
365 matches found

Positive Technologies
added 2022/08/05 12:0 a.m. · 1 views

PT-2022-12898 · Unknown · Pandora Fms

Name of the Vulnerable Software and Affected Versions: Pandora FMS versions prior to 756 Description: An XSS issue exists that allows an attacker to execute JavaScript code via the service name field. Recommendations: For versions prior to 756, update to a version above 756 to resolve the issue...

6.1 CVSS · 6.2 AI score · 0.00389 EPSS
Exploits 0 · References 3

Positive Technologies
added 2022/07/18 12:0 a.m. · 2 views

PT-2022-20575 · Jquery +5 · Jquery Ui +5

Name of the Vulnerable Software and Affected Versions: jQuery UI versions prior to 1.13.2 Moodle versions prior to 3.11.17-alt1 Description: jQuery UI, a collection of user interface interactions, effects, widgets, and themes built on jQuery, is susceptible to a cross-site scripting (XSS) issue...

8 CVSS · 6 AI score · 0.31184 EPSS
Exploits 6 · References 61

NVD
added 2022/06/16 5:15 p.m. · 9 views

CVE-2021-41420

A stored XSS vulnerability in MaianAffiliate v.1.0 allows an authenticated attacker for arbitrary JavaScript code execution in the context of authenticated and unauthenticated users through the MaianAffiliate admin panel...

5.4 CVSS · 0.01439 EPSS
Exploits 1 · References 2

OSV
added 2022/05/17 12:23 a.m. · 8 views

GHSA-V3H2-4J2R-WQJ8 Ignite Realtime Openfire Server has Cross-site Scripting vulnerability in admin console

The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allows arbitrary client-side JavaScript code execution on victims who click a crafted setup/setup-host-settings.jsp?domain= link, aka XSS. Session ID and data theft may follow as well as the possibility of bypassing CSRF protection...

4.8 CVSS · 5.6 AI score · 0.00391 EPSS
Exploits 0 · References 3

GitHub Security Blog
added 2022/05/13 1:24 a.m. · 19 views

October CMS XSS

October CMS build 412 is vulnerable to stored XSS in brand logo image name resulting in JavaScript code execution in the victim's browser...

6.1 CVSS · 6.7 AI score · 0.00396 EPSS
Exploits 0 · References 3 · Affected Software 1

OSV
added 2022/05/13 1:24 a.m. · 8 views

GHSA-3P6C-9XHM-8X7H October CMS XSS

October CMS build 412 is vulnerable to stored XSS in brand logo image name resulting in JavaScript code execution in the victim's browser...

6.1 CVSS · 6.2 AI score · 0.00396 EPSS
Exploits 0 · References 3

NVD
added 2022/05/02 12:15 a.m. · 7 views

CVE-2021-31674

Cyclos 4 PRO 4.14.7 and before does not validate user input at error inform, which allows remote unauthenticated attacker to execute javascript code via undefine enum constant...

6.1 CVSS · 0.02158 EPSS
Exploits 4 · References 3

CNVD
added 2022/04/24 12:0 a.m. · 12 views

GLPI Cross-Site Scripting Vulnerability (CNVD-2022-44239)

GLPI is an open source IT and asset management software from a personal developer. The software provides a full-featured IT resource management interface that you can use to build a database to fully manage IT computers, monitors, servers, printers, network devices, phones, even toner cartridges...

2 AI score
Exploits 0 · Affected Software 1

OSV
added 2022/03/30 6:26 p.m. · 13 views

GHSA-QGPV-86R3-87FH Cross-site Scripting in Parsedown

Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in setMarkupEscaped for escaping HTML that can result in JavaScript code execution. This attack appears to be exploitable via specially crafted markdown that allows it to side step HTML escaping by breaking AST...

