190 matches found
CVE-2022-2140 Elcomplus SmartICS Cross-site Scripting
Elcomplus SmartICS v2.3.4.0 does not neutralize user-controllable input, which allows an authenticated user to inject arbitrary code into specific parameters...
CVE-2022-27777
CVE-2022-27777 : Rails contains an XSS vulnerability in Action View tag helpers that could allow an attacker to inject content when they can control input in specific attributes. The issue is confirmed across multiple sources (Rails ecosystem advisories and debian/security notes) and is tied to t...
GHSA-WGW2-GW4V-9W4J Improper Neutralization of Input During Web Page Generation in Apache Solr
Cross-site scripting XSS vulnerability in the Admin UI Plugin / Stats page in Apache Solr 4.x before 4.10.3 allows remote attackers to inject arbitrary web script or HTML via the fieldvaluecache object...
Input validation
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV340 and RV345 Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to...
CVE-2022-23799
CVE-2022-23799 affects Joomla! 4.0.0–4.1.0. The issue arises in JInput where, under certain conditions, input bags are polluted with $_REQUEST data, potentially impacting confidentiality, integrity, and availability. The connected sources confirm the affected range and the root cause (JInput poll...
PT-2022-16980 · Ipcomm · Ipcomm Ipdio +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The absence of filters when loading some sections in the web application of the vulnerable device allows attackers to inject malicious code that will be...
DEBIAN-CVE-2022-24300
Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection...
CVE-2021-36348
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC...
CVE-2021-36348
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC...
Design/Logic Flaw
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC...
CVE-2021-36348
CVE-2021-36348 affects Dell EMC iDRAC9 before version 5.00.20.00, where an input-injection vulnerability allows a remote authenticated low-privilege attacker to cause information disclosure or DoS by sending specially crafted input data. Affected component is iDRAC9 input handling; root cause is ...
CVE-2021-36348
iDRAC9 versions prior to 5.00.20.00 contain an input injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to iDRAC...
CVE-2021-44042
An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed when the injected content...
jetty: buffer not correctly recycled in Gzip Request inflation
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that ...
CVE-2021-41316
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker with permissions to add or edit jobs run by this utility can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector...
CVE-2021-41316
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker with permissions to add or edit jobs run by this utility can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector...
CVE-2021-34746
A vulnerability in the TACACS+ authentication, authorization and accounting AAA feature of Cisco Enterprise NFV Infrastructure Software NFVIS could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to...
CVE-2021-20681
Improper neutralization of JavaScript input in the page editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS. The transfer state is serialised with the JSON.stringify function and then written into the HTML page. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a...
jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
A Cross-site scripting XSS vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the ‘HTML’ function to inject Javascript into the page where that input is rendered, and have it delivered by the browser...