
59 matches found

CNVD
added 2025/12/29 12:0 a.m. | 4 views

CMSimple Code Execution Vulnerability

CMSimple is a free content management system. CMSimple suffers from a code execution vulnerability that stems from the template editing feature not securely controlling and filtering the content of user-inputted code, resulting in logged-in users being able to inject malicious PHP code into...

CVSS 8.8 | AI score 7.6 | EPSS 0.0045
Exploits: 1 | References: 1

Snyk
added 2025/11/24 8:33 p.m. | 5 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

CVSS 9.8 | AI score 6.8
Exploits: 0 | References: 3

Cvelist
added 2024/11/07 11:25 a.m. | 22 views

CVE-2024-24914

Authenticated Gaia users can inject code or commands by global variables through special HTTP requests. A Security fix that mitigates this vulnerability is available...

CVSS 8 | EPSS 0.00238
Exploits: 0 | References: 1

CVE
added 2024/10/29 12:0 a.m. | 52 views

CVE-2024-48138

PluXml v5.8.16 and earlier is affected by a remote code execution (RCE) in the /PluXml/core/admin/parametres_edittpl.php component. The issue allows an attacker to inject a crafted payload into a template to execute arbitrary code. Connected documents corroborate the vulnerability in this specifi...

CVSS 9.8 | AI score 8.6 | EPSS 0.02884
Exploits: 0 | References: 1

NVD
added 2024/10/16 5:15 p.m. | 12 views

CVE-2024-10033

A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions a...

CVSS 6.1 | EPSS 0.01102
Exploits: 0 | References: 3

CVE
added 2024/10/16 4:59 p.m. | 66 views

CVE-2024-10033

CVE-2024-10033 is an XSS vulnerability in the aap-gateway component of Red Hat Ansible Automation Platform (automation-gateway). The associated Red Hat advisory RHSA-2024:8534 lists this issue among security fixes and notes an upgrade path for the platform (automation-gateway updated to 2.5.3). T...

CVSS 6.1 | AI score 5.6 | EPSS 0.01102
Exploits: 0 | References: 3 | Affected Software: 3

CVE
added 2024/08/16 12:0 a.m. | 48 views

CVE-2024-43005

CVE-2024-43005 describes a reflected XSS in ZZCMS v2023, specifically in the dl_liuyan_save.php component, enabling attackers to run arbitrary scripts in a user’s browser by injecting crafted payloads. Concretely, multiple sources confirm the vulnerability in the ZZCMS 2023 payload handling path....

CVSS 4.7 | AI score 6.2 | EPSS 0.00244
Exploits: 0 | References: 2 | Affected Software: 1

Veracode
added 2024/07/02 8:34 a.m. | 8 views

Prototype Pollution

che3vinci c3/utils-1 is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in the assign function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties...

CVSS 8.1 | AI score 7.7 | EPSS 0.00442
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2024/07/02 8:14 a.m. | 18 views

SUSE-SU-2024:2265-1 Security update for wireshark

This update for wireshark fixes the following issues:

Update to version 3.6.22:

- CVE-2024-4854: MONGO and ZigBee TLV dissector infinite loops bsc1224274
- CVE-2024-4853: The editcap command line utility could crash when chopping bytes from the beginning of a packet bsc1224259
- CVE-2024-4855: Th...

CVSS 7.5 | AI score 5.4 | EPSS 0.00292
Exploits: 2 | References: 7

Vulnrichment
added 2024/06/25 11:45 a.m. | 16 views

CVE-2024-28832 XSS in Crash Report Page

Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7, 2.2.0p28, 2.1.0p45, and 2.0.0 EOL allows users with permission to change Global Settings to execute arbitrary scripts by injecting HTML elements into the Crash Report URL in the Global Settings...

CVSS 4.8 | AI score 6.4 | EPSS 0.00645
Exploits: 0 | References: 1

RedHat Linux
added 2024/03/25 6:54 p.m. | 3 views

Mozilla: Privileged JavaScript Execution via Event Handlers

The Mozilla Foundation Security Advisory describes this flaw as: An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent process...

CVSS 8.4 | AI score 7.6 | EPSS 0.01405
Exploits: 0 | References: 5

CNNVD
added 2024/03/07 12:0 a.m. | 1 views

School Fees Management System Security Breach

School Fees Management System is a tuition management system. A security vulnerability exists in School Fees Management System version 1.0. An attacker can exploit this vulnerability to execute arbitrary web script or HTML via a specially crafted payload that injects the name parameter...

CVSS 4.7 | AI score 6.7 | EPSS 0.00199
Exploits: 1 | References: 3

CNVD
added 2024/03/06 12:0 a.m. | 14 views

Online Mobile Store Management System Cross-Site Scripting Vulnerability

Online Mobile Store Management System is an online mobile store management system. A cross-site scripting vulnerability exists in Online Mobile Store Management System version 1.0, which stems from the lack of effective filtering and escaping of user-supplied data in the /?p=products file, and ca...

CVSS 6.1 | AI score 5.2 | EPSS 0.00169
Exploits: 1 | References: 1

RedhatCVE
added 2024/01/03 5:3 p.m. | 28 views

CVE-2024-0210

A flaw was found in the TLV dissector of Wireshark. It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file...

CVSS 5.5 | AI score 7.4 | EPSS 0.00074
Exploits: 1 | References: 4

OSV
added 2023/09/15 1:15 a.m. | 14 views

CVE-2023-40984

A reflected cross-site scripting (XSS) vulnerability in the File Manager function of Webmin v2.100 allows attackers to execute malicious scripts via injecting a crafted payload into the Replace in Results file...

CVSS 5.4 | AI score 5.9 | EPSS 0.00277
Exploits: 1 | References: 2

NVD
added 2023/09/07 10:15 p.m. | 16 views

CVE-2023-41161

Multiple stored cross-site scripting (XSS) vulnerabilities in Usermin 2.000 allow remote attackers to inject arbitrary web script or HTML via the key comment to different pages such as public key details, Export key, sign key, send to key server page, and fetch from key server page tab...

CVSS 5.4 | AI score 5.4 | EPSS 0.00148
Exploits: 0 | References: 2

Cvelist
added 2023/09/05 12:0 a.m. | 9 views

CVE-2023-34637

A stored cross-site scripting (XSS) vulnerability in IsarNet AG IsarFlow v5.23 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the dashboard title parameter in the IsarFlow Portal...

AI score 5.4 | EPSS 0.00132
Exploits: 1 | References: 1

CNVD
added 2023/08/03 12:0 a.m. | 12 views

Simple Online Mens Salon Management System Cross-Site Scripting Vulnerability

Simple Online Mens Salon Management System is an open source men's salon management system. Simple Online Mens Salon Management System v1.0 has a cross-site scripting vulnerability, which stems from the file /admin/?page=user/list parameter First Name/Last Name/Username on the...

CVSS 4.8 | AI score 6.3 | EPSS 0.00082
Exploits: 1 | References: 1

Huntr
added 2023/02/20 10:32 p.m. | 12 views

XSS on external links bypass filters

Description: I recently found a bypass for external links that allows an attacker to inject javascript into external links. Proof of Concept: As an admin user, go to /front/link.form.php?id=1. Using a special character before the javascript:alert1 this bypasses the filters and the protocol still works...

AI score 6.7
Exploits: 0 | References: 1

Prion
added 2022/11/29 9:15 p.m. | 13 views

Cross site scripting

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during a forum response in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible...

CVSS 4.9 | AI score 5.2 | EPSS 0.01797
Exploits: 0 | References: 2