5068 matches found

Veracode
added 2022/04/28 5:27 a.m. · 15 views

Cross-Site Scripting (XSS)

microweber/microweber is vulnerable to cross-site scripting. The vulnerability exists because the attributes have not been sanitized properly, which allows an attacker to inject and execute arbitrary JavaScript...

CVSS 6.1 · AI score 3 · EPSS 0.00345
Exploits 1 · References 4 · Affected Software 1
BDU FSTEC
added 2022/04/27 12:00 a.m. · 1 view

The vulnerability of the configuration page of the Elcomplus SmartPPT server allows a hacker to inject arbitrary JavaScript code into critical server parameters.

The vulnerability of the configuration page of the Elcomplus SmartPPT server lies in the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to inject arbitrary JavaScript code into critical server parameters through a specially...

CVSS 10 · AI score 6.5 · EPSS 0.00192
Exploits 0 · References 5 · Affected Software 1
Veracode
added 2022/04/26 10:20 a.m. · 21 views

Cross-site Scripting (XSS)

element-plus is vulnerable to cross-site scripting (XSS) attacks. The library does not properly sanitize the popperContent parameter in the renderContent function, allowing an attacker to inject and execute malicious JavaScript via el-table-column...

CVSS 6.1 · AI score 3.8 · EPSS 0.00307
Exploits 1 · References 5 · Affected Software 1
ATTACKERKB
added 2022/04/25 4:16 p.m. · 2 views

CVE-2022-1027

The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allows bad actors with administrator privileges to the settings page to inject JavaScript code into its settings, leading to stored Cross-Site Scripting that will only affect administrator users...

CVSS 4.8 · AI score 5.6 · EPSS 0.00282
Exploits 2 · References 2
Veracode
added 2022/04/25 10:16 a.m. · 16 views

Cross-site Scripting (XSS)

microweber is vulnerable to cross-site scripting. The vulnerability exists due to a lack of sanitization of input in the endpoint, allowing an attacker to inject maliciously crafted JavaScript into the system...

CVSS 6.1 · AI score 2.6 · EPSS 0.43794
Exploits 1 · References 2 · Affected Software 1
Vulnrichment
added 2022/04/22 3:01 p.m. · 7 views

CVE-2021-32927 Uffizio GPS Tracker Cross-site Scripting

An attacker may be able to inject client-side JavaScript code on multiple instances within all versions of Uffizio GPS Tracker...

CVSS 7.1 · AI score 6.9 · EPSS 0.00181
Exploits 0 · References 1
CVE
added 2022/04/22 3:01 p.m. · 46 views

CVE-2021-32927

CVE-2021-32927 affects all versions of Uffizio GPS Tracker and is described as a Cross-Site Scripting vulnerability (CWE-79) caused by improper neutralization of input during web page generation. The issue enables an attacker to inject client-side JavaScript into multiple instances, potentially e...

CVSS 7.1 · AI score 6.7 · EPSS 0.00181
Exploits 0 · References 1 · Affected Software 1
OSV
added 2022/04/22 7:15 a.m. · 2 views

CVE-2022-26673

ASUS RT-AX88U has insufficient filtering for special characters in the HTTP header parameter. A remote attacker with general user privilege can exploit this vulnerability to inject JavaScript and perform stored Cross-Site Scripting (XSS) attacks...

CVSS 5.4 · AI score 5.8
Exploits 0 · References 1
CNNVD
added 2022/04/22 12:00 a.m. · 4 views

IBM Cognos Analytics Cross-Site Scripting Vulnerability

IBM Cognos Analytics is a suite of business intelligence software from IBM in the United States. The software includes reports, dashboards, and scorecards, and can assist companies in adjusting their decisions by analyzing such things as key factors and key people. A cross-site scripting...

CVSS 5.4 · AI score 5.8 · EPSS 0.003
Exploits 0 · References 4
Prion
added 2022/04/21 7:15 p.m. · 14 views

Cross site scripting

ACS Commons version 5.1.x and earlier suffers from a Reflected Cross-site Scripting (XSS) vulnerability in the /apps/acs-commons/content/page-compare.html endpoint via the a and b GET parameters. User input submitted via these parameters is not validated or sanitised. An attacker must provide a link to...

CVSS 4.3 · AI score 5.9 · EPSS 0.01333
Exploits 0 · References 1 · Affected Software 1
NVD
added 2022/04/21 5:15 p.m. · 13 views

CVE-2022-24868

GLPI is a free asset and IT management software package that provides ITIL Service Desk features, license tracking and software auditing. In versions prior to 10.0.0 one can exploit a lack of sanitization on SVG file uploads and inject JavaScript into their user avatar. As a result any user...

CVSS 7.3 · EPSS 0.00282
Exploits 0 · References 2
OSV
added 2022/04/21 5:15 p.m. · 11 views

CVE-2021-41161

Combodo iTop is a web-based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page does not properly escape the user-supplied parameters, allowing for JavaScript injection into rendered CSV files. Users are advised to upgrade. There are no known workarounds for this issue...

CVSS 6.1 · AI score 7
Exploits 0 · References 2
NVD
added 2022/04/21 5:15 p.m. · 8 views

CVE-2021-41161

Combodo iTop is a web-based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page does not properly escape the user-supplied parameters, allowing for JavaScript injection into rendered CSV files. Users are advised to upgrade. There are no known workarounds for this issue...

CVSS 9.3 · EPSS 0.00311
Exploits 0 · References 2
Prion
added 2022/04/21 5:15 p.m. · 11 views

Code injection

Combodo iTop is a web-based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page does not properly escape the user-supplied parameters, allowing for JavaScript injection into rendered CSV files. Users are advised to upgrade. There are no known workarounds for this issue...

CVSS 4.3 · AI score 6.4 · EPSS 0.00311
Exploits 0 · References 2 · Affected Software 1
CVE
added 2022/04/21 4:35 p.m. · 61 views

CVE-2021-41161

CVE-2021-41161 affects Combodo iTop prior to 3.0.0-beta6. The export CSV page does not properly escape user-supplied parameters, allowing JavaScript injection into rendered CSV files. Upgrading to 3.0.0-beta6 or later is advised (as reflected by multiple connected sources incl. Red Hat). There ar...

CVSS 9.3 · AI score 6.8 · EPSS 0.00311
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/04/21 4:35 p.m. · 14 views

CVE-2021-41161 XSS in csvimport in 3.0.0-beta versions

Combodo iTop is a web-based IT Service Management tool. In versions prior to 3.0.0-beta6 the export CSV page does not properly escape the user-supplied parameters, allowing for JavaScript injection into rendered CSV files. Users are advised to upgrade. There are no known workarounds for this issue...

CVSS 9.3 · AI score 9.6 · EPSS 0.00311
Exploits 0 · References 2
CNNVD
added 2022/04/21 12:00 a.m. · 3 views

Combodo iTop Cross-Site Scripting Vulnerability

Combodo iTop is an open-source, ITIL-based web application developed by the French company Combodo for the day-to-day operation of IT environments. The program provides incident management, configuration management and problem management. A security vulnerability exists in Combodo iTop that allows...

CVSS 9.3 · AI score 6.1 · EPSS 0.00311
Exploits 0 · References 3
Positive Technologies
added 2022/04/21 12:00 a.m. · 9 views

PT-2022-11368 · Comodo +1 · Combodo Itop +1

Name of the Vulnerable Software and Affected Versions: Combodo iTop versions prior to 3.0.0-beta6. Description: The issue affects Combodo iTop, a web-based IT Service Management tool. In the affected versions, the export CSV page does not properly escape user-supplied parameters, allowing for...

CVSS 9.8 · AI score 7.1 · EPSS 0.20737
Exploits 12 · References 65
OSV
added 2022/04/20 6:25 p.m. · 3 views

CVE-2022-24864 Malicious JavaScript injection in OriginProtocol/origin-website

Origin Protocol is a blockchain-based project. The Origin Protocol project website allows malicious users to inject malicious JavaScript via a POST request to /presale/join. User-controlled data is passed with no sanitization to SendGrid and injected into an email that is delivered to the...

CVSS 4.1 · AI score 6.8 · EPSS 0.00309
Exploits 0 · References 5
CNNVD
added 2022/04/20 12:00 a.m. · 3 views

Origin Protocol Cross-Site Scripting Vulnerability

Origin Protocol is an Ethereum-based platform from US-based Origin that aims to bring non-fungible tokens (NFT) and decentralized finance (DeFi) to the masses. A security vulnerability exists in Origin Protocol that allows an attacker to inject malicious JavaScript code into /presale/join via a POST...

CVSS 5.4 · AI score 5.9 · EPSS 0.00309
Exploits 0 · References 4