6.1 CVSS · 6.1 AI score · 0.00396 EPSS
Exploits 0 · References 5

CVE
added 2022/03/30 11:49 a.m. · 71 views

CVE-2022-24131

CVE-2022-24131 affects DouPHP v1.6 Release 20220121. The issue is a Cross Site Scripting (XSS) vulnerability in the backend via /admin/login.php that can lead to JavaScript code execution. Exploitation details, affected versions beyond the stated release, and remediation steps are not provided in...

6.1 CVSS · 6.2 AI score · 0.00427 EPSS
Exploits 1 · References 1 · Affected Software 1

CVE
added 2022/03/01 2:4 p.m. · 117 views

CVE-2021-46387

CVE-2021-46387 affects ZyXEL ZyWALL 2 Plus Internet Security Appliance. The issue is a Cross-Site Scripting (XSS) vulnerability caused by insecure URI handling, enabling an attacker to execute arbitrary JavaScript in a user’s browser and potentially perform clipboard hijacking or session hijackin...

6.1 CVSS · 6.4 AI score · 0.33407 EPSS
Exploits 4 · References 4 · Affected Software 1

CNVD
added 2022/03/01 12:0 a.m. · 25 views

JetBrains YouTrack Cross-Site Scripting Vulnerability (CNVD-2022-20143)

JetBrains YouTrack is a browser-based bug tracking and project management software from JetBrains Czech Republic. A cross-site scripting vulnerability exists in versions prior to JetBrains YouTrack 2021.4.31698, which stems from a lack of data validation filtering of user-supplied data and output...

5.4 CVSS · 2.4 AI score · 0.00006 EPSS
Exploits 0 · References 1

OpenVAS
added 2022/01/28 12:0 a.m. · 22 views

Mageia: Security Advisory (MGASA-2021-0390)

The remote host is missing an update for the...

7.5 CVSS · 6.3 AI score · 0.01026 EPSS
Exploits 2 · References 3

CNVD
added 2021/12/07 12:0 a.m. · 4 views

Unspecified Vulnerability in Plupload

Plupload is a cross-browser, multi-runtime file upload API. A security vulnerability exists in versions of plupload prior to 2.3.9 that allows an attacker to upload and run files containing JavaScript code...

8.8 CVSS · 6.6 AI score · 0.00502 EPSS
Exploits 0 · References 1

NVD
added 2021/11/22 5:15 p.m. · 10 views

CVE-2021-23673

This affects all versions of package pekeupload. If an attacker induces a user to upload a file whose name contains javascript code, the javascript code will be executed...

6.1 CVSS · 0.0024 EPSS
Exploits 1 · References 2

Vulnrichment
added 2021/11/16 9:45 a.m. · 6 views

CVE-2021-25984 FactorJS - Stored Cross-Site Scripting (XSS) in Post Reply Functionality

In Factor App Framework & Headless CMS forum plugin, versions v1.3.3 to v1.8.30, are vulnerable to stored Cross-Site Scripting (XSS) at the “post reply” section. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies...

6.1 CVSS · 5.9 AI score · 0.01511 EPSS
Exploits 0 · References 2

Prion
added 2021/11/08 6:15 p.m. · 12 views

Cross site scripting

The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given that XSS is triggered even when the...

6 CVSS · 7.9 AI score · 0.0062 EPSS
Exploits 2 · References 1 · Affected Software 1

GitHub Security Blog
added 2021/11/08 6:7 p.m. · 25 views

Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)

Impact: In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...

0.5 AI score
Exploits 0 · References 2 · Affected Software 1

Debian CVE
added 2021/11/04 11:4 p.m. · 23 views

CVE-2021-39906

Removed by vendor...

8.7 CVSS · 6.9 AI score · 0.01 EPSS
Exploits 0

Tenable Nessus
added 2021/11/02 12:0 a.m. · 29 views

Mozilla Firefox < 94.0

The version of Firefox installed on the remote Windows host is prior to 94.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2021-48 advisory. - The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such...

10 CVSS · 7.4 AI score · 0.06043 EPSS
Exploits 1 · References 14