17848 matches found

OSV
added 2024/10/07 9:30 p.m. · 9 views

CVE-2024-47781 Cross-site Scripting (XSS) in Special:RequestWikiQueue when displaying sitename in CreateWiki

CreateWiki is an extension used at Miraheze for requesting and creating wikis. The name of a requested wiki is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS...

CVSS 5.3 · AI score 6 · EPSS 0.0081
Exploits 0 · References 5
NVD
added 2024/10/07 9:15 p.m. · 21 views

CVE-2024-47772

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript in users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of...

CVSS 6.5 · EPSS 0.00725
Exploits 0 · References 2
OSV
added 2024/10/07 8:50 p.m. · 16 views

CVE-2024-47772 Cross-site Scripting (XSS) via chat excerpts when content security policy (CSP) disabled in Discourse

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript in users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of...

CVSS 6.5 · AI score 7.1 · EPSS 0.00725
Exploits 0 · References 4
Github Security Blog
added 2024/10/07 3:58 p.m. · 20 views

PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via JavaScript hyperlinks

Summary: \PhpOffice\PhpSpreadsheet\Writer\Html does not sanitize "javascript:" URLs from hyperlink href attributes, resulting in a Cross-Site Scripting vulnerability. PoC example target script: ...load(__DIR__ . '/book.xlsx'); $writer = new \PhpOffice\PhpSpreadsheet\Writer\Html($spreadsheet); ...

CVSS 5.4 · AI score 5.6 · EPSS 0.01057
Exploits 1 · References 6 · Affected software 2
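The PhpSpreadsheet entry above describes an HTML writer that copies a cell's hyperlink target into an href attribute without checking its scheme, so a "javascript:" target becomes click-to-execute script in the exported page. The following is an added example, not PhpSpreadsheet's code, of the scheme allowlist such a writer needs; the allowed-scheme set, the helper names and the cell renderer are assumptions for illustration. It also covers the two evasions a plain string comparison misses: mixed-case schemes and tab/newline characters that browsers strip before parsing.

```javascript
// Added example, not PhpSpreadsheet code: allowlist the URL scheme of a hyperlink
// before it is written into generated HTML. A cell whose link target is
// "javascript:..." must not become <a href="javascript:..."> in the output.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumption: what a report needs

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Returns a normalised href that is safe to emit, or null if the target is rejected.
function safeHref(raw) {
  // Browsers drop ASCII tab/newline anywhere and leading/trailing C0 controls when
  // they parse a URL, so "java\tscript:" and " javascript:" still execute.
  // Apply the same normalisation before deciding.
  const cleaned = String(raw)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  let url;
  try {
    url = new URL(cleaned); // absolute URL: scheme parsed by WHATWG rules, lower-cased
  } catch {
    // Not an absolute URL. A relative reference ("Sheet2.html", "#Sheet1!A1") has no
    // scheme and can be kept; anything that still looks like "scheme:" is refused.
    return /^[a-z][a-z0-9+.-]*:/i.test(cleaned) ? null : cleaned;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Emits one table cell; a rejected link degrades to plain text, not to a link.
function renderHyperlinkCell(text, href) {
  const label = escapeHtml(text);
  const target = safeHref(href);
  return target === null
    ? `<td>${label}</td>`
    : `<td><a href="${escapeHtml(target)}">${label}</a></td>`;
}
```

A denylist of "javascript:" alone would miss "data:" and "vbscript:" targets and the normalisation tricks above; an allowlist of the few schemes a spreadsheet export actually needs is both shorter and safer.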
Vulnrichment
added 2024/10/07 12:14 p.m. · 12 views

CVE-2024-45153 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVSS 5.4 · AI score 5.3 · EPSS 0.01626
Exploits 0 · References 1
OpenVAS
added 2024/10/07 12:00 a.m. · 12 views

Ubuntu: Security Advisory (USN-7056-1)

The remote host is missing an update for the ... (the rest of the excerpt is the Greenbone script header: SPDX-FileCopyrightText: 2024 Greenbone AG; some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders; SPDX-License-Identifier: GPL-2.0-only)...

CVSS 9.8 · AI score 8 · EPSS 0.00806
Exploits 0 · References 2
NVD
added 2024/10/05 7:15 a.m. · 19 views

CVE-2024-8743

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for...

CVSS 6.8 · EPSS 0.42929
Exploits 1 · References 2
CVE
added 2024/10/04 5:17 p.m. · 56 views

CVE-2024-25694

CVE-2024-25694 describes a stored cross-site scripting vulnerability in Esri Portal for ArcGIS Enterprise. The issue affects Portal versions 11.1 and below (per sources) and involves a crafted link stored in the Layer Showcase configuration that, when clicked, can execute arbitrary JavaScript in ...

CVSS 4.8 · AI score 5.5 · EPSS 0.0023
Exploits 0 · References 1 · Affected software 1
Vulnrichment
added 2024/10/04 5:17 p.m. · 12 views

CVE-2024-25702 BUG-000160599 - Stored XSS in Portal for ArcGIS Web App Builder

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScri...

CVSS 4.8 · AI score 5.5 · EPSS 0.0023
Exploits 0 · References 1
OSV
added 2024/10/03 6:26 p.m. · 47 views

GHSA-593M-55HH-J8GV Sentry SDK Prototype Pollution gadget in JavaScript SDKs

Impact: In case a Prototype Pollution vulnerability is present in a user's application or bundled libraries, the Sentry SDK could potentially serve as a gadget to exploit that vulnerability. The exploitability depends on the specific details of the underlying Prototype Pollution issue. Note: This...

CVSS 6.3 · AI score 7.2
Exploits 0 · References 6
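The Sentry advisory above is about a gadget, not a pollution bug: the SDK itself does not pollute anything, but a library that reads its options with `options.x || default` will pick up whatever an unrelated prototype-pollution bug planted on Object.prototype. The following is an added example, not the Sentry SDK's code, showing the gadget pattern end to end and the own-property lookup that closes it. The naive merge standing in for the polluting dependency, the option name `reportEndpoint` and the endpoint URLs are all constructed for illustration.

```javascript
// Added example, not the Sentry SDK's code: how a library that reads an option with
// "options.x || default" becomes a gadget once Object.prototype has been polluted
// by an unrelated bug, and the lookup that closes the gadget.

// The unrelated bug: a naive recursive merge that treats "__proto__" as an ordinary
// key (constructed here to stand in for a vulnerable dependency).
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value); // for key "__proto__" this recurses into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical SDK option; the gadget is the lookup style, not this name.
const DEFAULT_ENDPOINT = "https://ingest.example.test/api/events";

// Gadget: with no own property set, the lookup walks the prototype chain and picks
// up whatever the pollution planted, so every event is shipped to the attacker.
function resolveEndpointVulnerable(options) {
  return options.reportEndpoint || DEFAULT_ENDPOINT;
}

// Closed: only an own property counts. Object.prototype.hasOwnProperty.call (rather
// than options.hasOwnProperty) also works for null-prototype options objects.
function resolveEndpointHardened(options) {
  return Object.prototype.hasOwnProperty.call(options, "reportEndpoint")
    ? options.reportEndpoint
    : DEFAULT_ENDPOINT;
}

// Constructed attack: attacker-controlled JSON reaches the naive merge somewhere
// in the application, far from the SDK.
function demo() {
  const attackerJson = '{"__proto__":{"reportEndpoint":"https://attacker.example.test/collect"}}';
  unsafeMerge({}, JSON.parse(attackerJson)); // merged into an unrelated config object
  const sdkOptions = {};                      // the SDK was configured with no override
  const result = {
    vulnerable: resolveEndpointVulnerable(sdkOptions),
    hardened: resolveEndpointHardened(sdkOptions),
    polluted: ({}).reportEndpoint !== undefined,
  };
  delete Object.prototype.reportEndpoint;     // undo the pollution for later code
  return result;
}
```

The root fix belongs in the merge (skip `__proto__`, `constructor` and `prototype` keys, or use `Object.create(null)` targets), and `Object.freeze(Object.prototype)` at application start removes the whole gadget class; the own-property lookup is what a library can do on its side without knowing which dependency is broken.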
Github Security Blog
added 2024/10/03 6:25 p.m. · 15 views

Cross-site Scripting via uploaded SVG

Sulu v2.0.0 through v2.6.4 is vulnerable to XSS: a low-privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious JavaScript executes in the browsers of other users, including admins...

CVSS 5.4 · AI score 6 · EPSS 0.01613
Exploits 0 · References 4 · Affected software 1
NVD
added 2024/10/03 3:15 p.m. · 14 views

CVE-2024-47618

Sulu is a PHP content management system. Sulu is vulnerable to XSS: a low-privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious JavaScript executes in the browsers of other users, including...

CVSS 5.4 · EPSS 0.01613
Exploits 0 · References 2
Cvelist
added 2024/10/03 2:24 p.m. · 18 views

CVE-2024-47617 Reflected XSS Vulnerability in Sulu Media Bundle

Sulu is a PHP content management system. This vulnerability allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. It affects the SuluMediaBundle component. The vulnerability is a Reflected Cross-Site Scripting XSS issue, which could potentially...

CVSS 6.1 · EPSS 0.00746
Exploits 0 · References 3
CVE
added 2024/10/03 2:24 p.m. · 51 views

CVE-2024-47617

Sulu CMS is affected by a Reflected XSS in the media download URL via the SuluMediaBundle. The issue stems from how the slug parameter is handled in the MediaStreamController downloadAction, allowing injection of arbitrary HTML/JavaScript. Affected versions include 2.6.4/2.5.20 (prior to fixes). ...

CVSS 6.1 · AI score 6 · EPSS 0.00746
Exploits 0 · References 3 · Affected software 1
CVE
added 2024/10/03 2:18 p.m. · 54 views

CVE-2024-47618

Sulu is a PHP content management system vulnerable to cross-site scripting (XSS) via uploaded SVG files. A low-privileged user with access to the Media section can upload an SVG containing a malicious payload, which executes in other users’ browsers when accessed. The vulnerability i...

CVSS 5.4 · AI score 5.1 · EPSS 0.01613
Exploits 0 · References 2 · Affected software 1
OSV
added 2024/10/03 2:18 p.m. · 8 views

CVE-2024-47618 Sulu vulnerable to XSS via uploaded SVG

Sulu is a PHP content management system. Sulu is vulnerable to XSS: a low-privileged user with access to the “Media” section can upload an SVG file with a malicious payload. Once uploaded and accessed, the malicious JavaScript executes in the browsers of other users, including...

CVSS 5.1 · AI score 6 · EPSS 0.01613
Exploits 0 · References 4
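The four CVE-2024-47618 entries above (Sulu, XSS via uploaded SVG) all come down to the same thing: an SVG is an XML document that can carry script, event-handler attributes and javascript: links, and once served from the application's origin it runs with that origin's cookies. The following is an added example, not Sulu's code, of a reject-or-accept screen run over the raw upload before it is stored; the check list, the helper names and the two sample files are constructed for illustration. It decodes numeric character references and strips tab/newline first, because `&#106;avascript:` and `java&#9;script:` are the standard ways past a naive string match.

```javascript
// Added example, not Sulu code: screen an uploaded SVG for active content before
// accepting it. This is a reject-or-accept filter run on the raw upload (nothing is
// rewritten); anything it flags is refused.

// Decode numeric character references so "&#106;avascript:" is seen as "javascript:".
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (_, code) => {
    const cp = /^x/i.test(code) ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

// Returns { ok, reasons }; reasons lists every finding so the rejection can be logged.
function screenSvg(text) {
  const reasons = [];
  const decoded = decodeNumericRefs(text);
  // Browsers ignore tab/newline/NUL inside a URL scheme, so flatten before matching.
  const flat = decoded.replace(/[\t\n\r\u0000]/g, "");

  // First real element must be <svg>; "<?xml" and "<!DOCTYPE" are skipped by the regex.
  const firstTag = text.match(/<([a-zA-Z][\w:.-]*)/);
  if (!firstTag || firstTag[1].toLowerCase() !== "svg") reasons.push("root element is not <svg>");
  if (/<!ENTITY/i.test(text)) reasons.push("entity declaration (XXE / entity expansion)");
  if (/<\s*script\b/i.test(flat)) reasons.push("script element");
  if (/\son[a-z]+\s*=/i.test(flat)) reasons.push("event handler attribute");
  if (/javascript:/i.test(flat)) reasons.push("javascript: URL");
  if (/<\s*foreignObject\b/i.test(flat)) reasons.push("foreignObject (embeds HTML)");
  if (/<\s*(?:set|animate)\b[^>]*attributeName\s*=\s*["']?(?:xlink:)?href/i.test(flat)) {
    reasons.push("animated href");
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample uploads: a plain icon, and a payload using an encoded scheme.
const BENIGN_SVG =
  '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' +
  '<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>';
const MALICIOUS_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
  '<a xlink:href="&#106;ava&#9;script:alert(document.cookie)"><text y="20">open</text></a>' +
  '<script>alert(1)</script></svg>';
```

A text screen like this will false-positive on comments and cannot vouch for every SVG feature, so it belongs in front of the real fix, not in place of it: serve user uploads from a separate origin, or with `Content-Disposition: attachment` and a `Content-Security-Policy: sandbox` response header, so that a payload the filter misses still cannot run as the application's origin.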
RedHat Linux
added 2024/10/03 11:20 a.m. · 1 view

firefox: thunderbird: Cross-origin access to PDF contents through multipart responses

A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the issue as follows: An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This...

CVSS 7.5 · AI score 7.5 · EPSS 0.00168
Exploits 0 · References 8
OSV
added 2024/10/03 12:00 a.m. · 1 view

UBUNTU-CVE-2024-9393

An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the resource://pdf.js origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full...

CVSS 7.5 · AI score 7.5 · EPSS 0.00168
Exploits 0 · References 12
NVD
added 2024/10/02 9:15 p.m. · 16 views

CVE-2024-28888

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a checkbox field object. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker...

CVSS 8.8 · EPSS 0.04084
Exploits 1 · References 3
Vulnrichment
added 2024/10/02 6:40 p.m. · 11 views

CVE-2024-9440 Slim Select 2.0 createOption "text" XSS

Slim Select 2.0 versions through 2.9.0 are affected by a potential cross-site scripting vulnerability. In select.ts:createOption, the text variable from the user-provided Options object is assigned to an innerHTML without sanitization. Software that depends on this library to dynamically generate...

CVSS 5.4 · AI score 6.2 · EPSS 0.00256
Exploits 1 · References 3
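The Slim Select entry above pins the bug to one assignment: caller-supplied option text written to innerHTML. The following is an added example, not Slim Select's code, contrasting that sink with the textContent assignment that does not parse markup, plus the consumer-side escape a dependant can apply while it waits for an upgrade. A small stand-in element replaces the DOM so the example runs under Node; the `html` field on the hardened option and the function names are assumptions for illustration, not the library's API.

```javascript
// Added example, not Slim Select's code: the innerHTML assignment that turns option
// text into an XSS sink, and the textContent assignment that does not. The stand-in
// element mirrors the one browser behaviour that matters here: text assigned via
// textContent is serialised with & < > escaped; text assigned via innerHTML is parsed.
function escapeText(s) {
  return String(s).replace(/[&<>]/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" })[c]);
}

function makeElement() {                           // stand-in for document.createElement("div")
  let markup = "";
  return {
    get innerHTML() { return markup; },
    set innerHTML(v) { markup = String(v); },       // parsed as HTML by a real browser
    set textContent(v) { markup = escapeText(v); }, // never parsed; serialised escaped
  };
}

// Vulnerable shape, as the advisory describes it: caller-supplied "text" goes to
// innerHTML, so a label such as <img src=x onerror=alert(1)> executes on render.
function createOptionVulnerable(option) {
  const el = makeElement();
  el.innerHTML = option.text;
  return el;
}

// Hardened shape: plain text always goes through textContent. A separately named
// "html" field (an assumption here, not the library's API) is the only route to
// innerHTML, and the caller owns sanitising whatever it puts there.
function createOptionHardened(option) {
  const el = makeElement();
  if (typeof option.html === "string") el.innerHTML = option.html;
  else el.textContent = option.text ?? "";
  return el;
}

// Consumer-side mitigation when the library cannot be upgraded yet: escape labels
// before they reach the library, so an innerHTML sink renders them as literal text.
function toSafeOptions(untrustedLabels) {
  return untrustedLabels.map((label) => ({ text: escapeText(label) }));
}
```

The consumer-side escape is a stopgap: it double-escapes once the library is fixed to use textContent, so it should be removed on upgrade rather than left in place.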