30 5:23 p.m., 27 views

Cross-Site Scripting in bootbox

All versions of bootbox are vulnerable to Cross-Site Scripting. The package does not sanitize user input in the provided dialog boxes, allowing attackers to inject HTML code and execute arbitrary JavaScript. Recommendation: Sanitize user input being passed to bootbox or consider using an alternativ...

AI score: 5.4
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2019/05/22 7:33 p.m., 13 views

CVE-2018-7827

A Cross-Site Scripting (XSS) vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera through which a remote attacker can execute arbitrary HTML and script code in a user’s browser session...

AI score: 5.3 | EPSS: 0.00227
Exploits: 1 | References: 1
CVE
added 2019/04/29 3:32 p.m., 45 views

CVE-2019-3562

CVE-2019-3562 details (from connected records): a remote HTML-injection flaw in the Oculus Browser affecting versions 5.2.7–5.7.11, allowing a malicious page to spoof the UI and potentially execute code. The documents do not provide remediation steps or confirmation of exploitation in the wild; n...

CVSS: 6.1 | AI score: 6.4 | EPSS: 0.00371
Exploits: 0 | References: 1 | Affected Software: 1
Hacker One
added 2019/04/23 8:15 p.m., 13 views

ok.ru: [okl.lt] Disclosure of administrator functions in .js + ability to use these functions.

@iframe reported insufficient authorization at okl.lt which allowed regular users to perform actions intended to be accessible to administrators only. This vulnerability was aggravated by the fact that the administrators-only API could be reverse-engineered from the HTML code...

AI score: 2.9
Exploits: 0
NVD
added 2019/04/07 3:29 p.m., 13 views

CVE-2019-10741

K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within digitally signed reply messages. The quoted part can contain conditional statements that show completely different text if opened in a different email client. This can be abused by an...

CVSS: 4.3 | AI score: 4.8 | EPSS: 0.0025
Exploits: 0 | References: 1
Prion
added 2019/04/07 3:29 p.m., 15 views

Design/Logic Flaw

K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within digitally signed reply messages. The quoted part can contain conditional statements that show completely different text if opened in a different email client. This can be abused by an...

CVSS: 4.3 | AI score: 4.9 | EPSS: 0.0025
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2019/04/07 2:37 p.m., 16 views

CVE-2019-10741

K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within digitally signed reply messages. The quoted part can contain conditional statements that show completely different text if opened in a different email client. This can be abused by an...

AI score: 4.8 | EPSS: 0.0025
Exploits: 0 | References: 1
CVE
added 2019/04/07 2:37 p.m., 39 views

CVE-2019-10741

K-9 Mail 5.600 exposes a vulnerability where the original quoted HTML in a specially crafted benign-looking email included in (digitally signed) reply messages can contain conditional HTML that renders differently in another client. This can be abused to display content to a third party while pre...

CVSS: 4.3 | AI score: 4.7 | EPSS: 0.0025
Exploits: 0 | References: 1 | Affected Software: 1
CNVD
added 2019/02/12 12:0 a.m., 1 views

Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability (CNVD-2019-04920)

Cisco TelePresence Management Suite is a Cisco video server management program. A cross-site scripting vulnerability exists in Cisco TelePresence Management Suite, which can be exploited by remote attackers to inject malicious script or HTML code...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.00164
Exploits: 0 | References: 1
CNVD
added 2019/02/12 12:0 a.m., 16 views

Enphase Envoy Cross-Site Scripting Vulnerability

Enphase Envoy is a smart home referrer. The Enphase Envoy R3.. /home URI is vulnerable to cross-site scripting, which can be exploited by attackers to inject malicious scripts or HTML code...

CVSS: 6.1 | AI score: 1 | EPSS: 0.0024
Exploits: 1 | References: 1
RedhatCVE
added 2019/02/07 11:51 a.m., 25 views

CVE-2019-1003013

A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java,...

CVSS: 5.4 | AI score: 2.8 | EPSS: 0.00061
Exploits: 0 | References: 4
Prion
added 2019/02/04 7:29 p.m., 15 views

Cross site scripting

POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filterAutoExecuteCmd' parameter value in the view filter (filter.php) because proper filtration is omitted...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.0024
Exploits: 1 | References: 1 | Affected Software: 1
CNVD
added 2019/01/30 12:0 a.m., 2 views

Croogo cross-site scripting vulnerability (CNVD-2019-03589)

Croogo is a content management system (CMS) built on the CakePHP framework. The system provides customizable content types such as Blog, Node and Page, content editing using a WYSIWYG editor, and other features. A cross-site scripting vulnerability exists in Croogo 3.0.5 and earlier versions...

CVSS: 4.8 | AI score: 6.3 | EPSS: 0.00219
Exploits: 1 | References: 1
Prion
added 2019/01/29 6:29 p.m., 10 views

Cross site scripting

A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Blog field to /admin/nodes/nodes/add/blog...

CVSS: 3.5 | AI score: 4.9 | EPSS: 0.00219
Exploits: 1 | References: 1 | Affected Software: 1
Exploit DB
added 2019/01/09 12:0 a.m., 89 views

ZTE MF65 BD_HDV6MF65V1.0.0B05 - Cross-Site Scripting

Exploit Title: Reflected Cross-Site Scripting on ZTE MF65 Date: 01/09/2019 Exploit Author: Nathu Nandwani Website: http://nandtech.co/ Vendor Homepage: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483 Version: BDHDV6MF65V1.0.0B05 Tested on: Windows 10 x64 CVE:...

CVSS: 6.1 | AI score: 6.5 | EPSS: 0.00957
Exploits: 4
0day.today
added 2019/01/09 12:0 a.m., 62 views

ZTE MF65 BD_HDV6MF65V1.0.0B05 - Cross-Site Scripting Vulnerability

Exploit for hardware platform in category web applications Exploit Title: Reflected Cross-Site Scripting on ZTE MF65 Exploit Author: Nathu Nandwani Website: http://nandtech.co/ Vendor Homepage: http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1009483 Version:...

CVSS: 4.3 | EPSS: 0.00957
Exploits: 4
OSV
added 2018/11/21 10:19 p.m., 31 views

GHSA-G68X-VVQQ-PVW3 Ckeditor XSS Vulnerability

CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source-mode paste. It was possible to execute XSS inside the CKEditor source area after persuading the victim to: (i) switch CKEditor to source mode, then (ii) paste a specially crafted HTML code, prepared by the attacker, into the opene...

CVSS: 6.1 | AI score: 6.1 | EPSS: 0.02024
Exploits: 1 | References: 9
Check Point Advisories
added 2018/10/31 12:0 a.m., 2 views

Rockwell Automation Allen-Bradley CompactLogix Cross-Site Scripting (CVE-2016-2279)

A cross site scripting vulnerability has been reported in Rockwell Scada System. The vulnerability is due to lack of sanitization of user supplied input data. A remote attacker can exploit this vulnerability to execute arbitrary HTML and script code in a browser session in the context of the...

CVSS: 4.3 | AI score: 2.1 | EPSS: 0.00546
Exploits: 5