4739 matches found
Design/Logic Flaw
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded a user needs to be tricked into uploading such a file...
CVE-2021-23439 Cross-site Scripting (XSS)
This affects the package file-upload-with-preview before 4.2.0. A file containing malicious JavaScript code in the name can be uploaded a user needs to be tricked into uploading such a file...
XSS vulnerability on password reset page
Impact For Mautic versions prior to 3.3.4, there is an XSS vulnerability on Mautic's password reset page where a vulnerable parameter, "bundle," in the URL could allow an attacker to execute Javascript code. The attacker would be required to convince or trick the target into clicking a password...
CVE-2021-29852
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205528...
Cross-site Scripting (XSS) - Stored in zmister2016/mrdoc
✍️ Description Stored xss bug allow to execute arbitary javascript code in vicitm account 🕵️♂️ Proof of Concept 1. First create a document and put bellow xss payload inside document content .\ xss"''\ 2. Now any user view this document project then xss is executed VIDEO POC --...
GHSA-GX5W-RRHP-F436 XSS in mdBook
This is a cross-post of the official security advisoryml. The official post contains a signed version with our PGP key, as well. ml: https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0 The Rust Security Response Working Group was recently notified of a security issue affecti...
CVE-2021-30862
A validation issue was addressed with improved input sanitization. This issue is fixed in iTunes U 3.8.3. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...
Input validation
A validation issue was addressed with improved input sanitization. This issue is fixed in iTunes U 3.8.3. Processing a maliciously crafted URL may lead to arbitrary javascript code execution...
CVE-2021-30862
CVE-2021-30862 affects Apple iTunes U prior to version 3.8.3. It is due to a validation/input sanitization issue that can allow processing of a malicious URL to trigger arbitrary JavaScript code execution. Apple patched this in iTunes U 3.8.3 (HT212809). The vulnerability impacts the iTunes U com...
Cross-site Scripting (XSS) - Stored in yourls/yourls
✍️ Description stored xss 🕵️♂️ Proof of Concept plz check this 1 minute video to reproduce the bug https://drive.google.com/file/d/1MHQSKVczRNwDC8S6xKuedjMNcQw8YOz5/view?usp=sharing 💥 Impact Stored xss allow to executed arbitary javascript code...
rConfig Cross-Site Scripting Vulnerability (CNVD-2021-102379)
rConfig is an open source network configuration management utility. rConfig version 3.9.5 contains a cross-site scripting vulnerability that can be exploited by remote attackers to execute arbitrary JavaScript code by entering a specific payload and saving it...
Command Injection
CKEditor 4 Fake Objects is vulnerable to command injection vulnerability. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code...
CVE-2021-24410 Telugu Bible Verse Daily <= 1.0 - CSRF to Stored XSS
The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses...
Email Artillery <= 4.1 - CSRF to Stored XSS
The plugin does not sanitise, validate or escape its settings, and is lacking any CSRF check before saving them. As a result, an attacker could make a logged in admin change them and put malicious JavaScript code as well, leading to Stored Cross-Site Scripting issues. PoC...
Cross-site Scripting (XSS) - Stored in ampache/ampache
✍️ Description This is a stored XSS in the mp3 management library. 🕵️♂️ Proof of Concept 1. Edit meta data with Audacity: 2. Create a new playlist that contains this file. 3. Vote an album 1 and then open "Informations" - "Most rated" 2: 💥 Impact By uploading an mp3 with javascript code into meta...
Cross-site Scripting (XSS) - Stored in ampache/ampache
✍️ Description This is a stored XSS in the mp3 management library. 🕵️♂️ Proof of Concept 1. Edit meta data with Audacity: 2. Create a new playlist that contains this file. 3. Open "New" 1 under "Information" menu: 💥 Impact By uploading an mp3 with javascript code into meta tag could permit an...
CVE-2021-37695
ckeditor is an open source WYSIWYG HTML editor with rich content support. A potential vulnerability has been discovered in CKEditor 4 Fake Objects package. The vulnerability allowed to inject malformed Fake Objects HTML, which could result in executing JavaScript code. It affects all users using...
CVE-2021-32808
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
CVE-2021-32808
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
CVE-2021-32808 Cross-site scripting in ckeditor via abuse of undo functionality
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...