5800 matches found

CNNVD
added 2022/02/24 12:0 a.m. | 4 views

BloofoxCms Cross-Site Scripting Vulnerability

BloofoxCms is a PHP-based text content management system from the individual developer alexlang24. bloofoxCMS suffers from a cross-site scripting vulnerability that stems from a lack of validation and filtering of user-supplied data and output in the file and type parameters in index.php. An attacker...

CVSS 5.4 | AI score 5.5 | EPSS 0.00191
Exploits 1 | References 2
Vulnrichment
added 2022/02/23 11:50 p.m. | 7 views

CVE-2022-24708 Stored XSS vulnerability in anuko/timetracker

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. ttUser.class.php in Time Tracker versions prior to 1.20.0.5646 was not escaping primary group name for display. Because of that, it was possible for a logged in user to modify primary group name with element...

CVSS 6.5 | AI score 6.4 | EPSS 0.00206
Exploits 0 | References 2
CNNVD
added 2022/02/21 12:0 a.m. | 2 views

WordPress Survey Maker Cross-Site Scripting Vulnerability

WordPress is a blogging platform from the WordPress Foundation, developed in PHP. A WordPress plugin is an open source application plugin for WordPress. WordPress Survey Maker plugin 2.0.6 and previous versions have a cross-site scripting vulnerability, which can be exploited by attacke...

CVSS 6.1 | AI score 5.4 | EPSS 0.00576
Exploits 1 | References 4
Huntr
added 2022/02/19 1:6 p.m. | 28 views

Cross-site Scripting (XSS) - Stored

Description: Stored XSS is a vulnerability in which the attacker can execute arbitrary JavaScript code in the victim's browser. The XSS payload is stored in a webpage and it gets executed whenever someone visits that webpage. I used &10 Line Feed character in the href attribute of tag to bypass th...

CVSS 3.5 | AI score 1 | EPSS 0.00281
Exploits 1
OSV
added 2022/02/19 1:15 a.m. | 5 views

CVE-2022-25256

SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfsrequestbacklabellist and saspfsrequestbackurllist. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing...

CVSS 6.1 | AI score 5.5 | EPSS 0.00611
Exploits 0 | References 3
CNNVD
added 2022/02/19 12:0 a.m. | 3 views

Sas Institute Sas Web Report Studio Cross-Site Scripting Vulnerability

Sas Institute Sas Web Report Studio is a web application from Sas Institute, Inc. It is used to view, interact with, create, and distribute public and private reports. A cross-site scripting vulnerability exists in Sas Institute Sas Web Report Studio, which stems from Do having two parameters:...

CVSS 6.1 | AI score 5.9 | EPSS 0.00611
Exploits 0 | References 5
Snyk
added 2022/02/16 2:53 p.m. | 3 views

Arbitrary Code Execution

Overview: Affected versions of this package are vulnerable to Arbitrary Code Execution: the package uses a markdown parser in an unsafe way, so that any JavaScript code inside the markdown input files gets evaluated and executed. PoC js const postLoader = require'post-loader' var payload =...

CVSS 9.8 | AI score 7.3 | EPSS 0.01201
Exploits 1 | References 2
CNNVD
added 2022/02/15 12:0 a.m. | 2 views

Jenkins Plugin Cross-Site Scripting Vulnerability

Jenkins plug-ins are plug-ins that provide appropriate functionality for Jenkins. The Jenkins Team Views Plugin has a cross-site scripting vulnerability. This vulnerability allows an attacker to execute JavaScript code on the client side...

CVSS 5.4 | AI score 5.5 | EPSS 0.00217
Exploits 0 | References 5
OSV
added 2022/02/12 5:31 p.m. | 6 views

MGASA-2022-0059 Updated webkit2 packages fix security vulnerability

Processing a maliciously crafted mail message may lead to running arbitrary javascript. Description: A validation issue was addressed with improved input sanitization. CVE-2022-22589 Processing maliciously crafted web content may lead to arbitrary code execution. Description: A use after free iss...

CVSS 8.8 | AI score 7.2 | EPSS 0.00788
Exploits 0 | References 4
OSV
added 2022/02/11 12:0 a.m. | 0 views

UBUNTU-CVE-2022-22589

A validation issue was addressed with improved input sanitization. This issue is fixed in iOS 15.3 and iPadOS 15.3, watchOS 8.4, tvOS 15.3, Safari 15.3, macOS Monterey 12.2. Processing a maliciously crafted mail message may lead to running arbitrary javascript...

