CVE-2021-26596
An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that...
Code injection
An issue was discovered in Nokia NetAct 18A. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that...
CVE-2021-26596
The CVE-2021-26596 entry concerns Nokia NetAct 18A. A vulnerability exists where a malicious user can change the filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim’s web browser. The attack is typically delivered by placing the malicious content...
pki-core: Stored XSS in TPS profile creation
A flaw was found in pki-core's Token Processing Service (TPS), which did not properly sanitize Profile IDs, enabling a Stored Cross-Site Scripting (XSS) vulnerability when the profile ID is printed. An attacker with sufficient permissions could trick an authenticated victim into executing a...
Cross-site Scripting (XSS)
eZ Platform Kernel is vulnerable to Cross-site Scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript code in a user's browser by uploading malicious .html and .js files...
Eclipse Theia Injection Vulnerability
Eclipse Theia is the Eclipse Foundation's framework for building Visual Studio Code-based open source integrated development environments for desktop and Web applications. An injection vulnerability exists in Eclipse Theia 0.16.0 and earlier versions, which stems from the absence of HTML escaping in...
MyBB Unauthenticated RCE Vulnerability (CVE-2021-27889 CVE-2021-27890)
MyBB Remote Code Execution Chain BY SIMON SCANNELL & CARL SMITH Today SonarSource is pleased to share with you a guest contribution to our Code Security blog series. The following blog post is authored by Simon Scannell and Carl Smith, two independent security researchers, joining us in sharing...
CVE-2021-24136
Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location ...
Cross site scripting
Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Pan...
CVE-2021-24136 Testimonials Widget < 4.0.0 - Multiple Authenticated Stored XSS
Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location ...
Flo Forms < 1.0.36 - Authenticated Options Change to Stored XSS
The plugin was being actively exploited, allowing low privilege users to use the floimportformsoptions AJAX action to import new options and inject malicious JavaScript code in the backend...
CVE-2021-28162
In Eclipse Theia versions up to and including 0.16.0, there is no HTML escaping in the notification messages, so JavaScript code can run...
CVE-2021-28161
In Eclipse Theia versions up to and including 1.8.0, there is no HTML escaping in the debug console, so arbitrary JavaScript code can be injected...
Design/Logic Flaw
In Eclipse Theia versions up to and including 0.16.0, there is no HTML escaping in the notification messages, so JavaScript code can run...
CVE-2021-28161
The CVE-2021-28161 entry concerns Eclipse Theia prior to or including version 1.8.0, where the debug console does not escape HTML. This lack of escaping enables injection of arbitrary JavaScript code through the console, constituting a cross-site scripting risk. The vulnerability is tied to Theia...
IBM Tivoli Netcool/OMNIbus GUI cross-site scripting vulnerability (CNVD-2021-17193)
IBM Tivoli Netcool/OMNIbus GUI is a graphical user interface for the IBM Tivoli Netcool/OMNIbus service level management system from IBM USA. A security vulnerability exists in IBM Tivoli Netcool/OMNIbus GUI that allows a user to embed arbitrary JavaScript code in the Web UI that could change the...
Cross-Site Scripting (XSS)
Apache Superset is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript code in a user's browser by creating a div section embedded with a malicious svg element...