PT-2024-5456 · IBM · IBM ClearQuest
Name of the Vulnerable Software and Affected Versions: IBM ClearQuest versions 9.1 through 9.1.0.6. Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session...
CVE-2024-21686
CVE-2024-21686 is a stored XSS vulnerability affecting Atlassian Confluence Data Center and Server, introduced in version 7.13. The CVSS base score is 7.3 (high) with author-verified network attack vector, low attack complexity, low privileges required, and user interaction required; impact is hi...
CVE-2024-1937 Brizy – Page Builder <= 2.4.44 - Missing Authorization to Authenticated (Contributor+) Post Modification
The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updateitem' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to...
Cross Site Scripting (XSS)
@udecode/plate-media is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of proper URL sanitization in MediaEmbedElement and custom urlParsers, and direct consumption of the url property, which allows an attacker to embed malicious URLs using javascript:, data:, or vbscript...
CVE-2024-4224
TP-Link TL-SG1016DE exposes an authenticated stored XSS in firmware TL-SG1016DE(UN) v7.6_1.0.0 Build 20230616, enabling an attacker with credentials to execute JavaScript in an administrator’s browser. The root cause is described as insufficient client-side/web-page protection enabling XSS. Impact is li...
CVE-2024-6741
Openfind's Mail2000 has a vulnerability that allows the HttpOnly flag to be bypassed. Unauthenticated remote attackers can exploit this vulnerability using specific JavaScript code to obtain the session cookie with the HttpOnly flag enabled...
CVE-2024-6740
Openfind Mail2000 is affected by a Stored XSS vulnerability arising from improper validation of email attachments. An unauthenticated remote attacker can inject JavaScript into an attachment, with the attack executed when the attachment is viewed (stored XSS). Affected product: Openfind Mail2000....
CVE-2024-6742
AguardNet Technology's Space Management System does not properly filter user input, allowing remote attackers with regular privileges to inject JavaScript and perform Reflected Cross-site scripting attacks...
CVE-2024-6742 AguardNet Space Management System - Reflected Cross-Site Scripting
AguardNet Technology's Space Management System does not properly filter user input, allowing remote attackers with regular privileges to inject JavaScript and perform Reflected Cross-site scripting attacks...
CVE-2024-39728
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted sessio...
CVE-2024-39728 IBM Datacap Navigator cross-site scripting
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted sessio...
CVE-2024-31946
An issue was discovered in Stormshield Network Security SNS 3.7.0 through 3.7.41, 3.10.0 through 3.11.29, 4.0 through 4.3.24, and 4.4.0 through 4.7.4. A user who has access to the SNS with write access on the email alerts page has the ability to create alert email containing malicious JavaScript,...
CVE-2024-31946
CVE-2024-31946 affects Stormshield Network Security (SNS). A user with write access to the SNS email alerts page can craft an alert email containing malicious JavaScript that is executed in the template preview. Affected versions include 3.7.0–3.7.41, 3.10.0–3.11.29, 4.0–4.3.24, and 4.4.0–4.7.4. ...
CVE-2024-4269 SVG Block < 1.1.20 - Author+ Stored XSS via SVG File Upload
The SVG Block WordPress plugin before 1.1.20 does not sanitize SVG file contents, which enables users with at least the author role to upload SVG files containing malicious JavaScript and conduct Stored XSS attacks...
CVE-2024-40690
IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 29772...
DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign
Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections. Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing...
Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability
Withdrawn Advisory This advisory is withdrawn because it was not a security issue in Bootstrap. Bootstrap’s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap’s security model, and the associated CVE ha...
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
A security vulnerability has been discovered in Bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribut...
GHSA-VC8W-JR9V-VJ7F Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability
Withdrawn Advisory This advisory is withdrawn because it was not a security issue in Bootstrap. Bootstrap’s JavaScript is not intended to sanitize unsafe or intentionally dangerous HTML. As such, the reported behavior fell outside the scope of Bootstrap’s security model, and the associated CVE ha...