USN-4620-1: phpLDAPadmin vulnerability

It was discovered that phpLDAPadmin didn't properly sanitize before being echoed to the user. A remote attacker could inject arbitrary HTML/Javascript code in a user's context and cause a crash, resulting in denial of service or potential execution of arbitrary code...

CVE-2020-26211

In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of javascript: URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a pag...

Cross site scripting

On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting XSS vulnerability exists in the BIG-IP ASM Configuration utility response and blocking pages. An authenticated user with administrative privileges can specify a response page with any content, including JavaScript code that will be executed wh...

CVE-2020-9860

CVE-2020-9860 affects Safari on macOS (and WebKit components) prior to version 13.0.5. The root cause is improper input validation in the handling of custom URL schemes, which could allow a malicious URL to trigger arbitrary JavaScript execution. Apple’s fix is to address this input validation is...

Facebook, News and XSS Underpin Complex Browser Locker Attack

A sophisticated “browser locker” campaign is spreading via Facebook, ultimately pushing a tech-support scam. The effort is more advanced than most, because it involves exploiting a cross-site scripting XSS vulnerability on a popular news site, researchers said. Browser lockers are a type of...

Stock Management System 1.0 - 'Product Name' Persistent Cross-Site Scripting

Exploit Title: Stock Management System 1.0 - Persistent Cross-Site Scripting Product Name Exploit Author: Adeeb Shah @hyd3sec Date: August 2, 2020 Vendor Homepage: https://www.sourcecodester.com/ Software Link: https://www.sourcecodester.com/php/14366/stock-management-system-php.html Version: 1.0...

CVE-2020-4564

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.3.1 and IBM Sterling File Gateway 2.2.0.0 through 6.0.3.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVE-2020-7747

This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...

Spoofing

An issue was discovered in Sage DPW 202006x before 202006002. It allows unauthenticated users to upload JavaScript in a file via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include...

Design/Logic Flaw

An issue was discovered in Sage DPW 202006x before 202006002. The search field "Kurs suchen" on the page Kurskatalog is vulnerable to Reflected XSS. If the attacker can lure a user into clicking a crafted link, he can execute arbitrary JavaScript code in the user's browser. The vulnerability can ...

CVE-2020-26584

An issue was discovered in Sage DPW 202006x before 202006002. The search field "Kurs suchen" on the page Kurskatalog is vulnerable to Reflected XSS. If the attacker can lure a user into clicking a crafted link, he can execute arbitrary JavaScript code in the user's browser. The vulnerability can ...

CVE-2020-26583

An issue was discovered in Sage DPW 202006x before 202006002. It allows unauthenticated users to upload JavaScript in a file via the expenses claiming functionality. However, to view the file, authentication is required. By exploiting this vulnerability, an attacker can persistently include...

Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-4557

Summary IBM Business Process Manager and IBM Business Automation Workflow are vulnerable to a cross-site scripting attack. Vulnerability Details CVEID: CVE-2020-4557 DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager is vulnerable to cross-site scripting. This...

CVE-2020-4679

IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186424...

CVE-2020-4681

IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 186427...

Cross site scripting

A stored cross-site scripting XSS vulnerability exists in the SonicOS SSLVPN web interface. A remote unauthenticated attacker is able to store and potentially execute arbitrary JavaScript code in the firewall SSLVPN portal. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen ...

SonicOS SSLVPN Stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability exists in the SonicOS SSLVPN web interface. A remote unauthenticated attacker is able to store and potentially execute arbitrary JavaScript code in the firewall SSLVPN portal. This vulnerability affected SonicOS Gen 5 version 5.9.1.7, 5.9.1.13, Gen ...

Autoptimize < 2.7.8 - Authenticated Stored XSS via File Upload

The plugin does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html...

CVE-2020-26574

Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. It is rendered by the admins the next time they log in. The JavaScript injected can be used to force the admin to upload a...

Cross site scripting

Leostream Connection Broker 8.2.x is affected by stored XSS. An unauthenticated attacker can inject arbitrary JavaScript code via the webquery.pl User-Agent HTTP header. It is rendered by the admins the next time they log in. The JavaScript injected can be used to force the admin to upload a...