CVE-2022-38754
A potential vulnerability has been identified in Micro Focus Operations Bridge - Containerized. The vulnerability could be exploited by a malicious authenticated Operations Bridge Manager (OBM) user to run JavaScript in the browser context of another OBM user. Please note: The vulnerability is on...
CVE-2022-43668
Typora versions prior to 1.4.4 fail to properly neutralize JavaScript code, which may result in execution of JavaScript code contained in a file when that file is opened with the affected product...
PT-2022-26996 · Typora · Typora
Name of the Vulnerable Software and Affected Versions: Typora versions prior to 1.4.4 Description: The issue is related to the improper neutralization of JavaScript code. When a file is opened with the affected product, it may result in the execution of JavaScript code contained in the file...
PT-2022-7126 · Samsung · Galaxy Store
Name of the Vulnerable Software and Affected Versions: Galaxy Store versions prior to 4.5.49.8 Description: The issue exists due to inadequate protection of the web page structure, allowing an attacker to execute JavaScript when a web page is loaded. This is caused by an improper input...
CVE-2022-31777
A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user by including a malicious payload in the logs, which are then returned and rendered in the UI...
CVE-2022-4068 Improperly Controlled Modification of Dynamically-Determined Object Attributes in librenms/librenms
A user is able to re-enable their own account after an admin has disabled it, as long as the user still holds a valid session. Moreover, the username is not properly sanitized in the admin user overview. This enables an XSS attack that allows an attacker with a low-privilege user account to execute arbitrary...
CVE-2022-4022
The SVG Support plugin for WordPress defaults to insecure settings in versions 2.5 and 2.5.1. SVG files containing malicious JavaScript are not sanitized. While version 2.5 adds the ability to sanitize images as they are uploaded, the plugin disables sanitization by default and does not restrict SV...
CVE-2022-40846
In Tenda AC1200 Router model W15Ev2 V15.11.0.101576, a stored cross-site scripting (XSS) vulnerability exists, allowing an attacker to execute JavaScript code via the application's stored hostname...
Tenda AC1200 cross-site scripting vulnerability
The Tenda AC1200 is a wireless router from Tenda (China). A security vulnerability exists in Tenda AC1200 version 15.11.0.10, which stems from a stored cross-site scripting issue. The vulnerability allows an attacker to execute JavaScript code by leveraging the filter tabs, specifically the URL...
XSS and CSP bypass in app.diagrams.net
Description The application reflects an input from the URL without sanitizing it. Combined with a CSP bypass via apis.google.com, it is possible to execute JavaScript code. Proof of Concept...
PYSEC-2022-42976
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user by including a malicious payload in the logs, which are then returned and rendered in the UI...
Fortinet FortiManager and FortiAnalyzer cross-site scripting vulnerability
Fortinet FortiManager and Fortinet FortiAnalyzer are both products from Fortinet, Inc. Fortinet FortiManager is a centralized network security management platform. The platform supports centralized management of any number of Fortinet devices, and can be grouped into different management domains...
CVE-2022-31777 Apache Spark XSS vulnerability in log viewer UI JavaScript
A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2.1 and earlier, and 3.3.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user by including a malicious payload in the logs, which are then returned and rendered in the UI...
Cross-site Scripting (XSS)
joyqi/hyper-down is vulnerable to cross-site scripting (XSS). The library does not properly escape the href attribute in Parser.php, which allows a remote attacker to inject and execute malicious JavaScript...
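The Apache Spark log-viewer entries above and the hyper-down href entry are two instances of the same defect: untrusted text reaches an HTML context without encoding for that context. The following is an added example, not code from Spark, hyper-down, or any project listed on this page, of the two controls that close both holes: HTML-encoding log lines before they are placed in element content, and refusing script-bearing URL schemes before a value is placed in an href attribute. The sample log lines and the function names are constructed for illustration.

```javascript
// Added example: output encoding for untrusted log text and link targets.
// Not the code of any project on this page; function names and sample data are hypothetical.

// Encode the five characters that can terminate an HTML text node or a quoted
// attribute value. Applied to anything that lands in element content or an attribute.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (the shape behind the log-viewer advisories): log text is
// concatenated straight into markup, so a payload written into the log is executed
// by every browser that views the page.
function renderLogUnsafe(lines) {
  return "<pre>" + lines.join("\n") + "</pre>";
}

// Hardened: every line is encoded for the text context it is rendered into.
function renderLogSafe(lines) {
  return "<pre>" + lines.map(escapeHtml).join("\n") + "</pre>";
}

// Allow-list of URL schemes that may appear in an href. Scheme-less (relative)
// URLs are accepted; javascript:, data:, vbscript: and anything else are refused.
const ALLOWED_SCHEMES = ["http", "https", "mailto"];

// Returns the URL if its scheme is acceptable, otherwise null.
// Control characters and whitespace are removed before the scheme check because
// browsers drop them during URL parsing, so "java\tscript:" still executes.
function safeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !ALLOWED_SCHEMES.includes(m[1].toLowerCase())) return null;
  return String(url);
}

// Builds a link, or falls back to plain escaped text when the target is rejected.
// The href value is HTML-encoded as well: "javascript&colon;alert(1)" would otherwise
// be decoded by the HTML parser into "javascript:alert(1)" before URL parsing.
function renderLink(url, text) {
  const href = safeHref(url);
  if (href === null) return escapeHtml(text);
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + "</a>";
}

// Constructed sample log: the second line carries a payload that an attacker could
// place in a log through any attacker-controlled string (a job name, a query, a hostname).
const SAMPLE_LOG = [
  "22/10/01 12:00:00 INFO SparkContext: Running Spark version 3.3.0",
  "22/10/01 12:00:01 INFO Job: name=<img src=x onerror=alert(document.cookie)>",
];

console.log(renderLogUnsafe(SAMPLE_LOG));              // payload survives intact
console.log(renderLogSafe(SAMPLE_LOG));                // payload is inert text
console.log(renderLink("javascript:alert(1)", "docs")); // link dropped, label kept
console.log(renderLink("https://example.com/?a=1&b=2", "docs"));
```

The scheme check is deliberately an allow-list rather than a deny-list of "javascript:"; the check is performed on a copy with control characters stripped, and the original value is then attribute-encoded, so neither whitespace padding nor HTML entity encoding in the stored value can smuggle a script scheme past it.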
CVE-2022-40183
An error in the URL handler of the VIDEOJET multi 4000 may lead to a reflected cross-site scripting (XSS) vulnerability in the web-based interface. An attacker with knowledge of the encoder address can send a crafted link to a user, which will execute JavaScript code in the context of that user...
CVE-2022-40184 Stored Cross Site Scripting (XSS) in VIDEOJET multi 4000
Incomplete filtering of JavaScript code in different configuration fields of the web based interface of the VIDEOJET multi 4000 allows an attacker with administrative credentials to store JavaScript code which will be executed for all administrators accessing the same configuration option...
PT-2022-25265 · Unknown · Videojet Multi 4000
Name of the Vulnerable Software and Affected Versions: VIDEOJET multi 4000 affected versions not specified Description: The issue concerns incomplete filtering of JavaScript code in different configuration fields of the web-based interface. An attacker with administrative credentials can store...
CVE-2022-38200 BUG-000142376 - Reflected Cross-Site Scripting (XSS) vulnerability in ArcGIS Server.
A cross-site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser...
PT-2022-24277 · Esri · Arcgis Server
Name of the Vulnerable Software and Affected Versions: ArcGIS Server versions 10.7.1 through 10.8.1 Description: A cross-site scripting issue exists in certain map service configurations, allowing specifically crafted web requests to execute arbitrary JavaScript in the context of the victim's...
CVE-2022-42466
Prior to 2.0.0-M9, it was possible for an end user to set the value of an editable string property of a domain object to a value that would be rendered unchanged once saved. In particular, the end user could enter JavaScript or similar and it would be executed. As of this release,...