4739 matches found
couchdb -- user privilege escalation
Cory Sabol reports: A malicious user with permission to create documents in a database is able to attach a HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will ...
Cross-site Scripting (XSS) - Reflected in forkcms/forkcms
✍️ Description The forkcms is vulnerable to XSS through the search form 🕵️♂️ Proof of Concept 1. Go to http://site.com/search?form=search&qwidget=%22%3E%3Csvg/onload=alertdocument.domain%3E 2. XSS payload will be executed 💥 Impact An attacker can execute JavaScript code in the website...
engineercms cross-site scripting vulnerability
engineercms is an open source engineer knowledge management system . Specifically for civil engineers to create a suitable web-based knowledge management system . It can be used to manage both individual project information , but also for managing project team information ; it can run on both...
Cross site scripting
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfilteredhtml capability is disallowed, leading to an...
Improper Privilege Management in amirsanni/mini-inventory-and-sales-management-system
💥 BUG unprivileged user can add item 💥 STEP TO REPDOUCE 1. From admin account goto https://1410inc.xyz/mini-inventory-and-sales-management-system/administrators and add new user callled user-B with basic role .\ So, user-B cant add new item.\ 2. Now goto user-B account and here user-B cant see...
CVE-2021-36605
engineercms 1.03 is vulnerable to Cross Site Scripting XSS. There is no escaping in the nickname field on the user list page. When viewing this page, the JavaScript code will be executed in the user's browser...
CVE-2021-36605
engineercms 1.03 is vulnerable to Cross Site Scripting XSS. There is no escaping in the nickname field on the user list page. When viewing this page, the JavaScript code will be executed in the user's browser...
IBM Jazz Foundation Cross-Site Scripting Vulnerability
IBM Jazz Foundation is a next-generation collaboration platform for software delivery technologies from IBM. IBM Jazz Foundation has a cross-site scripting vulnerability that could allow a remote attacker to embed arbitrary JavaScript code in the Web UI to alter the intended functionality,...
Cross site scripting
IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192957...
CVE-2020-5004
IBM Jazz Foundation products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 192957...
EVlink City, EVlink Parking, EVlink Smart Wallbox Information Disclosure Vulnerability
Schneider Electric EVlink City and others are a charging solution for electric vehicle charging stations from Schneider Electric France. EVlink City, EVlink Parking, and EVlink Smart Wallbox have an information disclosure vulnerability that The vulnerability stems from the fact that when maliciou...
Cross site scripting
Affected versions of this package are vulnerable to Cross-site Scripting XSS via the main functionality. It accepts input that can result in the output an anchor a tag containing undesirable Javascript code that can be executed upon user interaction...
Information disclosure
A CWE-200: Information Exposure vulnerability exists in EVlink City EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1, EVlink Parking EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1, and EVlink Smart Wallbox EVB1A all versions prior to R8 V3.4.0.1 that could allow an attacker to get...
EVlink City、EVlink Parking和EVlink Smart Wallbox 信息泄露漏洞
Schneider Electric EVlink City and others are a charging solution for electric vehicle charging stations from Schneider Electric France. EVlink City, EVlink Parking, and EVlink Smart Wallbox have an information disclosure vulnerability that The vulnerability stems from the fact that when maliciou...
CVE-2021-20507
IBM Jazz Foundation and IBM Engineering products are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID...
Advantech R-SeeNet Cross-Site Scripting Vulnerability (CNVD-2021-57184)
Advantech R-SeeNet is an industrial monitoring software from Advantech, Taiwan, China. The software is based on the snmp protocol for monitoring platforms and is available for Linux and Windows platforms.A cross-site scripting vulnerability exists in the devicegraphpage.php script function of...
Advantech R-SeeNet Cross-Site Scripting Vulnerability (CNVD-2021-57185)
Advantech R-SeeNet is an industrial monitoring software from Advantech, Taiwan, China. The software is based on the snmp protocol for monitoring platforms and is available for Linux and Windows platforms.A cross-site scripting vulnerability exists in the devicegraphpage.php script function of...
Photo Gallery < 1.5.79 - Stored XSS via Uploaded SVG in Zip
The plugin did not ensure that uploaded SVG files inside a Zipped archive added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly ie in the...
Photo Gallery < 1.5.75 - Stored Cross-Site Scripting via Uploaded SVG
The plugin did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly ie in the...
CVE-2021-21800
Cross-site scripting vulnerabilities exist in the sshform.php script functionality of Advantech R-SeeNet v 2.4.12 20.10.2020. If a user visits a specially crafted URL, it can lead to arbitrary JavaScript code execution in the context of the targeted user’s browser. An attacker can provide a craft...