CVE-2024-51960
CVE-2024-51960 affects Esri ArcGIS Server (versions 11.3 and earlier). The vulnerability is a stored Cross-site Scripting (XSS) in the ArcGIS Server Administrator Directory that can be exploited when a specially crafted link is created and clicked by an authenticated user with publisher privilege...
CVE-2024-51960 Stored XSS in ArcGIS Server Administrator Directory
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-51959
CVE-2024-51959 is a stored XSS vulnerability in Esri ArcGIS Server (versions 10.9.1–11.3). An authenticated attacker with publisher privileges can craft a link that, when clicked, may execute arbitrary JavaScript in the victim’s browser. Impact is described as low for confidentiality and integrit...
CVE-2024-51952 Stored XSS issue in ArcGIS Server
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-51951 Stored XSS in Server Admin API
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-51949 Stored XSS vulnerability in Rest Services under OGCFeature Service and Map Service
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-51947 Stored XSS vulnerability in Rest Services under Layer name
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-51946
CVE-2024-51946 is an ArcGIS Server vulnerability. Affected product: Esri ArcGIS Server versions 10.9.1 through 11.3. Threat: stored Cross-site Scripting via a crafted link that, when clicked by an authenticated user with publisher privileges, can execute arbitrary JavaScript in the victim’s brows...
CVE-2024-51945
CVE-2024-51945 describes a stored XSS in Esri ArcGIS Server (versions ≤11.3). An authenticated attacker with publisher privileges can craft a link that, when clicked by a user, may execute arbitrary JavaScript in the browser. Impact is low for confidentiality and integrity; no availability impact...
CVE-2024-51944
CVE-2024-51944 is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server (versions 10.9.1–11.3). The issue allows a remote, authenticated attacker with publisher privileges to craft a link that, when clicked, may execute arbitrary JavaScript in the victim’s browser. Impact is described...
CVE-2024-51942 Stored XSS vulnerability in Rest Admin API under Hosted Feature Services page
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-5888 Stored XSS in Rest Services API for a Toolbox published as GP Service
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required...
CVE-2024-54179
IBM Business Automation Workflow and IBM Business Automation Workflow Enterprise Service Bus versions 24.0.0 and 24.0.1 (and earlier unsupported) are vulnerable to cross-site scripting (CWE-79). An authenticated user can embed arbitrary JavaScript in the Web UI, potentially exposing credentials w...
Security Bulletin: Cross-Site scripting vulnerability affect IBM Business Automation Workflow Advanced - CVE-2024-54179
Summary: IBM Business Automation Workflow is vulnerable to a Cross Site Scripting attack. Vulnerability Details: CVEID: CVE-2024-54179. DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript co...
CVE-2025-0719
IBM Cloud Pak for Data 4.0.0 through 4.8.5 and 5.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a truste...
CVE-2025-0719
CVE-2025-0719 affects IBM Cloud Pak for Data (versions 4.0.0–4.8.5 and 5.0.0). The IBM advisory describes a reflected cross-site scripting (XSS) vulnerability on the /error endpoint, where an unauthenticated attacker can inject JavaScript via the error parameter, potentially leading to credential...
CVE-2025-0423
In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple unauthenticated stored cross-site scripting vulnerabilities. An unauthenticated attacker is able to compromise the sessions of users on the server by injecting JavaScript code into their...
CVE-2024-56882
Sage DPW before 202412000 is vulnerable to Cross Site Scripting (XSS). Low-privileged Sage users with employee role privileges can permanently store JavaScript code in the Kurstitel and Kurzinfo input fields. The injected payload is executed for each authenticated user who views and interacts with...