
365 matches found

OSV, added 2023/05/31 5:56 p.m., 13 views

CVE-2023-33971 Formcreator vulnerable to stored XSS from ##FULLFORM##

Formcreator is a GLPI plugin which allows creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of FULLFORM for rendering. This could result in...

CVSS 6.1, AI score 5.8, EPSS 0.02098
Exploits 1, References 3
Vulnrichment, added 2023/05/31 5:56 p.m., 7 views

CVE-2023-33971 Formcreator vulnerable to stored XSS from ##FULLFORM##

Formcreator is a GLPI plugin which allows creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of FULLFORM for rendering. This could result in...

CVSS 6.1, AI score 6.7, EPSS 0.02098
Exploits 1, References 1
NVD, added 2023/05/30 8:15 p.m., 8 views

CVE-2023-23956

A user can supply malicious HTML and JavaScript code that will be executed in the client browser...

CVSS 6.1, AI score 5.5, EPSS 0.08071
Exploits 3, References 3
Vulnrichment, added 2023/05/30 5:31 a.m., 8 views

CVE-2023-33186 Cross-site scripting vulnerability in Zulip Server development branch via topic tooltip

Zulip is an open-source team collaboration tool with unique topic-based threading that combines the best of email and chat to make remote work productive and delightful. The main development branch of Zulip Server from May 2, 2023 and later, including beta versions 7.0-beta1 and 7.0-beta2, is...

CVSS 8.2, AI score 6.4, EPSS 0.00765
Exploits 0, References 4
Cvelist, added 2023/05/03 12:10 p.m., 15 views

CVE-2023-1384

The setMediaSource function on the amzn.thin.pl service does not sanitize the "source" parameter, allowing arbitrary JavaScript code to be run. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS versions prior to 7.6.3.3...

CVSS 4.3, AI score 6.6, EPSS 0.00417
Exploits 0, References 1
OSV, added 2023/04/15 7:3 p.m., 7 views

MGASA-2023-0145 Updated golang packages fix security vulnerability

DOS due to incorrect HTTP and MIME header parsing (CVE-2023-24534). DOS due to incorrect Multipart form parsing (CVE-2023-24536). Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow...

CVSS 9.8, AI score 8.9, EPSS 0.00759
Exploits 0, References 7
Mageia, added 2023/04/15 7:3 p.m., 49 views

Updated golang packages fix security vulnerability

DOS due to incorrect HTTP and MIME header parsing (CVE-2023-24534). DOS due to incorrect Multipart form parsing (CVE-2023-24536). Calling any of the Parse functions on Go source code which contains //line directives with very large line numbers can cause an infinite loop due to integer overflow...

CVSS 9.8, AI score 8.1, EPSS 0.00759
Exploits 0, References 6
Huntr, added 2023/04/13 3:38 p.m., 22 views

Stored XSS

Description: Stored XSS attack is possible. Proof of Concept. Step 1: Go to the login URL https://demo.easyappointments.org/index.php/user/login and login as an admin. Step 2: Click on Users tab and then click on Add button to create a new user with the following credentials. Credentials: First Nam...

CVSS 4.3, AI score 5.3, EPSS 0.0036
Exploits 1
OSV, added 2023/03/02 12:34 a.m., 17 views

GO-2023-1600 Arbitrary code execution in github.com/kitabisa/teler-waf

Improper handling of payload with special characters, such as CR/LF and horizontal tab, can lead to execution of arbitrary JavaScript code...

CVSS 6.5, AI score 6.3, EPSS 0.00279
Exploits 0, References 3
Cvelist, added 2022/12/25 12:0 a.m., 11 views

CVE-2022-44012

An issue was discovered in /DS/LMAPI/api/SelectionService/InsertQueryWithActiveRelationsReturnId in Simmeth Lieferantenmanager before 5.6. An attacker can execute JavaScript code in the browser of the victim if a site is loaded. The victim's encrypted password can be stolen and most likely be...

