Arbitrary Code Execution

org.openrefine.dependencies, butterfly is vulnerable to Arbitrary Code Execution. The vulnerability is due to improper input handling in the Butterfly.prototype.parseJSON or getJSON functions, allowing crafted input to execute arbitrary JavaScript code on the server...

Important: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

Important: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available...

CVE-2024-47880 OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page th...

CVE-2024-47878

OpenRefine before 3.8.3 exposes the state parameter in a [removed] tag via the /extension/gdata/authorized endpoint, enabling reflected XSS (CVE-2024-47878). The issue arises from verbatim inclusion without escaping, allowing an attacker to craft a URL that executes JavaScript in a victim’s brows...

CVE-2024-47878 Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing...

CVE-2024-47878

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing...

OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand

Summary The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then ...

GHSA-79JV-5226-783F OpenRefine has a reflected cross-site scripting vulnerability (XSS) from POST request in ExportRowsCommand

Summary The export-rows command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then ...

CVE-2024-10332

A Cross-Site Scripting vulnerability has been found in Janto v4.3r11 from Impronta. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the endpoint “/abonados/public/janto/main.php”...

CVE-2024-49210

Reflected XSS was discovered in an iView List Archer Platform UX page in Archer Platform 6.x before version 2024.09. A remote unauthenticated attacker could potentially exploit this by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web...

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month an email that...

CVE-2024-10099 Stored XSS in comfyanonymous/comfyui

A stored cross-site scripting XSS vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the /api/upload/image endpoint. The payload is executed when the file is viewe...

CVE-2024-10099 Stored XSS in comfyanonymous/comfyui

A stored cross-site scripting XSS vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the /api/upload/image endpoint. The payload is executed when the file is viewe...

IBM WebSphere Application Server Cross-Site Scripting Vulnerability (CNVD-2024-43188)

IBM WebSphere Application Server WAS is an application server product from International Business Machines IBM. The product is a platform for JavaEE and Web services applications and is the foundation of the IBM WebSphere software platform. A cross-site scripting vulnerability exists in IBM...

Esri Portal For ArcGIS Cross-Site Scripting Vulnerability (CNVD-2024-41007)

Esri Portal For ArcGIS is a component from Environmental Systems Research Institute Esri that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal For ArcGIS, which can be...

Esri Portal For ArcGIS Cross-Site Scripting Vulnerability (CNVD-2024-41008)

Esri Portal For ArcGIS is a component from Environmental Systems Research Institute Esri that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. Esri Portal For ArcGIS suffers from a cross-site scripting vulnerability that can be...

CVE-2023-32192

A vulnerability has been identified in which unauthenticated cross-site scripting XSS in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser...

CVE-2023-32192 Rancher API Server Cross-site Scripting Vulnerability

A vulnerability has been identified in which unauthenticated cross-site scripting XSS in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser...

CVE-2023-32192 Rancher API Server Cross-site Scripting Vulnerability

A vulnerability has been identified in which unauthenticated cross-site scripting XSS in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser...