Lucene search
5912 matches found

CVE · added 2024/06/13 7:53 a.m. · 61 views

CVE-2024-26074

Adobe Experience Manager (AEM) 6.5.20 and earlier are affected by a stored XSS vulnerability (CVE-2024-26074) in vulnerable form fields, allowing injected JavaScript to run in a victim’s browser. Remediation: upgrade to 6.5.21 or later (per APSB24-28). The CVSS v3.1 base score is 5.4 (Medium). If...

CVSS 5.4 · AI score 5.3 · EPSS 0.01615
Exploits 0 · References 1 · Affected software 1
CVE · added 2024/06/13 7:53 a.m. · 56 views

CVE-2024-36231

CVE-2024-36231 affects Adobe Experience Manager versions 6.5.20 and earlier, with a DOM-based XSS vulnerability that could allow arbitrary JavaScript execution in the victim’s browser session. Exploitation typically requires user interaction (e.g., clicking a crafted link or submitting a form). T...

CVSS 5.4 · AI score 5.6 · EPSS 0.17888
Exploits 0 · References 1 · Affected software 1
CVE · added 2024/06/13 7:53 a.m. · 50 views

CVE-2024-36174

Adobe Experience Manager (AEM) 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability in vulnerable form fields, allowing attacker-injected JavaScript to run in a victim’s browser when visiting the page containing the field. The CVSS 3.1 base score is 5.4 (Medium) with...

CVSS 5.4 · AI score 5.3 · EPSS 0.024
Exploits 0 · References 1 · Affected software 1
CVE · added 2024/06/13 7:52 a.m. · 52 views

CVE-2024-26066

Affected product: Adobe Experience Manager (AEM) 6.5.20 and earlier. Issue: stored Cross-Site Scripting (XSS) in vulnerable form fields that could allow an attacker to inject malicious JavaScript, executing in a victim’s browser when visiting the page containing the field. Root cause: XSS in form...

CVSS 5.4 · AI score 5.3 · EPSS 0.01615
Exploits 0 · References 1 · Affected software 1
Vulnrichment · added 2024/06/13 7:52 a.m. · 19 views

CVE-2024-36141 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...

CVSS 5.4 · AI score 5.3 · EPSS 0.02022
Exploits 0 · References 1
CVE · added 2024/06/13 7:52 a.m. · 48 views

CVE-2024-36142

CVE-2024-36142 affects Adobe Experience Manager (AEM) 6.5.20 and earlier with a stored XSS in vulnerable form fields. The issue allows an attacker to inject malicious JavaScript that can execute in a victim’s browser when visiting a page containing the vulnerable field. The CVSS v3.1 vector indic...

CVSS 5.4 · AI score 5.3 · EPSS 0.01781
Exploits 0 · References 1 · Affected software 1
CVE · added 2024/06/13 7:52 a.m. · 48 views

CVE-2024-36208

CVE-2024-36208 affects Adobe Experience Manager (AEM) 6.5.20 and earlier and is a stored Cross-Site Scripting (XSS) vulnerability. The issue involves vulnerable form fields that allow injected JavaScript to execute in a victim’s browser when a page containing the field is loaded. The CVE details ...

CVSS 5.4 · AI score 5.3 · EPSS 0.01615
Exploits 0 · References 1 · Affected software 1
Amazon · added 2024/06/12 12:00 a.m. · 23 views

Important: thunderbird

Issue Overview: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability affects Firefox 126, Firefox ESR 115.11, and Thunderbird 115.11. CVE-2024-4367 If the browser.privatebrowsing.autostart preference is...

CVSS 8.8 · AI score 8.2 · EPSS 0.40321
Exploits 17
Positive Technologies · added 2024/06/11 12:00 a.m. · 4 views

PT-2024-7825 · Esri · Esri Portal For Arcgis

Name of the Vulnerable Software and Affected Versions: Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1 Description: The issue is related to a reflected XSS vulnerability. It may allow a remote, unauthenticated attacker to create a crafted link which, when clicked, could potentially...

