Ascensio System ONLYOFFICE Resource Management Error Vulnerability
Ascensio System ONLYOFFICE is an office software suite from Ascensio System, Latvia. A resource management error vulnerability exists in Ascensio System ONLYOFFICE DocumentServer versions 4.0.3 through 7.3.2, which stems from a use-after-free. An attacker could exploit...
CVE-2023-38138
A reflected cross-site scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility which allows an attacker to run JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support EoTS are not evaluate...
PT-2023-26319 · F5 · Big-Ip
Name of the Vulnerable Software and Affected Versions: BIG-IP affected versions not specified Description: A reflected cross-site scripting XSS issue exists in an undisclosed page of the BIG-IP Configuration utility. This allows an attacker to run JavaScript in the context of the currently...
CVE-2023-38308
An issue was discovered in Webmin 2.021. A Cross-Site Scripting XSS vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code, leading to the execution of arbitra...
CVE-2023-38309
An issue was discovered in Webmin 2.021. A Reflected Cross-Site Scripting XSS vulnerability was discovered in the package search functionality. The vulnerability allows an attacker to inject a malicious payload in the "Search for Package" field, which gets reflected back in the application's...
Webmin Cross-Site Scripting Vulnerability
Webmin is a set of Web-based system administration tools for Unix-like operating systems from the Webmin community. A security vulnerability exists in Webmin version 2.021, which stems from a cross-site scripting XSS vulnerability discovered in the HTTP tunneling feature when handling third-party...
Cross-site Scripting (XSS)
github.com/usememos/memos is vulnerable to stored Cross-site Scripting XSS. The vulnerability exists in the registerResourcePublicRoutes function in resource.go because the default-src in the CSP is not properly configured, which allows an attacker to bypass the CSP, inject and execute arbitrary javascript...
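A permissive default-src is the kind of misconfiguration the memos entry above describes. The following is an added example, not code from the memos project: a small CSP linter that parses a Content-Security-Policy header, works out which sources govern script execution (script-src, falling back to default-src), and flags the source expressions that let injected script run. The two sample policies are constructed for illustration and are not memos' real headers.

```python
"""Lint a Content-Security-Policy header for script-permissive sources.

Added example; the policies below are constructed, not taken from any project.
"""
from __future__ import annotations

# Source expressions that let attacker-controlled script execute when they
# govern scripts (via script-src, or default-src when script-src is absent).
RISKY_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample policies.
WEAK_POLICY = "default-src * 'unsafe-inline'; img-src *"
HARDENED_POLICY = "default-src 'self'; script-src 'self' 'nonce-R4nd0m'; object-src 'none'; base-uri 'self'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse "dir src src; dir src" into a dict. Directive names are
    case-insensitive; browsers ignore a repeated directive, so the first
    occurrence wins here as well."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src governs scripts; otherwise default-src is the fallback.
    None means neither is set, i.e. no restriction on script origins."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def csp_findings(header: str) -> list[str]:
    """Return the weaknesses in the policy that would let injected script run."""
    policy = parse_csp(header)
    findings: list[str] = []
    sources = effective_script_sources(policy)
    if sources is None:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    else:
        # CSP level 3: a nonce or hash source makes 'unsafe-inline' a no-op,
        # so it is only a finding when no nonce/hash is present.
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
        for src in sources:
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            if src in RISKY_SCRIPT_SOURCES:
                findings.append(f"script source {src} permits attacker-controlled script")
    # base-uri does not fall back to default-src; without it an injected
    # <base> tag can point relative script URLs at an attacker's host.
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> can hijack relative script URLs")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, csp_findings(policy))
```

The check treats script-src as authoritative only when present, because default-src is the fallback for every fetch directive; base-uri is checked separately because it has no fallback at all.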
Esri Portal For ArcGIS Cross-Site Scripting Vulnerability
Esri Portal For ArcGIS is an Esri component that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal For ArcGIS that can be exploited by an attacker to execute arbitrary...
PT-2023-20343
Name of the Vulnerable Software and Affected Versions Esri ArcGIS Enterprise Sites versions 10.8.1 through 10.9 Description The issue is a Cross-site Scripting vulnerability that may allow a remote, authenticated attacker to create a crafted link which, when clicked by a victim, could potentially...
CVE-2023-2507
CVE-2023-2507 affects CleverTap Cordova Plugin (version 2.6.2). The vulnerability arises from improper validation of data from deeplinks, allowing a remote attacker to execute JavaScript in apps opened via a crafted deeplink (the sources describe this as XSS with code-execution-like impact inside the app). A patch ...
CVE-2023-30791
Plane version 0.7.1-dev is affected: an attacker can change a user’s avatar, enabling upload of files with an HTML extension that are interpreted as HTML and JavaScript. This is described across multiple sources as an insecure avatar-upload path leading to HTML/JS content. Remediation guidance in...
PT-2023-19912 · Clevertap · Clevertap Cordova Plugin
Name of the Vulnerable Software and Affected Versions: CleverTap Cordova Plugin version 2.6.2 Description: The CleverTap Cordova Plugin does not correctly validate the data coming from deeplinks before using them, allowing a remote attacker to execute JavaScript code in any application that is...
Plane Code Issue Vulnerability
Plane is an open source, self-hosted project planning tool from Plane Open Source. A security vulnerability exists in Plane version 0.7.1-dev, which stems from a flaw that allows an attacker to change the avatar of their own profile, thereby allowing the upload of files with HTML extensions...
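Both Plane entries above (CVE-2023-30791) describe the same failure: an avatar upload that keeps the user's .html name and is then served as HTML from the application's origin. The following is an added example, not Plane's code, showing a deliberately vulnerable upload handler next to a hardened one; the store functions, the StoredAvatar type and the sample PNG/HTML byte strings are constructed for illustration and do not reflect Plane's implementation.

```python
"""Avatar upload: vulnerable vs hardened handling.

Added example, not code from the Plane project. The sample uploads below
are constructed byte strings, not real user data.
"""
from __future__ import annotations
import mimetypes
import secrets
from dataclasses import dataclass

# Constructed sample uploads.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BYTES = b"<html><script>alert(document.cookie)</script></html>"

# Allowed extensions with their magic bytes and the Content-Type we will serve.
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}


@dataclass
class StoredAvatar:
    url_path: str            # where the file would be served from
    headers: dict[str, str]  # response headers the file server would send


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def store_avatar_vulnerable(filename: str, data: bytes) -> StoredAvatar:
    """Keeps the user-supplied name and derives Content-Type from its extension.
    An upload named avatar.html is therefore stored as-is and served as
    text/html, so the script inside it runs in the application's origin."""
    content_type = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return StoredAvatar(f"/media/avatars/{filename}", {"Content-Type": content_type})


def store_avatar_hardened(filename: str, data: bytes) -> StoredAvatar:
    """Allowlist the extension, verify the bytes match it, store under a
    server-chosen name, and pin the response headers."""
    ext = _extension(filename)
    if ext not in ALLOWED_IMAGE_TYPES:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    magic, content_type = ALLOWED_IMAGE_TYPES[ext]
    if not data.startswith(magic):
        raise ValueError("file content does not match the declared image type")
    stored_name = f"{secrets.token_hex(16)}.{ext}"  # user filename never reaches disk or URL
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",  # browser must not sniff the body into HTML
        "Content-Disposition": f'inline; filename="{stored_name}"',
        # Defence in depth: even a misclassified file cannot run script or reach the app origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return StoredAvatar(f"/media/avatars/{stored_name}", headers)


def hardened_rejects(filename: str, data: bytes) -> bool:
    """True if the hardened path refuses this upload (helper for checks)."""
    try:
        store_avatar_hardened(filename, data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(store_avatar_vulnerable("avatar.html", HTML_BYTES))
    print("hardened rejects avatar.html:", hardened_rejects("avatar.html", HTML_BYTES))
    print(store_avatar_hardened("avatar.png", PNG_BYTES))
```

The magic-byte check matters as much as the extension allowlist: without it, HTML renamed to .png would still be rejected by a browser honouring nosniff, but a server that trusts the extension alone would serve it with whatever type the user chose. Serving uploads from a separate origin removes the remaining risk entirely.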
PT-2023-23658 · Apache +1 · Apache Jena +1
Name of the Vulnerable Software and Affected Versions: Apache Jena versions 3.7.0 through 4.8.0 Description: The issue is related to insufficient restrictions of called script functions in Apache Jena, allowing a remote user to execute javascript via a SPARQL query. Recommendations: For Apache Je...
Apache Jena Security Vulnerability
Apache Jena is a Java Semantic Web framework from the Apache Foundation (United States), used to build Semantic Web and linked data applications. Apache Jena suffers from a code execution vulnerability that stems from insufficient restrictions on called script functions. An attacker can exploi...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization in the external link redirections. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper user-input sanitization in the processes filter. This allows a remote attacker to execute JavaScript code in the context of a currently logged-in user. An attacker could use this vulnerability to...
CVE-2023-32693
Summary: CVE-2023-32693 affects the Decidim framework (Ruby on Rails). The vulnerability is a Cross-Site Scripting flaw in the external link feature, allowing a remote attacker to execute JavaScript in the context of a logged-in user and potentially influence user endorsements of proposals. Affec...