CometVisu Backend for openHAB affected by SSRF/XSS
The proxy endpoint of openHAB's CometVisu add-on can be accessed without authentication. This proxy feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers if openHAB is exposed on a non-private network. Furthermore, this proxy featu...
CVE-2024-36461 Direct access to memory pointers within the JS engine for modification
Within Zabbix, users have the ability to directly modify memory pointers in the JavaScript engine...
CVE-2024-36461
CVE-2024-36461 affects Zabbix: a user can directly modify memory pointers in the JavaScript engine, enabling remote code execution with limited privileges. Public advisories in multiple distros corroborate the vulnerability and list patches: openSUSE/SUSE notes CVE-2024-36461 fixed in Zabbix 6.0....
Yoga Class Registration System 1.0 Cross Site Request Forgery
Title: Yoga Class Registration System v1.0 CSRF Vulnerability | Author: indoushka | Tested on: Windows 10 FrPro / browser: Mozilla Firefox 128.0....
CVE-2024-42493
Dorsett Controls InfoScan is vulnerable to a leak of potentially sensitive information through response headers and the rendered JavaScript prior to user login...
CVE-2024-42493
CVE-2024-42493 affects Dorsett Controls InfoScan. The vulnerability is an exposure/leak of sensitive information via response headers and pre-login JavaScript in InfoScan versions prior to 1.38 (notably v1.32/v1.33/v1.35). Red Hat and ICS advisories corroborate exploitation risk and classify the ...
GHSA-5JP3-WP5V-5363 Open WebUI Stored Cross-Site Scripting Vulnerability
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...
CVE-2024-6892
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application...
Open WebUI 0.1.105 Persistent Cross Site Scripting
KL-001-2024-005: Open WebUI Stored Cross-Site Scripting Title: Open WebUI Stored Cross-Site Scripting Advisory ID: KL-001-2024-005 Publication Date: 2024.08.06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI...
CVE-2024-6892 Journyx Reflected Cross Site Scripting
Attackers can craft a malicious link that once clicked will execute arbitrary JavaScript in the context of the Journyx web application...
Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords
Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious...
Reflected Cross-Site Scripting (Reflected XSS)
Scrypted is vulnerable to Reflected Cross-Site Scripting (Reflected XSS). The vulnerability is due to a lack of input sanitization in the 'owner' and 'pkg' parameters in the plugin-http.ts file, allowing an attacker to run arbitrary JavaScript code...
Open WebUI Stored Cross-Site Scripting
Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVE ID: CVE-2024-6706 2. Vulnerability Description Attackers...
CVE-2024-41677
Qwik is a performance-focused JavaScript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...
CVE-2024-41677
Summary: CVE-2024-41677 describes a mutation XSS (mXSS) vulnerability in Qwik due to improper HTML escaping during server-side rendering. The issue arises from how strings are escaped in render-ssr.ts, causing the final browser DOM to differ from the server render. Affected versions: up to, but n...
CVE-2024-41677 Cross-site Scripting (XSS) vulnerability due to improper HTML escaping in qwik
Qwik is a performance-focused JavaScript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the render-ssr.ts file. It sometimes...
CVE-2024-43111
Long pressing on a download link could potentially allow JavaScript commands to be executed within the browser. This vulnerability affects Firefox for iOS 129...
CVE-2024-43111
Vulnerability summary (CVE-2024-43111): Firefox for iOS prior to version 129 is affected. Long-pressing a download link could allow JavaScript commands to be executed in the browser, enabling potential malicious activity. The issue is described across multiple sources (NVD entry and related advis...