DRUPAL-CONTRIB-2020-015
This module enables you to build forms and surveys in Drupal. The module doesn't sufficiently sanitize Webform labels or visibility conditions under the scenario of placing a block. When a webform block is placed and visible on a website any JavaScript code contained within the webform's label w...
Dell EMC RSA Archer Injection Vulnerability
Dell EMC RSA Archer is an enterprise IT governance and compliance product from Dell USA. The product enables the development of eGRC programs for managing enterprise risk, automating business processes, and more. An injection vulnerability exists in versions prior to Dell EMC RSA Arche...
Elastic: Stored XSS in TSVB Visualizations Markdown Panel
Summary: An authenticated user can save...
CVE-2020-7642
lazysizes through 5.2.0 allows execution of malicious JavaScript. The following attributes are not sanitized by the video-embed plugin: data-vimeo, data-vimeoparams, data-youtube and data-ytparams which can be abused to inject malicious JavaScript...
Phishing Attacks
Firefox is vulnerable to phishing attacks. The vulnerability exists as a web page containing malicious content could execute arbitrary JavaScript in the context of the site, possibly presenting misleading data to a user, or stealing sensitive information such as login credentials...
CVE-2019-19089
For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as a content type other than the one declared. A possible attack scenario would be unauthorized code execution via text...
CVE-2020-3884
An injection issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.4. A remote attacker may be able to cause arbitrary JavaScript code execution...
GHSA-4G46-5GRC-WQ49 Cross-Site Scripting in seeftl
All versions of seeftl are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation: No fix is currently available. Consider using a...
Cross-Site Scripting in http_server
All versions of http_server are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation: No fix is currently available. Consider usi...
Versiant LYNX Customer Service Portal is vulnerable to stored cross-site scripting
Overview: The Versiant LYNX Customer Service Portal version 3.5.2 is vulnerable to stored cross-site scripting, which may allow a local, authenticated attacker to execute arbitrary JavaScript. Description: The Versiant LYNX Customer Service Portal (CSP) is a "full-service customer portal that provide...
Slack: XSS on link and window.opener
A vulnerability was found in Slack that allowed for cross-site scripting (XSS) attacks through a link and the window.opener property. This could lead to redirection to malicious sites or execution of JavaScript code. The impact of this vulnerability was potentially severe...
CVE-2020-1771
An attacker is able to craft an article with a link to the customer address book with malicious content (JavaScript). When an agent opens the link, JavaScript code is executed due to the missing parameter encoding. This issue affects: OTRS Community Edition: 6.0.26 and prior versions. OTRS: 7.0.15 and prior...
PT-2020-15048
Name of the Vulnerable Software and Affected Versions: OTRS Community Edition versions 6.0.26 and prior; OTRS versions 7.0.15 and prior. Description: The issue allows an attacker to craft an article with a link to the customer address book containing malicious JavaScript content. When an agent open...
CVE-2020-9520
A stored XSS vulnerability was discovered in Micro Focus Vibe, affecting all Vibe versions prior to 4.0.7. The vulnerability could allow a remote attacker to craft and store malicious content into Vibe such that when the content is viewed by another user of the system, attacker controlled...
Visma Bug Bounty Program: Stored XSS when uploading files to an invoice
I've found a stored XSS from the fileupload. The parameter fileID is vulnerable and will be stored to the page. Steps To Reproduce: (1) Login. (2) Navigate to one of your invoices. (3) Upload some file and intercept the traffic. (4) Once you see the JSON payload like this "id":"abcabccabcabc","name":"file-name" modi...
CVE-2020-6798
If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be...
Mozilla: Incorrect parsing of template tag could result in JavaScript injection
If a template tag was used in a select tag, the parser could be confused and allow JavaScript parsing and execution when it should not be allowed. A site that relied on the browser behaving correctly could suffer a cross-site scripting vulnerability as a result. In general, this flaw cannot be...