
4739 matches found

Github Security Blog
added 2024/02/26 8:01 p.m. | 31 views

Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type

TL;DR This vulnerability affects Kirby sites that use the new link field and output the entered link without additional validation or sanitization. The attack commonly requires user interaction by another user or visitor. The link dialog of the writer field is not affected as the writer field...

CVSS 5.4 | AI score 5.7 | EPSS 0.00348
Exploits: 0 | References: 5 | Affected software: 1
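
The Kirby entry above describes the general shape of a link-field XSS: a user-entered link emitted into an href without validation. The following is an added example of the check a site would put in front of that output; it is not Kirby's code, and the allowed scheme set and the placeholder base URL are assumptions for a typical site.

```javascript
// Added example (not Kirby's code): validate a user-entered link before it lands in an href.
// The allowed scheme set and the placeholder base URL are assumptions for a typical site.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const PLACEHOLDER_BASE = 'https://site.invalid/';   // only used to resolve relative links for inspection

// Returns the href to emit, or null if the value must not be linked at all.
function safeHref(userValue) {
  const v = String(userValue).trim();
  if (v === '') return null;
  let url;
  try {
    url = new URL(v, PLACEHOLDER_BASE);          // WHATWG parser: strips tabs/newlines, lowercases the scheme
  } catch {
    return null;                                 // unparseable input is rejected, not "fixed"
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;   // allow-list: javascript:, data:, vbscript: all fail here
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(v) || v.startsWith('//');
  return hasScheme ? url.href : v;               // absolute links emitted normalized; relative paths as typed
}

// Encoding for the HTML attribute and text contexts the link is written into.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Render the link, degrading to plain text when the href is rejected.
function renderLink(userHref, text) {
  const href = safeHref(userHref);
  if (href === null) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```

The scheme check runs on the parsed URL rather than on the raw string, so obfuscations the browser would accept (mixed case, embedded tabs or newlines, leading control characters) are normalized away before the allow-list is consulted; the attribute encoding is still required on top, because a valid https URL can carry quotes.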
Prion
added 2024/02/26 4:27 p.m. | 31 views

Cross site scripting

IBM Cognos Analytics 11.1.7, 11.2.4, and 12.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...

CVSS 4.9 | AI score 6.2 | EPSS 0.00626
Exploits: 0 | References: 2
CNVD
added 2024/02/22 12:00 a.m. | 26 views

CKEditor cross-site scripting vulnerability (CNVD-2024-09867)

CKEditor is an open source, web-based text editor. CKEditor 4 contains a cross-site scripting vulnerability that an attacker can exploit to execute JavaScript code by abusing a misconfigured preview function...

CVSS 6.1 | AI score 6.5 | EPSS 0.01652
Exploits: 0 | References: 1
Prion
added 2024/02/21 3:15 p.m. | 14 views

Cross site scripting

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 256544...

CVSS 4.9 | AI score 6.2 | EPSS 0.0036
Exploits: 0 | References: 2
Vulnrichment
added 2024/02/21 12:00 a.m. | 10 views

CVE-2024-26311

Archer Platform 6.x before 6.14 P2 HF1 6.14.0.2.1 contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then...

CVSS 5.7 | AI score 6 | EPSS 0.00519
Exploits: 0 | References: 2
Packet Storm
added 2024/02/21 12:00 a.m. | 306 views

OpenOLAT 18.1.5 Cross Site Scripting / Privilege Escalation

SEC Consult Vulnerability Lab Security Advisory
title: Multiple Stored Cross-Site Scripting Vulnerabilities
product: OpenOLAT Frentix GmbH
vulnerable version: = 18.1.4 and = 18.1.5
fixed version: 18.1.6 / 18.2
CVE number: ...

AI score 7.4 | EPSS 0.00561
Exploits: 4
Cvelist
added 2024/02/21 12:00 a.m. | 40 views

CVE-2024-26311

Archer Platform 6.x before 6.14 P2 HF1 6.14.0.2.1 contains a reflected XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this by tricking a victim application user into supplying malicious JavaScript code to the vulnerable web application. This code is then...

CVSS 5.7 | AI score 5.5 | EPSS 0.00519
Exploits: 0 | References: 2
Cvelist
added 2024/02/20 7:50 p.m. | 17 views

CVE-2024-26135 MeshCentral cross-site websocket hijacking (CSWSH) vulnerability

MeshCentral is a full computer management web site. Versions prior to 1.1.21 contain a cross-site WebSocket hijacking (CSWSH) vulnerability in the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The vulnerability is...

CVSS 8.3 | AI score 8.3 | EPSS 0.0046
Exploits: 1 | References: 2
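
Cross-site WebSocket hijacking, as in the MeshCentral entry above, works because a WebSocket handshake started by a foreign page carries the victim's cookies and the server never asks where the handshake came from. The following is an added example of the server-side Origin check that closes that gap; it is not MeshCentral's code, and the allowed origin is an assumption standing in for a real deployment's URL.

```javascript
// Added example (not MeshCentral's code): Origin validation on a WebSocket upgrade, the
// server-side control that stops cross-site WebSocket hijacking. The allowed origin is an
// assumption standing in for the real deployment's URL.

const ALLOWED_ORIGINS = new Set(['https://mesh.example.com']);   // assumed deployment origin

// Normalize an Origin header to scheme://host[:port]; null for opaque ('null') or malformed values.
function parseOrigin(raw) {
  if (typeof raw !== 'string' || raw === 'null') return null;
  try {
    return new URL(raw).origin;   // drops default ports and lowercases the host
  } catch {
    return null;
  }
}

// Browsers always send Origin on a WebSocket handshake, and the victim's cookies travel with it,
// so a foreign-origin browser request is exactly the CSWSH case and must be refused.
// A request with no Origin is not browser-initiated (agent, CLI); allow it unless requireOrigin is set.
function originAllowed(headers, allowed = ALLOWED_ORIGINS, requireOrigin = false) {
  const raw = headers['origin'];                 // Node lowercases incoming header names
  if (raw === undefined) return !requireOrigin;
  const origin = parseOrigin(raw);
  return origin !== null && allowed.has(origin); // exact match only; startsWith/includes would admit lookalike hosts
}

// Shape of a Node http 'upgrade' handler: reject before any WebSocket library touches the socket.
function guardUpgrade(req, socket) {
  if (originAllowed(req.headers)) return true;   // caller hands the socket to its WebSocket library
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
  socket.destroy();
  return false;
}
```

The comparison is on the parsed origin, so `https://Mesh.example.com:443` is accepted as the same origin while `https://mesh.example.com.attacker.net` is not. A per-session token in the handshake URL and a SameSite cookie are worthwhile second layers, but the Origin check is the one that does not depend on every client's cookie handling.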
NVD
added 2024/02/20 6:15 p.m. | 15 views

CVE-2024-21678

This High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser, which has high impact to...

CVSS 8.5 | AI score 8.2 | EPSS 0.00471
Exploits: 0 | References: 2
OSV
added 2024/02/20 8:15 a.m. | 8 views

CVE-2024-25973

The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or rename a catalog...

CVSS 5.4 | AI score 5.1
Exploits: 0 | References: 2
Vulnrichment
added 2024/02/20 8:00 a.m. | 28 views

CVE-2024-25973 Multiple Stored Cross-Site Scripting Vulnerabilities

The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. An attacker with rights to create or edit groups can create a course with a name that contains an XSS payload. Furthermore, attackers with the permissions to create or rename a catalog...

AI score 5.1 | EPSS 0.00561
Exploits: 3 | References: 2
Veracode
added 2024/02/19 11:57 a.m. | 14 views

Cross Site Scripting (XSS)

@scrypted/core and @scrypted/server are vulnerable to Cross Site Scripting. The vulnerability is due to insufficient input validation on the login page, allowing attackers to execute arbitrary JavaScript code after the login process...

CVSS 6.1 | AI score 7.5 | EPSS 0.00424
Exploits: 1 | References: 5 | Affected software: 2
Veracode
added 2024/02/15 7:05 a.m. | 14 views

Cross-Site Scripting (XSS)

sidekiq-unique-jobs is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper parameter sanitization within a GET request to the admin web UI. This allows an attacker with super-user permission to execute arbitrary JavaScript code in the browser...

CVSS 7.1 | AI score 6.8 | EPSS 0.00525
Exploits: 1 | References: 3 | Affected software: 1
Packet Storm
added 2024/02/14 12:00 a.m. | 532 views

Statamic CMS Cross Site Scripting

SEC Consult Vulnerability Lab Security Advisory
title: Multiple Stored Cross-Site Scripting vulnerabilities
product: Statamic CMS
vulnerable version: =4.46.0, =3.4.17
CVE number: CVE-2024-24570
impact: high
homepage: ...

CVSS 8.2 | AI score 7.4 | EPSS 0.00734
Exploits: 1
OSV
added 2024/02/13 4:15 p.m. | 7 views

CVE-2023-48432

An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. XSS, with resultant session stealing, can occur via JavaScript code in a link for a webmail redirection endpoint within an email message, e.g., if a victim clicks on that link within Zimbra webmail...

CVSS 6.1 | AI score 6.9
Exploits: 0 | References: 3
Veracode
added 2024/02/13 8:09 a.m. | 18 views

Cross-site Scripting (XSS)

ghost is vulnerable to Cross-Site Scripting. The vulnerability is due to missing sanitization during SVG image upload. An attacker can upload an SVG profile picture containing JavaScript code which interacts with the API on localhost TCP port 3001, allowing a contributor to potentially take over an...

CVSS 9 | AI score 6.8 | EPSS 0.03485
Exploits: 1 | References: 4 | Affected software: 1
Github Security Blog
added 2024/02/11 3:30 a.m. | 28 views

Ghost has possible Cross-site Scripting issue

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view th...

CVSS 9 | AI score 7 | EPSS 0.03485
Exploits: 1 | References: 5 | Affected software: 1
OSV
added 2024/02/11 1:15 a.m. | 10 views

CVE-2024-23724

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view th...

CVSS 9 | AI score 9.2 | EPSS 0.03485
Exploits: 1 | References: 3
NVD
added 2024/02/11 1:15 a.m. | 14 views

CVE-2024-23724

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view th...

CVSS 9 | AI score 6.6 | EPSS 0.03485
Exploits: 1 | References: 3
Prion
added 2024/02/11 1:15 a.m. | 27 views

Cross site scripting

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view th...

AI score 7.5 | EPSS 0.03485
Exploits: 1 | References: 3
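
The Ghost entries above all turn on one mechanism: an SVG is XML that can carry script, and once it is served from the site's own origin that script runs with the site's session. The following is an added example of a deny-by-default gate for SVG uploads together with the response headers that keep a missed file from running in the site's origin; it is not Ghost's code, the header values are assumptions for a typical deployment, and the sample SVGs are constructed for the example, not taken from any advisory.

```javascript
// Added example (not Ghost's code): a deny-by-default gate for user-uploaded SVG plus the
// response headers to serve uploads under. Header values are assumptions for a typical
// deployment; a production pipeline would add an allow-list sanitizer on top of this gate.

// Each rule names one way an SVG can carry script or reach outside the file.
const ACTIVE_CONTENT_RULES = [
  { name: 'script element',          re: /<\s*script\b/i },
  { name: 'event handler attribute', re: /\son[a-z]+\s*=/i },
  { name: 'javascript: URI',         re: /(?:href|src)\s*=\s*["']?\s*javascript:/i },
  { name: 'entity-encoded URI',      re: /(?:href|src)\s*=\s*["'][^"']*&#/i },   // &#106;avascript: would evade the rule above
  { name: 'foreignObject',           re: /<\s*foreignObject\b/i },              // embeds arbitrary HTML
  { name: 'SMIL animation',          re: /<\s*(?:set|animate\w*)\b/i },         // can rewrite href at runtime
  { name: 'remote reference',        re: /(?:href|src)\s*=\s*["']?\s*(?:https?:)?\/\//i },
  { name: 'entity declaration',      re: /<!ENTITY\b/i },
  { name: 'stylesheet import',       re: /@import\b|<\?xml-stylesheet\b/i },
];

// Reports every rule the upload trips; the upload is accepted only when none do.
function inspectSvg(text) {
  const findings = [];
  if (!/<\s*svg\b/i.test(text)) findings.push('no <svg> root');
  for (const { name, re } of ACTIVE_CONTENT_RULES) {
    if (re.test(text)) findings.push(name);
  }
  return { safe: findings.length === 0, findings };
}

// Backstop for anything the gate misses: a sandboxed, download-only response cannot run script
// in the site's origin even when navigated to directly, while <img> embedding still renders it.
function uploadResponseHeaders() {
  return {
    'Content-Type': 'image/svg+xml',
    'Content-Security-Policy': "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    'Content-Disposition': 'attachment',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed samples for the example (not from any advisory).
const BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09c"/></svg>';
const SCRIPTED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>';
const HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>';
const ENCODED_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><a href="&#106;avascript:alert(1)"><text y="8">x</text></a></svg>';
```

The gate rejects rather than rewrites: a regex pass over XML cannot be trusted to remove script, but it can refuse a file that shows any sign of it, and the false positives that costs (an attribute that happens to start with `on`) are cheap for profile pictures. The headers are the control that matters when the gate is wrong, because they make the file's origin irrelevant.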