59103 matches found
CVE-2025-12031
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the JavaScript context. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via improper handling of reserved data attributes in the Sanitizer::validateAttributes function. An attacker can execute arbitrary JavaScript in the context of the user's browser by injecting malicious scripts...
CVE-2025-11952
Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user...
CVE-2025-11952
CVE-2025-11952 describes a stored XSS in Oct8ne Chatbot v2.3. The flaw arises from input validation failure when creating a mail transcript via /Records/SendSummaryMail, allowing injected JavaScript to run in a victim's browser. Impact stated: potential theft of sensitive data (e.g., session cook...
MAL-2025-48552 Malicious code in tailwindcss-awesomefont (npm)
Source: ghsa-malware 85ee9e62f66e09344e931a1854ac52622771856fda95ece5f148374cc50b406b. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-60507
Cross site scripting vulnerability in Moodle GeniAI plugin localgeniai 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users including Students or...
CVE-2025-60506
Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary JavaScript payloads into a comment. When any other user (Student, Teacher, or Admin) views the annotated PD...
TencentOS Server 3: firefox (TSSA-2025:0792)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0792 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,...
CVE-2025-62528
Taguette is an open source qualitative research tool. An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. This issue has been patched in version 1.5.0...
CVE-2025-61255
Bank Locker Management System by PHPGurukul is affected by a Cross-Site Scripting (XSS) vulnerability via the /search parameter, where unsanitized input allows arbitrary HTML and JavaScript injection, potentially resulting in information disclosure and user redirection...
CVE-2025-56800
Reolink desktop application 8.18.12 contains a vulnerability in its local authentication mechanism. The application implements lock screen password logic entirely on the client side using JavaScript within an Electron resource file. Because the password is stored and returned via a modifiable...
CVE-2025-60507
Cross site scripting vulnerability in Moodle GeniAI plugin localgeniai 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users including Students or...
CVE-2025-12031
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the JavaScript context. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
CVE-2025-62249
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,...
CVE-2025-62249
A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,...
EUVD-2025-35196
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the JavaScript context. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
CVE-2025-12031 HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the JavaScript context. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
CVE-2025-12031
The CVE-2025-12031 entry covers Azure Access Technology BLU-IC2 and BLU-IC4 networked access controllers. The connected CNVD/RH/NVD records confirm a weakness caused by missing Secure and HttpOnly cookie attributes, enabling reading of sensitive cookies from a JavaScript context. Affected version...
EUVD-2025-35142
Malicious code in bcrypt-js-edge npm...