AI score 6, EPSS 0.00264
Exploits 3, References 1
CNNVD, added 2022/12/14 12:0 a.m., 1 view

Adobe Experience Manager cross-site scripting vulnerability

Adobe Experience Manager (AEM) is a content management solution from Adobe that can be used to build websites, mobile applications and forms. The solution supports mobile content management, marketing and sales campaign management, and multi-site management, etc. A cross-site scripting vulnerabilit...

CVSS 5.4, AI score 6.2, EPSS 0.01739
Exploits 0, References 3
Cvelist, added 2022/12/07 12:0 a.m., 9 views

CVE-2022-43668

Typora versions prior to 1.4.4 fail to properly neutralize JavaScript code, which may result in executing JavaScript code contained in the file when opening a file with the affected product...

AI score 6.4, EPSS 0.00542
Exploits 0, References 2
OSV, added 2022/10/25 7:0 p.m., 0 views

GHSA-RWQR-M72Q-V6CM Untrusted code execution in Apache XML Graphics Batik

A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16...

CVSS 7.5, AI score 7.1, EPSS 0.00541
Exploits 0, References 12
Vulnrichment, added 2022/10/25 4:32 p.m., 7 views

CVE-2022-38195 BUG-000150540 - Reflected XSS vulnerability in ArcGIS Server

There is a reflected cross-site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link to potentially execute arbitrary JavaScript code in the victim's browser...

CVSS 6.1, AI score 6.7, EPSS 0.00258
Exploits 0, References 1
NVD, added 2022/10/17 7:15 p.m., 10 views

CVE-2022-32176

In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of JavaScript code, through the "Compress Upload" functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the...

CVSS 9, EPSS 0.00644
Exploits 1, References 2
CVE, added 2022/10/12 12:0 a.m., 47 views

CVE-2022-42715

Affected software: REDCap (prior to 12.04.18). Vulnerability: Reflected XSS in the Alerts & Notifications upload feature. A crafted CSV file can cause arbitrary JavaScript execution in the user's browser. Root cause / scope: Unclear from provided docs beyond the XSS result via CSV upload; the iss...

CVSS 6.1, AI score 6.2, EPSS 0.00489
Exploits 1, References 3, Affected Software 1
Huntr, added 2022/09/23 2:25 p.m., 14 views

Stored XSS in Notifications

Description: It is possible to create a notification with stored XSS which can result in the JavaScript code execution. Notifications can only be created while logged in on user with admin privileges, but once notification is created any user can see it. Proof of Concept: Create notification with...

CVSS 5.8, AI score 1.5, EPSS 0.00007
Exploits 0
Prion, added 2022/08/05 4:15 p.m., 5 views

Cross site scripting

An XSS vulnerability exists in Pandora FMS version 756 and below, that allows an attacker to perform JavaScript code execution via service elements...

CVSS 5.8, AI score 6, EPSS 0.00283
Exploits 0, References 2, Affected Software 1
CVE, added 2022/08/05 3:26 p.m., 51 views

CVE-2021-46680

CVE-2021-46680 affects Pandora FMS versions prior to 756 (i.e., 756 and earlier). The vulnerability is a cross-site scripting (XSS) flaw in the module form name field, enabling an attacker to execute JavaScript in the context of the affected web interface. Reported across multiple sources (NVD en...

CVSS 6.1, AI score 5.2, EPSS 0.00389
Exploits 0, References 1, Affected Software 1
CVE, added 2022/08/05 3:25 p.m., 44 views

CVE-2021-46681

PT-2022-12901 (PT Security) provides concrete details for CVE-2021-46681: affected software Pandora FMS versions 756 and below with a Cross-Site Scripting vulnerability in the module massive operation name field that enables execution of JavaScript code. The report notes there is no information a...

CVSS 6.1, AI score 5.2, EPSS 0.00283
Exploits 0, References 2, Affected Software 1