An unrestricted upload file leads to a stored XSS via SVG file.
Description During the test, I discovered that the upload function accepted svg files without any sanitization, allowing me to inject javascript code into the svg file and store it, as well as execute the javascript code via the svg file. Proof of Concept // PoC.js...
Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722)
Summary IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This vulnerability can exploit or hijack authenticated users sessions. Vulnerability Details CVEID:CVE-2022-35722 DESCRIPTION: IBM Jazz for Service Management is vulnerable to stored cross-site scripting. This...
Typora fails to properly neutralize JavaScript code.
Overview Typora fails to properly neutralize JavaScript code CWE-116. Eiji Mori of Flatt Security Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact Opening a file with the affected product may lead to...
CVE-2022-38390
Multiple IBM Business Automation Workflow versions are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2022-40846
In Tenda AC1200 Router model W15Ev2 V15.11.0.101576, a Stored Cross Site Scripting XSS vulnerability exists allowing an attacker to execute JavaScript code via the applications stored hostname...
CVE-2022-34317 IBM CICS TX cross-site scripting
IBM CICS TX 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229459...
CVE-2022-34315 IBM CICS TX cross-site scripting
IBM CICS TX 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 229451...
CVE-2022-36776
IBM Cloud Pak for Security CP4S 1.10.0.0 79and 1.10.2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM...
Cross site scripting
An Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in spacewalk/Uyuni of SUSE Linux Enterprise Module for SUSE Manager Server 4.2, SUSE Linux Enterprise Module for SUSE Manager Server 4.3, SUSE Manager Server 4.2 allows remote attackers to embed...
Cross site scripting
VMware Workspace ONE Assist prior to 22.10 contains a Reflected cross-site scripting XSS vulnerability. Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window...
CVE-2022-30615
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592...
CVE-2022-35642
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592...
phpMyFAQ < 3.1.8 Multiple Vulnerabilities
phpMyFAQ is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:phpmyfaq:phpmyfaq"; if description...
Cross site scripting
Forma LMS version 3.1.0 and earlier are affected by a Cross-Site Scripting vulnerability that could allow a remote attacker to inject JavaScript code on the “backurl” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could allow an attacker to...
CVE-2022-41679 Cross-site scripting in Forma LMS version
Forma LMS version 3.1.0 and earlier are affected by a Cross-Site Scripting vulnerability that could allow a remote attacker to inject JavaScript code on the “backurl” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could allow an attacker to...
Cross site scripting
An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting XSS in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user...
Stored XSS - XSS in RSS link
Description An Administrator can import a malicious RSS feed that contains Cross Site Scripting XSS payloads inside RSS links. The administrator can then make the RSS feed available to all users of the software. Victims who wish to visit an RSS content will execute the Javascript code in a new ta...
CVE-2022-40183 Reflected Cross Site Scripting (XSS) in VIDEOJET multi 4000
An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross site scripting XSS in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of the user...