1017 matches found
GigToDo 1.3 - Cross-Site Scripting
GigToDo 1.3 - Cross-Site Scripting Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection Google Dork: - Date: 2019/07/28 Author: m0ze Vendor Homepage: https://www.gigtodoscript.com Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/238553...
Yahei-PHP Prober 0.4.7 HTML Injection
Yahei-PHP Prober v0.4.7 speed Remote HTML Injection Vulnerability Vendor: Yahei.Net Product web page: http://www.yahei.net Affected version: 0.4.7 Summary: Detection of system web server operating environment. Desc: Input passed to the GET parameter 'speed' is not properly sanitised before being...
Remote Code Execution
Overview Versions of markdown-pdf prior to 9.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize HTML code in markdown files. If markdown files with malicious HTML are converted to PDF, the resulting PDF file will execute any JavaScript code in the original markdown file...
Cross-Site Scripting
Overview Versions of swagger-ui prior to 2.2.1 are vulnerable to Cross-Site Scripting XSS. The package allows HTML code in the swagger.apiInfo.description value without proper sanitization, which may allow attackers to execute arbitrary JavaScript. Recommendation Upgrade to version 2.2.1 or later...
Code injection
An authenticated attacker in SAP E-Commerce Business-to-Consumer application, versions 7.3, 7.31, 7.32, 7.33, 7.54, can change the price of the product to zero and also checkout, by injecting an HTML code in the application that will be executed whenever the victim logs in to the application even...
Cross-Site Scripting in bootbox
All versions of bootbox are vulnerable to Cross-Site Scripting. The package does not sanitize user input in the provided dialog boxes, allowing attackers to inject HTML code and execute arbitrary JavaScript. Recommendation Sanitize user input being passed to bootbox or consider using an alternativ...
CVE-2018-7827
A Cross-Site Scripting XSS vulnerability exists in the 1st Gen. Pelco Sarix Enhanced Camera and Spectra Enhanced PTZ Camera whereby a remote attacker can execute arbitrary HTML and script code in a user’s browser session...
The vulnerability of the “Security Management Center” component of the Dr.Web Enterprise Security Suite allows a hacker to execute HTML code.
The vulnerability of the “Security Management Center” component of the Dr.Web Enterprise Security Suite exists due to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to inject arbitrary HTML code into the user’s browser by placin...
CVE-2019-3562
CVE-2019-3562 details (from connected records): a remote HTML-injection flaw in the Oculus Browser affecting versions 5.2.7–5.7.11, allowing a malicious page to spoof the UI and potentially execute code. The documents do not provide remediation steps or confirmation of exploitation in the wild; n...
ok.ru: [okl.lt] Disclosure of administrator functions in .js + ability to use these functions.
@iframe reported insufficient authorization at okl.lt which allowed regular users to perform actions intended to be accessible to administrators only. This vulnerability was aggravated by the fact that the administrators-only API could be reverse-engineered from the HTML code...
Design/Logic Flaw
K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within digitally signed reply messages. The quoted part can contain conditional statements that show completely different text if opened in a different email client. This can be abused by an...
CVE-2019-10741
K-9 Mail v5.600 can include the original quoted HTML code of a specially crafted, benign looking, email within digitally signed reply messages. The quoted part can contain conditional statements that show completely different text if opened in a different email client. This can be abused by an...
CVE-2019-10741
K-9 Mail 5.600 exposes a vulnerability where the original quoted HTML in a specially crafted benign-looking email included in (digitally signed) reply messages can contain conditional HTML that renders differently in another client. This can be abused to display content to a third party while pre...
Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability (CNVD-2019-04920)
Cisco TelePresence Management Suite is a Cisco video server management program. A cross-site scripting vulnerability exists in Cisco TelePresence Management Suite, which can be exploited by remote attackers to inject malicious script or HTML code...
Enphase Envoy Cross-Site Scripting Vulnerability
Enphase Envoy is a smart home energy gateway. The Enphase Envoy R3.. /home URI is vulnerable to cross-site scripting, which can be exploited by attackers to inject malicious scripts or HTML code...
CVE-2019-1003013
A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java,...
Cross site scripting
POST - Cross Site Scripting XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filterAutoExecuteCmd' parameter value in the view filter filter.php because proper input filtering is omitted...
Croogo cross-site scripting vulnerability (CNVD-2019-03589)
Croogo is a content management system (CMS) built on the CakePHP framework. The system provides customizable content types (Blog, Node, Page), content editing using a WYSIWYG editor, and other features. A cross-site scripting vulnerability exists in Croogo 3.0.5 and earlier versions...
Cross site scripting
A stored self-XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code via a vulnerable Blog field at /admin/nodes/nodes/add/blog...