Stored XSS in description of theme
Description: The attacker can execute JavaScript code through the theme's description. Proof of Concept: Step 1: Choose any theme to upload (I used a copy of the vanilla theme). Open the theme folder and change the description tag of the config.xml file: vanilla Bootstrap Vanilla theme 16/10/2017 LimeSurvey GmbH...
Cross-site Scripting (XSS)
khodakhah/nodcms is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation in the contact form's address element, which allows an admin-authenticated attacker to inject and execute arbitrary JavaScript into the browser...
Gibbon Cross-Site Scripting Vulnerability
Gibbon is a school platform that solves real-world problems that educators encounter every day. A security vulnerability exists in Gibbon version 25.0.0 that stems from the presence of a cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary JavaScript code...
Incorrect Authorization to Stored XSS in Import User Role function
Description The application incorrectly checks user permissions, enabling the attacker to use the 'import file user roles' functionality, which contains a payload for executing JavaScript code, without requiring any specific privileges. Proof of Concept Step1: Even without the privilege to manage...
CVE-2023-34835
A Cross Site Scripting vulnerability in Microworld Technologies eScan Management console v.14.0.1400.2281 allows a remote attacker to execute arbitrary JavaScript code via a vulnerable deletefile parameter...
PT-2023-5199 · Ibm · Ibm Qradar Siem
Name of the Vulnerable Software and Affected Versions: IBM QRadar SIEM version 7.5.0 Description: The issue is related to a lack of protection for the web page structure, allowing a remote attacker to bypass restrictions on executing JavaScript. This can enable users to embed arbitrary JavaScript...
PT-2023-25021 · Microworld Technologies · Escan Management Console
Name of the Vulnerable Software and Affected Versions: Microworld Technologies eScan Management console version 14.0.1400.2281 Description: A Cross Site Scripting issue allows a remote attacker to execute arbitrary JavaScript code via a vulnerable delete file parameter. This enables the attacker ...
PT-2023-24892 · Pybb · Pybb
Name of the Vulnerable Software and Affected Versions: PyBB version 0.1.0 Description: A manual code review of the PyBB bulletin board server revealed a vulnerability that allows users to submit any type of HTML tag, which can be executed. For example, a malicious tag, such as xss, can be used t...
CVE-2023-24031
An issue was discovered in Zimbra Collaboration ZCS 9.0 and 8.8.15. XSS can occur, via one of the attributes of the webmail /h/ endpoint, to execute arbitrary JavaScript code, leading to information disclosure...
CVE-2023-29304 Adobe Experience Manager | Cross-site Scripting (Reflected XSS) (CWE-79)
Adobe Experience Manager versions 6.5.16.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the...
CVE-2023-2819
A stored cross-site scripting vulnerability in the Sources UI in Proofpoint Threat Response / Threat Response Auto Pull (PTR/TRAP) could allow an authenticated administrator on an adjacent network to replace the image file with an arbitrary MIME type. This could result in arbitrary JavaScript code...
GHSA-XP5H-F8JF-RC8Q rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
NOTE: rails-ujs is part of Rails/actionview since 5.1.0. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML...
CVE-2023-0709 Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to injec...
Cross-site Scripting (XSS)
avo is vulnerable to Cross-site Scripting (XSS). The vulnerability exists in multiple files due to improper HTML sanitization in form content, which allows an attacker to inject and execute arbitrary JavaScript in a victim's browser...
inDrive: #2 XSS on watchdocs.indriverapp.com
An XSS vulnerability was discovered on watchdocs.indriverapp.com. The vulnerability allowed execution of JavaScript on the user's browser...
CVE-2023-33977 Stored cross site scripting (XSS) via unrestricted file upload in Kiwi TCMS
Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded...
GHSA-GWXV-JV83-6QJR JStachio XSS vulnerability: Unescaped single quotes
Impact Description: JStachio fails to escape single quotes ' in HTML, allowing an attacker to inject malicious code. Reproduction Steps: Use the following template code: html Set the value variable to ' onblur='alert1. java public class Escaping public static void mainString args Model model = ne...
CVE-2023-32715
In the Splunk App for Lookup File Editing versions below 4.0.1, a user can insert potentially malicious JavaScript code into the app, which causes that code to run on the user’s machine. The app itself does not contain the potentially malicious JavaScript code. The vulnerability requires the...