
4739 matches found

Packet Storm
added 2024/06/12 12:0 a.m. | 272 views

XMB 1.9.12.06 Cross Site Scripting

Exploit Title: Persistent XSS in XMB 1.9.12.06; Date: 06/12/2024; Exploit Author: Chokri Hammedi; Vendor Homepage: https://www.xmbforum2.com/; Software Link: https://www.xmbforum2.com/download/XMB-1.9.12.06.zip; Version: 1.9.12.06; Tested on: Windows XP; CVE: N/A. Vulnerability Details: A persistent store...

7.4 AI score
Exploits: 0
Github Security Blog
added 2024/06/10 9:36 p.m. | 25 views

ghtml Cross-Site Scripting (XSS) vulnerability

Summary: It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. Actions Taken: Updated the documentation to clarify that while ghtml escapes characters with special meaning in HTML, it does not provide comprehensive protecti...

8.9 CVSS | 5.4 AI score | 0.00436 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Github Security Blog
added 2024/06/06 9:30 p.m. | 18 views

Withdrawn Advisory: lunary-ai/lunary XSS in SAML metadata endpoint

Withdrawn Advisory This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory. The underlying vulnerability report is still valid, but it doesn't affect...

7.4 CVSS | 6.5 AI score | 0.00347 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2024/06/06 9:30 p.m. | 12 views

GHSA-RPX8-FG6W-RM6X Withdrawn Advisory: lunary-ai/lunary XSS in SAML metadata endpoint

Withdrawn Advisory This advisory has been withdrawn because the lunary npm package is connected to https://github.com/lunary-ai/lunary-js, not the https://github.com/lunary-ai/lunary repo that is discussed in this advisory. The underlying vulnerability report is still valid, but it doesn't affect...

7.4 CVSS | 7 AI score | 0.00347 EPSS
Exploits: 1 | References: 4
NVD
added 2024/06/06 7:16 p.m. | 20 views

CVE-2024-5478

A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint /auth/saml/$org?.id/metadata of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the orgId parameter supplied by the user before incorporating it into the...

7.4 CVSS | 0.00347 EPSS
Exploits: 1 | References: 1
Cvelist
added 2024/06/06 6:24 p.m. | 24 views

CVE-2024-3402 Stored XSS vulnerability in gaizhenbiao/chuanhuchatgpt

A stored Cross-Site Scripting (XSS) vulnerability existed in version 20240121 of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model,...

6.8 CVSS | 0.00458 EPSS
Exploits: 1 | References: 1
Vulnrichment
added 2024/06/06 6:24 p.m. | 18 views

CVE-2024-3402 Stored XSS vulnerability in gaizhenbiao/chuanhuchatgpt

A stored Cross-Site Scripting (XSS) vulnerability existed in version 20240121 of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model,...

6.8 CVSS | 6 AI score | 0.00458 EPSS
Exploits: 1 | References: 1
Cvelist
added 2024/06/06 6:23 p.m. | 31 views

CVE-2024-3166 Cross-Site Scripting (XSS) Vulnerability in mintplex-labs/anything-llm

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, whic...

3.4 CVSS | 0.00962 EPSS
Exploits: 1 | References: 2
CVE
added 2024/06/06 6:23 p.m. | 54 views

CVE-2024-3166

Summary: CVE-2024-3166 affects mintplex-labs/anything-llm, including desktop v1.2.0 to v1.4.1 and the web app. The vulnerability is an XSS in the feature that fetches and embeds external website content into workspaces, with a route to Remote Code Execution in the desktop app due to Electron sett...

9.6 CVSS | 4.8 AI score | 0.00962 EPSS
Exploits: 1 | References: 2 | Affected Software: 2
Cvelist
added 2024/06/06 6:20 p.m. | 32 views

CVE-2024-5478 Cross-site Scripting (XSS) in SAML metadata endpoint in lunary-ai/lunary

A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint /auth/saml/$org?.id/metadata of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the orgId parameter supplied by the user before incorporating it into the...