CVSS 6.1 | AI score 6.7 | EPSS 0.00788
Exploits 0 | References 4
OSV
added 2022/02/10 8:18 p.m. | 0 views

GHSA-VM64-CFQX-3698 Code Injection in jsen

This affects all versions of package jsen. If an attacker can control the schema file, it could run arbitrary JavaScript code on the victim machine. In the module description and README file there is no mention about the risks of untrusted schema files, so it is assumed that this is applicable. I...

CVSS 7.2 | AI score 7.2 | EPSS 0.0098
Exploits 1 | References 3
OpenVAS
added 2022/02/10 12:0 a.m. | 22 views

Mozilla Firefox Security Advisories (MFSA2022-04, MFSA2022-05) - Mac OS X

Mozilla Firefox is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:firefox";...

CVSS 9.6 | AI score 7.8 | EPSS 0.00718
Exploits 1 | References 1
Prion
added 2022/02/09 4:15 a.m. | 21 views

Design/Logic Flaw

An issue was discovered in the Calendar feature in Zimbra Collaboration Suite 8.8.x before 8.8.15 patch 30 update 1, as exploited in the wild starting in December 2021. An attacker could place HTML containing executable JavaScript inside element attributes. This markup becomes unescaped, causing...

CVSS 4.3 | AI score 6.8 | EPSS 0.88633
Exploits 2 | References 5 | Affected Software 1
OSV
added 2022/02/09 12:0 a.m. | 1 views

UBUNTU-CVE-2022-22755

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript within the bounds of the same-origin policy even after the tab was closed. This vulnerability affects Firefox 97...

CVSS 8.8 | AI score 7.4 | EPSS 0.00718
Exploits 0 | References 4
Tenable Nessus
added 2022/02/09 12:0 a.m. | 35 views

AlmaLinux 8 : thunderbird (ALSA-2021:5045)

The remote AlmaLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2021:5045 advisory. - Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive...

CVSS 8.8 | AI score 7.5 | EPSS 0.00967
Exploits 0 | References 11
UbuntuCve
added 2022/02/09 12:0 a.m. | 40 views

CVE-2022-22755

By using XSL Transforms, a malicious webserver could have served a user an XSL document that would continue to execute JavaScript within the bounds of the same-origin policy even after the tab was closed. This vulnerability affects Firefox 97...

CVSS 8.8 | AI score 7.3 | EPSS 0.00718
Exploits 0 | References 3
CNNVD
added 2022/02/09 12:0 a.m. | 2 views

spaceLYnk Cross-Site Scripting Vulnerability

The Schneider Electric spaceLYnk is a programmable logic controller from Schneider Electric France. The spaceLYnk suffers from a cross-site scripting vulnerability that an attacker could use to inject and execute arbitrary malicious JavaScript code in the target...

CVSS 6.1 | AI score 6.4 | EPSS 0.00317
Exploits 0 | References 2
CNNVD
added 2022/02/08 12:0 a.m. | 3 views

Mozilla Firefox Security Vulnerability

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. Mozilla Firefox suffers from a resource mishandling vulnerability that stems from the way the browser handles XSL documents. An attacker could use the vulnerability to trick a victim into loading a...

CVSS 8.8 | AI score 8.4 | EPSS 0.00718
Exploits 0 | References 7
Tenable Nessus
added 2022/02/08 12:0 a.m. | 35 views

Mozilla Firefox < 97.0

The version of Firefox installed on the remote macOS or Mac OS X host is prior to 97.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2022-04 advisory. - Mozilla developers Paul Adenot and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 96...

CVSS 9.6 | AI score 7.9 | EPSS 0.00718
Exploits 2 | References 13
CNNVD
added 2022/02/01 12:0 a.m. | 2 views

WordPress Plugin Cross-Site Scripting Vulnerability

WordPress is a blogging platform developed by the WordPress Foundation using the PHP language. WordPress Learning Courses plugin in versions prior to 5.0 contains a cross-site scripting vulnerability that stems from a lack of validation and filtering of user-supplied data and output. An...

CVSS 4.8 | AI score 5.6 | EPSS 0.00206
Exploits 2 | References 2