BIT-GITLAB-2020-13269

A Reflected Cross-Site Scripting vulnerability allowed the execution of arbitrary Javascript code on the Static Site Editor in GitLab CE/EE 12.10 and later through 13.0.1...

BIT-WORDPRESS-2020-4049 Authenticated self-XSS via theme uploads in WordPress

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...

BIT-WORDPRESS-MULTISITE-2020-4049 Authenticated self-XSS via theme uploads in WordPress

In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...

BIT-SUITECRM-2021-39267

Persistent cross-site scripting XSS in the web interface of SuiteCRM before 7.11.19 allows a remote attacker to introduce arbitrary JavaScript via a Content-Type Filter bypass to upload malicious files. This occurs because text/html is blocked, but other types that allow JavaScript execution such...

BIT-RABBITMQ-2021-32718 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in RabbitMQ management UI

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.17, a new user being added via management UI could lead to the user's bane being rendered in a confirmation message without proper tag sanitization, potentially allowing for JavaScript code execution in the...

BIT-MEDIAWIKI-2023-22910

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision- fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs...

BIT-MAGENTO-2021-21023 Magento Commerce Stored Cross Site Scripting Vulnerability Could Lead To Arbitrary Code Execution

Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to a stored cross-site scripting vulnerability in the admin console. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Access to the admin console is required for...

BIT-MAGENTO-2021-21030 Magento Commerce Stored Cross-site Scripting Could Lead To Arbitrary Javascript Execution

Magento versions 2.4.1 and earlier, 2.4.0 and earlier and 2.3.6 and earlier are vulnerable to a stored cross-site scripting XSS in the customer address upload feature. Successful exploitation could lead to arbitrary JavaScript execution in the victim's browser. Exploitation of this issue requires...

BIT-GRAFANA-2021-41174 XSS vulnerability allowing arbitrary JavaScript execution

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...

BIT-MLFLOW-2023-6568 Reflected XSS via Content-Type Header in mlflow/mlflow

A reflected Cross-Site Scripting XSS vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the Content-Type header in POST requests. An attacker can inject malicious JavaScript code into the Content-Type header, which is then improperly reflected back to the us...

BIT-GITLAB-2023-6033 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allows attacker to execute javascript in victim's browser...

BIT-DRUPAL-2021-41165 HTML comments vulnerability allowing to execute JavaScript code

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result...

BIT-GHOST-2022-27139

An arbitrary file upload vulnerability in the file upload module of Ghost v4.39.0 allows attackers to execute arbitrary code via a crafted SVG file. NOTE: Vendor states that as outlined in Ghost's security documentation, upload of SVGs is only possible by trusted authenticated users. The uploadin...

Docassemble HTML and javascript injection

Impact A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain tags allowing JavaScript to execute on the page. Patches The vulnerability has been patched in version 1.4.97 of the master...

GHSA-PCFX-G2J2-F6F6 Docassemble HTML and javascript injection

Impact A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain tags allowing JavaScript to execute on the page. Patches The vulnerability has been patched in version 1.4.97 of the master...

CVE-2024-27087 Kirby cross-site scripting (XSS) in the link field "Custom" type

Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As th...

Cross site scripting

A DOM based cross-site scripting XSS vulnerability in the component /dom/ranges/Range-test-iframe.html of web-platform-tests/wpt before commit 938e843 allows attackers to execute arbitrary Javascript via sending a crafted URL...

Cross site scripting

A DOM based cross-site scripting XSS vulnerability in the component index.html of jstrieb/urlpages before commit 035b647 allows attackers to execute arbitrary Javascript via sending a crafted URL...

PT-2024-21386 · Unknown · Web-Platform-Tests

Name of the Vulnerable Software and Affected Versions: web-platform-tests/wpt versions before commit 938e843 Description: A DOM based cross-site scripting XSS issue in the component /dom/ranges/Range-test-iframe.html allows attackers to execute arbitrary Javascript via sending a crafted URL...

Apache DolphinScheduler vulnerable to arbitrary JavaScript execution as root for authenticated users

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can cause arbitrary, unsandboxed JavaScript to be executed on the server. This issue is a legacy of CVE-2023-49299. We didn't fix it completely in CVE-2023-49299, and we added one more patch to fix it. This...