7.4 CVSS | 0.00347 EPSS
Exploits: 1 | References: 1
Vulnrichment
added 2024/06/06 6:11 p.m. | 13 views

CVE-2024-3110 Stored XSS leading to admin account takeover in mintplex-labs/anything-llm

A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them...

7.3 CVSS | 5.8 AI score | 0.00668 EPSS
Exploits: 1 | References: 2
Veracode
added 2024/06/05 4:37 a.m. | 14 views

Cross-site Scripting (XSS)

activeadmin is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper sanitization of user input in dynamic legends, which allows for the injection of arbitrary JavaScript code when creating entities with names that include a script payload...

6.1 CVSS | 6.4 AI score | 0.00349 EPSS
Exploits: 0 | References: 7 | Affected Software: 1
CNVD
added 2024/06/04 12:0 a.m. | 7 views

IBM Planning Analytics Cross-Site Scripting Vulnerability (CNVD-2024-26495)

IBM Planning Analytics is a suite of business planning analytics solutions from International Business Machines (IBM). The solution supports automated execution of processes such as business planning, budgeting and analysis. A cross-site scripting vulnerability exists in IBM Planning Analytics Loca...

5.4 CVSS | 6.2 AI score | 0.00249 EPSS
Exploits: 0 | References: 1
CNVD
added 2024/06/04 12:0 a.m. | 5 views

IBM Planning Analytics Local Cross-Site Scripting Vulnerability

IBM Planning Analytics is a suite of business planning analytics solutions from International Business Machines (IBM). The solution supports automated execution of processes such as business planning, budgeting and analysis. A cross-site scripting vulnerability exists in IBM Planning Analytics Loca...

6.4 CVSS | 6.2 AI score | 0.00249 EPSS
Exploits: 0 | References: 1
Veracode
added 2024/06/03 8:31 a.m. | 8 views

Cross-site Scripting (XSS)

SimpleSAMLphp is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to unvalidated metadata endpoints, allowing malicious parties to substitute URLs with JavaScript code, leading to execution of the code in the user's browser if strict Content Security Policies are not enforced...

6.8 AI score
Exploits: 0
The Hacker News
added 2024/06/03 3:51 a.m. | 12 views

Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware

Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2). "Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware,"...

7.1 AI score
Exploits: 0
BDU FSTEC
added 2024/05/31 12:0 a.m. | 2 views

The vulnerability of the Ghost content management system, related to the lack of measures taken to protect the website structure, allows attackers to carry out XSS attacks.

The vulnerability of the Ghost content management system is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to carry out XSS attacks by sending a specially created malicious SVG file containing JavaScript code to port...

4 CVSS | 7.7 AI score | 0.03485 EPSS
Exploits: 1 | References: 5 | Affected Software: 1
Cvelist
added 2024/05/30 7:52 p.m. | 26 views

CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...

4.2 CVSS | 4.5 AI score | 0.00347 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2024/05/30 7:52 p.m. | 20 views

CVE-2024-32877 Reflected Cross-site Scripting in yiisoft/yii2 Debug mode

Yii 2 is a PHP application framework. During internal penetration testing of a product based on Yii2, users discovered a Cross-site Scripting (XSS) vulnerability within the framework itself. This issue is relevant for the latest version of Yii2 2.0.49.3. This issue lies in the mechanism for...

4.2 CVSS | 6.1 AI score | 0.00347 EPSS
Exploits: 0 | References: 2
OSV
added 2024/05/30 7:49 p.m. | 20 views

GHSA-VG6X-PCHQ-98MG OpenCMS Cross-Site Scripting vulnerability

Two Cross-Site Scripting vulnerabilities have been discovered in Alkacon's OpenCMS affecting version 16, which could allow a user: with sufficient privileges to create and modify web pages through the admin panel, can execute malicious JavaScript code, after inserting code in the title field...

6.4 CVSS | 6.7 AI score | 0.00285 EPSS
Exploits: 0 | References: 4