5968 matches found
CVE-2024-12374 Stored XSS in automatic1111/stable-diffusion-webui
A stored cross-site scripting XSS vulnerability exists in automatic1111/stable-diffusion-webui version git 82a973c. An attacker can upload an HTML file, which the application interprets as content-type application/html. If a victim accesses the malicious link, it will execute arbitrary JavaScript...
LLaVA 跨站请求伪造漏洞
LLaVA is an application by the individual developer Haotian Liu. A cross-site request forgery vulnerability exists in LLaVA v1.2.0, which stems from cross-site request forgery and could allow an attacker to upload malicious files and execute arbitrary JavaScript code...
CVE-2024-48591
Inflectra SpiraTeam 7.2.00 is vulnerable to Cross Site Scripting XSS. A specially crafted SVG file can be uploaded that will render and execute JavaScript upon direct viewing...
PrivateGPT 跨站脚本漏洞
PrivateGPT is an AI project open-sourced by Zylon. A cross-site scripting vulnerability exists in PrivateGPT version v0.5.0, which stems from cross-site scripting during file uploads, which allows an attacker to upload a malicious SVG file and execute JavaScript when the victim clicks on the file...
CVE-2024-55009
CVE-2024-55009 refers to a reflected XSS in AutoBib - Bibliographic collection management system (versions 3.1.140 and earlier). The vulnerability allows an attacker to cause arbitrary JavaScript execution in a victim’s browser by injecting a crafted payload into the WCE=topFrame&WCU= parameter. ...
CVE-2024-55009
A reflected cross-site scripting XSS vulnerability in AutoBib - Bibliographic collection management system 3.1.140 and earlier allows attackers to execute arbitrary Javascript in the context of a victim's browser via injecting a crafted payload into the WCE=topFrame&WCU= parameter...
CVE-2025-25363
An authenticated stored cross-site scripting XSS vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center JEMH before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user's browser via injecting a crafted payload int...
CVE-2025-28010
A cross-site scripting XSS vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...
CVE-2025-27914
An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0 and 10.1. A Reflected Cross-Site Scripting XSS vulnerability exists in the /h/rest endpoint, allowing authenticated attackers to inject and execute arbitrary JavaScript in a victim's session. Exploitation requires a valid auth token...
GLPI Inventory Plugin 跨站脚本漏洞
GLPI Inventory Plugin is an open source plugin for GLPI France. It is used to handle various types of tasks for GLPI agents. A cross-site scripting vulnerability exists in GLPI Inventory Plugin versions prior to 1.5.0, which stems from reflective cross-site scripting and could lead to the executi...
CVE-2025-25363
An authenticated stored cross-site scripting XSS vulnerability in The Plugin People Enterprise Mail Handler for Jira Data Center JEMH before v4.1.69-dc allows attackers with Administrator privileges to execute arbitrary Javascript in context of a user's browser via injecting a crafted payload int...
firefox: Unexpected GC during RegExp bailout processing
A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: It was possible to interrupt the processing of a RegExp bailout and run additional JavaScript, potentially triggering garbage collection when the engine was not expecting it...
MODX Revolution 安全漏洞
MODX Revolution is an open source PHP-based content management system CMS from MODX USA. The system supports online collaboration, search engine optimization SEO and more. A security vulnerability exists in MODX Revolution versions prior to 3.1.0, which originates from the fact that an...
The vulnerability of the pdf.js library on the MFlash secure data exchange platform, related to the lack of protective measures for website structures, allows attackers to execute arbitrary JavaScript code.
The vulnerability of the pdf.js library on the MFlash secure data exchange platform is related to the lack of protective measures for the web page structure. Exploiting this vulnerability could allow an attacker to execute arbitrary JavaScript code remotely...
CVE-2025-27915
The CVE-2025-27915 issue affects Zimbra Collaboration (ZCS) Classic Web Client, where insufficient sanitization of HTML in ICS files enables stored XSS when viewing an email with a crafted ICS entry. The underlying flaw allows embedded JavaScript to execute via an ontoggle event inside a tag, en...
CVE-2025-27915
An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0 and 10.1. A stored cross-site scripting XSS vulnerability exists in the Classic Web Client due to insufficient sanitization of HTML content in ICS files. When a user views an e-mail message containing a malicious ICS entry, its...
CVE-2025-25929
A reflected cross-site scripting XSS vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...
CVE-2025-25929
A reflected cross-site scripting XSS vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...
CVE-2025-25929
A reflected cross-site scripting XSS vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...
CVE-2025-25929
A reflected cross-site scripting XSS vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter...