WebKit - UXSS via XSLT and Nested Document Replacements Exploit

VULNERABILITY DETAILS https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cppL66 Ref XSLTProcessor::createDocumentFromSourceconst String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Node sourceNode, Frame frame Ref...

WebKit - UXSS via XSLT and Nested Document Replacements

VULNERABILITY DETAILS https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cppL66 Ref XSLTProcessor::createDocumentFromSourceconst String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Node sourceNode, Frame frame Ref...

CVE-2019-14770

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...

Sql injection

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...

CVE-2019-14770

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...

CVE-2019-14770

CVE-2019-14770 affects Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3. An attacker who can create administrative menu links (roles with such permissions) can craft menu links in the admin bar to execute JavaScript when an administrator using the search function is logged in. The root ...

Firefly III Cross-Site Scripting Vulnerability (CNVD-2019-30451)

Firefly III is a free, open source, self-hosted personal finance manager. A stored cross-site scripting vulnerability exists in Firefly III 4.7.17.3. The vulnerability stems from a lack of filtering of data provided by the user in the billname field. An attacker can exploit the vulnerability to...

Design/Logic Flaw

Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of filtration of user-supplied data in the bill name field. The JavaScript code is executed during rule-from-bill creation...

Cross site scripting

A reflected cross-site scripting vulnerability exists on the customer cart checkout page of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This could be exploited by sending a victim a crafted URL that results in malicious javascript execution in the victim's...

Information disclosure

When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn't check Deeplink URL correctly. This could lead to javascript code execution, url redirection, sensitive information disclosure. An attacker can exploit this issue by enticing an unsuspecting user to open a...

CVE-2019-5458

Cross-site scripting XSS vulnerability in http-file-server all versions allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser...

CVE-2019-5458

Cross-site scripting XSS vulnerability in http-file-server all versions allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser...

CVE-2019-5457

Cross-site scripting XSS vulnerability in min-http-server all versions allows an attacker with access to the server file system to execute arbitrary JavaScript code in victim's browser...

PT-2019-17686 · Unknown · Min-Http-Server

Name of the Vulnerable Software and Affected Versions: min-http-server all versions Description: A cross-site scripting XSS issue allows an attacker with access to the server file system to execute arbitrary JavaScript code in a victim's browser. The package fails to sanitize filenames, enabling...

Cross-site Scripting (XSS)

stackable.js is vulnerable to Cross-Site Scripting. The library does not sanitize the output properly when constructing the HTML from the existing elements,, allowing an attacker to use a malicious payload to execute arbitrary Javascript code...

Foxit PhantomPDF Denial of Service Vulnerability (CNVD-2019-24197)

PhantomPDF is a multifunctional PDF editor. A denial of service vulnerability exists in Foxit PhantomPDF versions prior to 8.3.11. The vulnerability stems from a failure to properly validate the existence of an object before performing operations on it during JavaScript execution. An attacker cou...

UBUNTU-CVE-2019-1010261

Gitea 1.7.0 and earlier is affected by: Cross Site Scripting XSS. The impact is: Attacker is able to have victim execute arbitrary JS in browser. The component is: go-get URL generation - PR to fix: https://github.com/go-gitea/gitea/pull/5905. The attack vector is: victim must open a specifically...

CVE-2019-13647

Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$fileid$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as the user in...

Design/Logic Flaw

DISPUTED Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of filtration of user-supplied data in image file content. The JavaScript code is executed during attachments/view/$fileid$ attachment viewing. NOTE: It is asserted that an attacker must have the same access rights as th...

CVE-2019-1010091

tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization of Input During Web Page Generation. The impact is: JavaScript code execution. The component is: Media element. The attack vector is: The victim must paste malicious content to media element's embed tab...