Basecamp: Mutation Based Stored XSS on Trix Editor version latest (2.1.8)

A vulnerability was discovered in the Trix Editor version 2.1.8 where a mutation-based stored cross-site scripting XSS attack was possible. The vulnerability could be exploited by crafting a malicious payload that, when copied and pasted into the editor, would trigger the execution of arbitrary...

CVE-2024-48059

CVE-2024-48059 affects gaizhenbiao/chuanhuchatgpt up to version 20240802, vulnerable to stored XSS in WebSocket session transmissions. An attacker can inject malicious content into a WebSocket message, with execution of injected script in a victim’s browser when the session is accessed. The root ...

PT-2024-29708 · Unknown · Acr.Browser.Lightning +1

Name of the Vulnerable Software and Affected Versions: com.videodownload.browser.videodownloader aka AppTool-Browser-Video All Video Downloader version 20-30.05.24 Description: The issue allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity...

PT-2024-34154

Name of the Vulnerable Software and Affected Versions: I, Librarian versions prior to 5.11.2 Description: The issue arises from a broken logic in handling Supplemental Files, allowing unsafe files with Javascript to be executed within the application context. An attacker can exploit this by...

CVE-2024-31972

CVE-2024-31972 affects EnGenius ESR580 A8J-EMR5000 devices, enabling a remote attacker to perform stored XSS via the Wi‑Fi SSID input fields. The vulnerability leads to arbitrary JavaScript execution within the user’s admin session when loading the login page, specifically impacting the endpoints...

The vulnerability of the iframe plugin in the JetBrains YouTrack software environment allows a hacker to execute arbitrary JavaScript code and unauthorized API calls.

The vulnerability of the iframe plugin in the JetBrains YouTrack software environment relates to insufficient verification of the connection source. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code and make unauthorized API requests...

webkitgtk: arbitrary javascript code execution

A vulnerability was found in WebKit. This flaw allows a remote attacker to cause arbitrary javascript code execution...

CVE-2024-47878 Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt)

OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the /extension/gdata/authorized endpoint includes the state GET parameter verbatim in a tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing...

PT-2025-17573

Name of the Vulnerable Software and Affected Versions Jmix versions 1.0.0 through 1.6.1 Jmix versions 2.0.0 through 2.3.4 Description The issue affects Jmix, a set of libraries and tools for Spring Boot data-centric application development. It allows manipulation of the input parameter, which...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

CVE-2024-49579

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests...

CVE-2024-49579

JetBrains YouTrack prior to 2024.3.47197 is affected by CVE-2024-49579 due to insufficient validation of the iframe plugin communication channel, allowing arbitrary JavaScript execution and unauthorized API requests. The issue stems from the iframe plugin; attacker-controlled payloads could be ex...

Esri Portal For ArcGIS Cross-Site Scripting Vulnerability (CNVD-2024-41010)

Esri Portal For ArcGIS is a component from Environmental Systems Research Institute Esri that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A cross-site scripting vulnerability exists in Esri Portal For ArcGIS that stems from...

Esri Portal For ArcGIS Cross-Site Scripting Vulnerability (CNVD-2024-41004)

Esri Portal For ArcGIS is a component from Environmental Systems Research Institute Esri that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. Esri Portal For ArcGIS suffers from a cross-site scripting vulnerability that can be...

Atlassian Confluence 3.0.x < 7.19.25 / 7.20.x < 8.5.11 / 8.6.x < 8.9.3 (CONFSERVER-98205)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-98205 advisory. - A type check was missing when handling fonts in PDF.js, which would allow arbitrary JavaScript execution in the PDF.js context. This vulnerability...

CVE-2023-32192

A vulnerability has been identified in which unauthenticated cross-site scripting XSS in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser...

Rancher API Server 安全漏洞

Rancher API Server is an interface between an HTTP client and more sophisticated applications in the Rancher open source. A security vulnerability exists in Rancher API Server that stems from the presence of cross-site scripting XSS that allows an attacker to execute arbitrary JavaScript code in...

CVE-2024-45740

In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript cod...

PT-2024-7166 · Splunk · Splunk Cloud Platform +2

Name of the Vulnerable Software and Affected Versions: Splunk Enterprise versions prior to 9.2.3 and 9.1.6 Splunk Cloud Platform versions prior to 9.2.2403.108 and 9.1.2312.205 Description: A low-privileged user without the "admin" or "power" Splunk roles could create a malicious payload through ...