CVE-2024-22876

StrangeBee TheHive 5.1.0 to 5.1.9 and 5.2.0 to 5.2.8 is vulnerable to Cross Site Scripting XSS in the case attachment functionality which enables an attacker to upload a malicious HTML file with Javascript code that will be executed in the context of the The Hive application using a specific URL...

CVE-2024-22414

flaskBlog is a simple blog app built with Flask. Improper storage and rendering of the /user/ page allows a user's comments to execute arbitrary javascript code. The html template user.html contains the following code snippet to render comments made by a user: comment2|safe. Use of the "safe" tag...

Cross site scripting

Avo is a framework to create admin panels for Ruby on Rails apps. A stored cross-site scripting XSS vulnerability was found in the keyvalue field of Avo v3.2.3 and v2.46.0. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. The value of the...

avo vulnerable to stored cross-site scripting (XSS) in key_value field

Summary A stored cross-site scripting XSS vulnerability was found in the keyvalue field of Avo v3.2.3. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. Details The value of the keyvalue is inserted directly into the HTML code. In the current...

avo vulnerable to stored cross-site scripting (XSS) in key_value field

Summary A stored cross-site scripting XSS vulnerability was found in the keyvalue field of Avo v3.2.3. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the victim's browser. Details The value of the keyvalue is inserted directly into the HTML code. In the current...

USN-6038-2: Go vulnerabilities

USN-6038-1 fixed several vulnerabilities in Go 1.18. This update provides the corresponding updates for Go 1.13 and Go 1.16. CVE-2022-29526 and CVE-2022-30630 only affected Go 1.16. Original advisory details: It was discovered that the Go net/http module incorrectly handled Transfer-Encoding...

CVE-2023-47882

The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.920231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component...

CVE-2023-47883

The CVE-2023-47883 issue affects the com.altamirano.fabricio.tvbrowser TV browser app for Android (versions through 4.5.1). Affected component: MainActivity exposed to an explicit intent, enabling JavaScript code execution. Impact is high (CVE scoring shows critical severity, vector: network, no ...

CVE-2023-47883

The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity...

CVE-2021-38927 IBM Aspera Console cross-site scripting

IBM Aspera Console 3.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 210322...

CVE-2023-50924 Stored XSS in Overview and Output fields

Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the...

CVE-2023-49086

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database TSDB. A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an...

CVE-2023-49086

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database TSDB. A vulnerability in versions prior to 1.2.27 bypasses an earlier fix for CVE-2023-39360, therefore leading to a DOM XSS attack. Exploitation of the vulnerability is possible for an...

Cross site scripting

IBM Security Guardium Key Lifecycle Manager 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...

CVE-2023-47620

Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the plugin-http.ts file via the owner' and 'pkg parameters. An attacker can run arbitrary JavaScript code...

CVE-2023-47623

Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the login page via the redirecturi parameter. By specifying a url with the javascript scheme javascript:, an attacker can run arbitrary JavaScript...

CVE-2023-47620 Scrypted reflected Cross-site Scripting vulnerability

Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the plugin-http.ts file via the owner' and 'pkg parameters. An attacker can run arbitrary JavaScript code...

Siemens User Management Component (UMC) Cross-Site Scripting Vulnerability

Opcenter Quality is a quality management system QMS that enables organizations to safeguard compliance, optimize quality, reduce the cost of defects and rework, and achieve operational excellence by improving process stability. simatic pcs neo is a distributed control system DCS. the SINUMERIK...

CVE-2023-6333

The affected ControlByWeb Relay products are vulnerable to a stored cross-site scripting vulnerability, which could allow an attacker to inject arbitrary scripts into the endpoint of a web interface that could run malicious javascript code during a user's session...

CVE-2023-6333

The CVE-2023-6333 issue affects ControlByWeb Relay devices (X-332-24I firmware 1.06; X-301-I firmware 1.15; X-301-24I firmware 1.15). Root cause: improper neutralization of input during web page generation (stored XSS). Impact: an authenticated attacker could inject arbitrary JavaScript into the ...