PT-2024-66: Unauthorized Reflected XSS in PhpSpreadsheet (Currency.php)

The vulnerability was identified in PhpSpreadsheet, versions = 3.0.0, = 2.0.0, = 2.2.0, = 3.0.0, = 2.0.0, = 2.2.0, = 2.3.4 to 2.3.5 or higher Additional information: Researcher: Aleksey Solovev Positive Technologies...

GHSA-G2VG-8HFG-79VJ Koji Cross-site Scripting

A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code...

CVE-2024-9427

A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code...

CVE-2024-9427 Koji: escape html tag characters in the query string

A vulnerability in Koji was found. An unsanitized input allows for an XSS attack. Javascript code from a malicious link could be reflected in the resulting web page. It is not expected to be able to submit an action or make a change in Koji due to existing XSS protections in the code...

CVE-2024-56364 Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx

SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in 1.0.12 and ending in 1.1.13, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. This vulnerability is fixed in 1.1.13...

CVE-2024-56364

CVE-2024-56364 affects the SimpleXLSX PHP library. From versions 1.0.12 through 1.1.13, calling the extended toHTMLEx method could allow execution of arbitrary JavaScript, via the toHTMLEx component. The vulnerability is mitigated by upgrading to version 1.1.13 or newer, which contains the fix. R...

Amazon Linux 2 : gnome-shell (ALAS-2024-2714)

The version of gnome-shell installed on the remote host is prior to 3.28.3-34. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2714 advisory. In GNOME Shell through 45.7, a portal helper can be launched automatically without user confirmation based on network respons...

CVE-2024-55342

A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser, leading to a XSS...

CVE-2021-20553

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2021-20553 IBM Sterling B2B Integrator Standard Edition cross-site scripting

IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.1.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2024-55239

A reflected Cross-Site Scripting vulnerability in the standard documentation upload functionality in Portabilis i-Educar 2.9 allows attacker to craft malicious urls with arbitrary javascript in the 'titulodocumento' parameter...

Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks

A new phishing campaign has been observed employing tax-themed lures to deliver a stealthy backdoor payload as part of attacks targeting Pakistan. Cybersecurity company Securonix, which is tracking the activity under the name FLUXCONSOLE , said it likely starts with a phishing email link or...

BIT-NODE-MIN-2023-39333

Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability...

CVE-2024-55878 Cross-site Scripting vulnerability in SimpleXLSXEx::readXfs and SimpeXLSX::toHTMLEx

SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct...

CVE-2024-54043

Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting XSS vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the...

CVE-2024-47117

IBM Carbon Design System Carbon Charts 0.4.0 through 1.13.16 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

CVE-2024-47117

The CVE-2024-47117 entry concerns IBM Carbon Design System (Carbon Charts) with versions 0.4.0–1.13.16 affected by cross-site scripting. The root cause is improper handling/sanitization of user-provided HTML, enabling an authenticated user to embed arbitrary JavaScript in the Web UI, potentially ...

CVE-2024-47117 IBM Carbon Design System cross-site scripting

IBM Carbon Design System Carbon Charts 0.4.0 through 1.13.16 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

CVE-2024-47117 IBM Carbon Design System cross-site scripting

IBM Carbon Design System Carbon Charts 0.4.0 through 1.13.16 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a...

U.S. Dept Of Defense: XSS vulnerability found in javascript code of https://███.mil

The XSS vulnerability was found in the JavaScript code of the website https://███.mil. The parameter "code" was not sufficiently sanitized, allowing the injection of malicious code. This vulnerability could have been exploited to execute arbitrary scripts in the context of the affected website...