CVSS 5.5 · AI score 6.6 · EPSS 0.02701
Exploits 0 · References 10
RedHat Linux · added 2024/06/10 7:47 p.m. · 2 views

Mozilla: Arbitrary JavaScript execution in PDF.js

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes this flaw as follows: A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context...

CVSS 8.8 · AI score 7.5 · EPSS 0.40321
Exploits 14 · References 6
RedHat Linux · added 2024/06/10 7:39 p.m. · 30 views

Moderate: Red Hat Security Advisory: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 8.10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...

CVSS 8.8 · AI score 7.3 · EPSS 0.40321
Exploits 17 · References 7
Tenable Nessus · added 2024/06/10 12:00 a.m. · 30 views

RHEL 8 : thunderbird (RHSA-2024:3784)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2024:3784 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.11.0. Security Fixes: firefox...

CVSS 8.8 · AI score 8.1 · EPSS 0.40321
Exploits 17 · References 15
OSV · added 2024/06/10 12:00 a.m. · 22 views

ALSA-2024:3783 Moderate: firefox security update

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 115.11.0 ESR. Security Fixes: firefox: Arbitrary JavaScript execution in PDF.js CVE-2024-4367 firefox: IndexedDB files retained in private browsi...

CVSS 8.8 · AI score 8.6 · EPSS 0.40321
Exploits 17 · References 14
CVE · added 2024/06/06 6:24 p.m. · 63 views

CVE-2024-3402

CVE-2024-3402 affects gaizhenbiao/chuanhuchatgpt version 20240121. A stored XSS vulnerability arises from inadequate sanitization/validation of the model output data, allowing injection/execution of arbitrary JavaScript in the context of other users’ browsers and potentially hijacking victims’ se...

CVSS 6.8 · AI score 5.8 · EPSS 0.00197
Exploits 1 · References 1 · Affected software 1
OSV · added 2024/06/05 2:15 p.m. · 28 views

GHSA-4M3G-6R7G-JV4F Arbitrary JavaScript execution due to using outdated libraries

Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. PoC 1. Generate a pdf file with a malicious script in the fontmatrix. This will run alert‘XSS’. poc.pdf 2. Run the app. In this PoC, I've used the demo...

CVSS 3.6 · AI score 8.4
Exploits 0 · References 3
Snyk · added 2024/06/05 12:00 a.m. · 2 views

Cross-site Scripting (XSS)

Overview katello is a package that adds Content and Subscription Management to Foreman Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the improper sanitization of the Description field in the user interface. An attacker can execute arbitrary JavaScript code by...

CVSS 4.8 · AI score 5.4 · EPSS 0.00084
Exploits 0 · References 2
SUSE CVE · added 2024/06/04 12:54 p.m. · 2 views

SUSE CVE-2021-41174

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...

CVSS 6.9 · AI score 7.9 · EPSS 0.87697
Exploits 0 · References 16
NVD · added 2024/06/03 8:15 p.m. · 9 views

CVE-2023-51219

A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact was further escalated by triggering another WebView that leaked its access token in a HTTP request header. Ultimately, this access tok...

CVSS 9.6 · AI score 6.3 · EPSS 0.00703
Exploits 0 · References 2
Vulnrichment · added 2024/06/03 12:00 a.m. · 13 views

CVE-2023-51219

A deep link validation issue in KakaoTalk 10.4.3 allowed a remote adversary to direct users to run any attacker-controlled JavaScript within a WebView. The impact was further escalated by triggering another WebView that leaked its access token in a HTTP request header. Ultimately, this access tok...

AI score 6.3 · EPSS 0.00703
Exploits 0 · References 2
WPVulnDB · added 2024/06/03 12:00 a.m. · 60 views

PDF.js < 4.2.67 - Arbitrary JavaScript Execution

Description PDF.js is vulnerable to Arbitrary JavaScript Execution in versions prior to 4.2.67. This is due to a missing type check when handling fonts. This makes it possible for authenticated attackers, with contributor-level or above permissions, to execute arbitrary JavaScript if they can...

AI score 6.5 · EPSS 0.40321
Exploits 14 · References 1 · Affected software 1