Lucene search

83 matches found

Positive Technologies
added 2025/01/22 12:00 a.m. · 2 views

PT-2025-4959 · Dforms · Dforms

Name of the Vulnerable Software and Affected Versions: dForms versions n/a through 1.0 Description: The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows Reflected XSS. This enables potential attackers to inject...

CVSS 7.1 · AI score 8.9 · EPSS 0.00363
Exploits: 0 · References: 3
Positive Technologies
added 2025/01/16 12:00 a.m. · 2 views

PT-2025-5149 · Unknown · Rollover Tab

Name of the Vulnerable Software and Affected Versions: Rollover Tab versions 1.3.2 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows stored Cross-site Scripting (XSS). This means an attacker can inject malicious scripts into t...

CVSS 6.5 · AI score 8.9 · EPSS 0.00357
Exploits: 0 · References: 3
Positive Technologies
added 2024/12/16 12:00 a.m. · 2 views

PT-2024-36128 · Unknown · Jules Colle Advanced Options Editor

Name of the Vulnerable Software and Affected Versions: Jules Colle Advanced Options Editor versions n/a through 1.0 Description: The issue is related to improper neutralization of input during web page generation, also known as Cross-site Scripting (XSS), which allows Reflected XSS. This problem ca...

CVSS 7.1 · AI score 6.1 · EPSS 0.00265
Exploits: 0 · References: 5
OSV
added 2024/12/05 4:15 p.m. · 1 views

DEBIAN-CVE-2024-54001

Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields application_language, application_date_format, application_timezone and application_time_format allow arbitrary user input which is reflected...

CVSS 5.5 · AI score 5.4 · EPSS 0.00374
Exploits: 1 · References: 1
Positive Technologies
added 2024/11/19 12:00 a.m. · 2 views

PT-2024-35000 · Elementor · Ultimate Flipbox Addon For Elementor

Name of the Vulnerable Software and Affected Versions: Ultimate Flipbox Addon for Elementor versions 1.0.3 and earlier Description: The issue affects the Ultimate Flipbox Addon for Elementor, allowing Stored XSS due to improper neutralization of input during web page generation. This is a critica...

CVSS 6.5 · AI score 6.2 · EPSS 0.00302
Exploits: 0 · References: 5
SUSE CVE
added 2024/11/02 3:50 a.m. · 1 views

SUSE CVE-2024-47067

AList is a file list program that supports multiple storages. AList contains a reflected cross-site scripting vulnerability in helper.go. The endpoint /i/:linkname takes in a user-provided value and reflects it back in the response. The endpoint returns an application/xml response, opening it up ...

CVSS 6.1 · AI score 5.7 · EPSS 0.00387
Exploits: 1 · References: 5
Snyk
added 2024/06/02 10:32 p.m. · 2 views

Cross-site Scripting

Overview Affected versions of this package are vulnerable to Cross-site Scripting through the dynamic setting of form legends in administrative interfaces. An attacker can execute arbitrary scripts in the context of the administrator's session by injecting malicious content into form fields that...

CVSS 9.3 · AI score 5.7 · EPSS 0.00349
Exploits: 0 · References: 2
OSV
added 2024/04/18 10:15 a.m. · 1 views

CVE-2024-32567

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress allows Reflected XSS. This issue affects DirectoryPress: from n/a through 3.6.7...

CVSS 6.1 · AI score 5.8
Exploits: 0 · References: 1
Positive Technologies
added 2024/03/29 12:00 a.m. · 6 views

PT-2024-23373 · Ghozylab · Web Icons

Name of the Vulnerable Software and Affected Versions: GhozyLab, Inc. Web Icons versions n/a through 1.0.0.10 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker...

CVSS 6.5 · AI score 9.1 · EPSS 0.00351
Exploits: 0 · References: 5
Positive Technologies
added 2023/12/29 12:00 a.m. · 4 views

PT-2023-31805 · Unknown · Brizy – Page Builder

Name of the Vulnerable Software and Affected Versions: Brizy – Page Builder versions 2.4.29 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can...

CVSS 6.5 · AI score 6.8 · EPSS 0.00321
Exploits: 0 · References: 8
OSV
added 2023/12/07 5:15 a.m. · 6 views

PYSEC-2023-260

A reflected Cross-Site Scripting (XSS) vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the us...

CVSS 6.1 · AI score 6.3 · EPSS 0.01649
Exploits: 1 · References: 4
Snyk
added 2023/08/03 6:30 p.m. · 1 views

Cross-site Scripting (XSS)

Overview org.craftercms:crafter-engine is a Crafter Content Delivery Engine. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via API endpoints that reflect some input parameter and produce XML responses. An attacker can inject malicious scripts by sending crafted...

CVSS 7.4 · AI score 5.3 · EPSS 0.01304
Exploits: 2 · References: 2
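Several entries above share one root cause: a request value (the `/i/:linkname` path segment in AList, a query parameter in Crafter Engine, the Content-Type header in MLflow, a settings field in Kanboard) is written into a response body without output encoding for that body's context. The AList and Crafter Engine entries are worth a closer look because the response is application/xml, which many people assume cannot carry script; a browser rendering XML will still execute a `<script>` element placed in the XHTML namespace. The block below is an added example written for this listing, not code from any of those projects: the function names, the `<link><name>` document and the error-page markup are hypothetical stand-ins for the patterns the entries describe, and the two payloads are constructed, not captured traffic.

```python
"""Output encoding for reflected and stored values, in HTML and XML contexts.

Added example for this listing; it is not code from AList, Crafter Engine,
MLflow or Kanboard, whose sources are not shown here. Function names and the
response layouts are hypothetical stand-ins for the patterns those entries describe.
"""
import html
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Constructed inputs, not captured traffic.
# An XML response is a script sink too: a browser rendering application/xml
# executes <script> inside an element from the XHTML namespace.
XML_PAYLOAD = '<x xmlns="http://www.w3.org/1999/xhtml"><script>alert(1)</script></x>'
# The MLflow entry reflects the Content-Type header; an echoed header or a
# stored settings field (the Kanboard entry) behaves the same way in an HTML body.
HEADER_PAYLOAD = 'text/html<script>alert(document.domain)</script>'


def vulnerable_xml_link(linkname: str) -> str:
    """Pattern from the AList and Crafter Engine entries: a request value is
    concatenated into an application/xml body unchanged."""
    return f'<?xml version="1.0"?><link><name>{linkname}</name></link>'


def safe_xml_link(linkname: str) -> str:
    """Same response with the value escaped as XML character data (&, <, >)."""
    return f'<?xml version="1.0"?><link><name>{xml_escape(linkname)}</name></link>'


def vulnerable_error_page(content_type: str) -> str:
    """Pattern from the MLflow entry: a request header echoed into an HTML error page."""
    return f"<html><body>Unsupported Content-Type: {content_type}</body></html>"


def safe_error_page(content_type: str) -> str:
    """Same page with HTML entity encoding; quote=True also covers attribute contexts."""
    escaped = html.escape(content_type, quote=True)
    return f"<html><body>Unsupported Content-Type: {escaped}</body></html>"


def xml_name_contents(body: str) -> tuple[str, list[str]]:
    """Parse a response the way an XML consumer (or browser) would and report
    what ended up inside <name>: its text and the tags of any child elements.
    Attacker markup that survived as elements rather than text is the bug."""
    name = ET.fromstring(body).find("name")
    return name.text or "", [child.tag for child in name]


if __name__ == "__main__":
    _, children = xml_name_contents(vulnerable_xml_link(XML_PAYLOAD))
    print("vulnerable XML, child elements:", children)   # the XHTML <x> element survived
    text, children = xml_name_contents(safe_xml_link(XML_PAYLOAD))
    print("escaped XML, text round-trips:", text == XML_PAYLOAD, "children:", children)
    print("escaped HTML:", safe_error_page(HEADER_PAYLOAD))
```

The check in `xml_name_contents` is the useful part for a reviewer: run it against a real response and the payload should come back as the element's text, never as child elements. The same discipline applies to the error-page case, except that the encoder must match the context the value lands in (HTML body, attribute, JavaScript string, XML character data), which is why a single "sanitize on input" step does not fix any of these entries.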
Huntr
added 2022/11/04 12:45 a.m. · 27 views

XSS and CSP bypass in app.diagrams.net

Description: The application reflects an input from the URL without sanitizing it. With a CSP bypass from apis.google.com it's possible to execute JavaScript code. Proof of Concept...

CVSS 5.8 · AI score 0.4 · EPSS 0.00624
Exploits: 1
OSV
added 2022/06/13 1:15 p.m. · 2 views

CVE-2022-1773

The WP Athletics WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting back in an admin page, leading to a Reflected Cross-Site Scripting...

CVSS 6.1 · AI score 5.8 · EPSS 0.00739
Exploits: 2 · References: 1
OSV
added 2022/06/09 5:15 p.m. · 1 views

DEBIAN-CVE-2022-28614

The ap_rwrite function in Apache HTTP Server 2.4.53 and earlier may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite or ap_rputs, such as with mod_lua's r:puts function. Modules compiled and distributed separately from Apache HTTP Server that use t...

CVSS 5.3 · AI score 7 · EPSS 0.04398
Exploits: 0 · References: 1
OSV
added 2021/11/08 9:15 p.m. · 1 views

CVE-2021-40260

Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCodester Tailor Management 1.0 via the (1) eid parameter in (a) partedit.php and (b) customeredit.php, the (2) id parameter in (a) editmeasurement.php and (b) addpayment.php, and the (3) error parameter in index.php...

CVSS 6.1 · AI score 5.8
Exploits: 0 · References: 1
OSV
added 2021/10/05 3:15 p.m. · 2 views

CVE-2021-41555

In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), XSS occurs in /archibus/dwr/call/plaincall/workflow.runWorkflowRule.dwr because the data received as input from clients is re-included within the HTTP response returned by the application without adequate validation. In this way, if HTML cod...

CVSS 6.1 · AI score 5.9 · EPSS 0.00745
Exploits: 0 · References: 1
Hacker One
added 2020/11/05 8:22 a.m. · 35 views

BugPoC: Solution to the XSS Challenge

Summary: This challenge is very tricky and advanced. I have reached a part where I can execute my JS code, but that payload is blocked as of now by "allow-modals" missing value in the "sandbox" attribute. Following is a better explanation of where I am right now. Steps To Reproduce: 1. Keep the...

AI score 7.3
Exploits: 0
OSV
added 2020/04/17 7:15 p.m. · 2 views

CVE-2020-5729

In OpenMRS 2.9 and prior, the UI Framework Error Page reflects arbitrary, user-supplied input back to the browser, which can result in XSS. Any page that is able to trigger a UI Framework Error is susceptible to this issue...

CVSS 6.1 · AI score 6.3 · EPSS 0.01143
Exploits: 1 · References: 1
Prion
added 2020/02/25 4:15 p.m. · 14 views

Command injection

An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can...

CVSS 6.5 · AI score 8.8 · EPSS 0.05136
Exploits: 1 · References: 1 · Affected Software: 1
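The Moxa entry is the one non-XSS result in this list, but the mechanism is the same "reflect untrusted input into a sink" pattern with a shell as the sink: a server-IP setting is interpolated into a command string that iw_system later hands to a shell, so shell metacharacters in the value become a second command. The block below is an added example written for this listing, not the firmware's code (which is C and not shown here); `iw_set_server` is a hypothetical helper binary standing in for whatever the real iw_system call runs, and the injected value is constructed. It shows the tokens a POSIX shell would see, then the two controls that close the bug: validate the value as a literal IPv4 address, and pass it as its own argv element so no shell parses it at all.

```python
"""Command injection through a device-setting parameter: vulnerable vs. validated.

Added example for the Moxa AWK-3131A entry in this listing; it is not the
firmware's code. 'iw_set_server' is a hypothetical helper binary standing in
for whatever the real iw_system() call runs.
"""
import ipaddress
import shlex
import subprocess

# Constructed attacker input: a valid address followed by a second command.
INJECTED_IP = "192.0.2.1; reboot"


def vulnerable_command(server_ip: str) -> str:
    """Pattern the entry describes: the parameter is interpolated into a
    command string that a shell later parses (as with system(3))."""
    return f"iw_set_server {server_ip}"


def shell_words(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, keeping
    operators such as ';', '|' and '&' as their own tokens, so the injected
    second command becomes visible without running anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_valid_server_ip(server_ip: str) -> bool:
    """Allow-list check: the value must be exactly one IPv4 address."""
    try:
        ipaddress.IPv4Address(server_ip.strip())
    except ValueError:
        return False
    return True


def build_argv(server_ip: str) -> list[str]:
    """Hardened form: accept only a literal IPv4 address and pass it as a
    separate argv element, so no shell ever sees the value."""
    if not is_valid_server_ip(server_ip):
        raise ValueError(f"rejected server IP {server_ip!r}")
    return ["iw_set_server", str(ipaddress.IPv4Address(server_ip.strip()))]


def apply_server_ip(server_ip: str) -> subprocess.CompletedProcess:
    """Run the helper with shell=False (the subprocess default). Only reachable
    with a validated address; not called in this demo because the binary is hypothetical."""
    return subprocess.run(build_argv(server_ip), check=True, capture_output=True)


if __name__ == "__main__":
    print(shell_words(vulnerable_command(INJECTED_IP)))   # ['iw_set_server', '192.0.2.1', ';', 'reboot']
    print(build_argv("192.0.2.1"))                         # ['iw_set_server', '192.0.2.1']
    print(is_valid_server_ip(INJECTED_IP))                 # False
```

Note that the validation alone is not the fix: `shell_words` shows why quoting or blocklisting metacharacters is fragile, and the argv form removes the shell from the path entirely, which is the control that holds even if a future firmware version widens the accepted value (hostnames, IPv6) and the allow-list has to grow.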