5921 matches found
CVE-2024-8556
CVE-2024-8556 affects modelscope/agentscope with a stored XSS in the run-details view where a user-controllable run ID is appended and rendered as HTML, enabling arbitrary JavaScript in the victim’s browser. The issue is tied to dashboard.js rendering logic; PoC in Snyk shows a crafted run_id, co...
CVE-2024-8556 Stored XSS in modelscope/agentscope
A stored cross-site scripting XSS vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on the main branch. The vulnerability occurs in the view for inspecting detailed run information, where a user-controllable string run ID is appended and rendered as HTML. This allows ...
CVE-2024-8400 Stored XSS in gaizhenbiao/chuanhuchatgpt
A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...
CVE-2024-8400
CVE-2024-8400 is a stored cross-site scripting vulnerability in gaizhenbiao/chuanhuchatgpt. The issue stems from lack of proper filtering/escaping when a user uploads an HTML file that contains JavaScript, which is then executed when the file is accessed. This enables arbitrary JavaScript executi...
CVE-2024-10727
CVE-2024-10727 affects phpipam/phpipam versions 1.5.0–1.6.0. A reflected XSS occurs when HTTP request data is included in the immediate response in an unsafe manner, allowing arbitrary JavaScript execution in the user’s browser and potential full compromise. No remediation details are provided in...
CVE-2024-10727 Cross-Site Scripting (XSS) in phpipam/phpipam
A reflected cross-site scripting XSS vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute...
CVE-2024-12870
CVE-2024-12870 describes a stored XSS in infiniflow/ragflow on the main branch (commit cec2080). The vulnerability allows uploading HTML/XML files served as application/xml, which browsers render, enabling arbitrary JavaScript execution in the user’s browser. Impact stated: potential cookie theft...
CVE-2024-12870 Stored Cross-site Scripting (XSS) in infiniflow/ragflow
A stored cross-site scripting XSS vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch cec2080. The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' conten...
CVE-2024-7044 Stored XSS in open-webui/open-webui
A Stored Cross-Site Scripting XSS vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a file, which, when accessed by a victim through a URL or shared chat, executes JavaScript in the victim's browser. Th...
CVE-2024-4023 Stored XSS in flatpressblog/flatpress
A stored cross-site scripting XSS vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a .xsig extension and directly accesses this file, the server responds with a Content-type of application/octet-stream, leading to the file being processed as an HTML fil...
CVE-2024-4023
CVE-2024-4023 describes a stored XSS in flatpressblog/flatpress v1.3. When a user uploads a file with a .xsig extension, and it is accessed directly, the server serves it as application/octet-stream, which allows the file to be processed as HTML and enables arbitrary JavaScript execution. Impact ...
CVE-2024-12374 Stored XSS in automatic1111/stable-diffusion-webui
A stored cross-site scripting XSS vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript...
PrivateGPT Cross-Site Scripting Vulnerability
PrivateGPT is an AI project open-sourced by Zylon. A cross-site scripting vulnerability exists in PrivateGPT v0.5.0 in its file upload feature: an attacker can upload a malicious SVG file, and the JavaScript it contains executes when the victim clicks on the file...
LLaVA Cross-Site Request Forgery Vulnerability
LLaVA is an application by the individual developer Haotian Liu. A cross-site request forgery vulnerability exists in LLaVA v1.2.0 that could allow an attacker to upload malicious files and execute arbitrary JavaScript code...
CVE-2024-48591
Inflectra SpiraTeam 7.2.00 is vulnerable to Cross Site Scripting XSS. A specially crafted SVG file can be uploaded that will render and execute JavaScript upon direct viewing...
CVE-2024-55009
A reflected cross-site scripting XSS vulnerability in AutoBib - Bibliographic collection management system 3.1.140 and earlier allows attackers to execute arbitrary JavaScript in the context of a victim's browser via injecting a crafted payload into the WCE=topFrame&WCU= parameter...
CVE-2024-55009
CVE-2024-55009 refers to a reflected XSS in AutoBib - Bibliographic collection management system (versions 3.1.140 and earlier). The vulnerability allows an attacker to cause arbitrary JavaScript execution in a victim’s browser by injecting a crafted payload into the WCE=topFrame&WCU= parameter. ...
CVE-2025-25363
An authenticated stored cross-site scripting XSS vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center JEMH before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary JavaScript in the context of a user's browser via injecting a crafted payload int...