Lucene search
5956 matches found

Hacker One
added 2021/10/15 6:15 a.m., 20 views

U.S. Dept Of Defense: Cross-site Scripting (XSS) - Reflected at https://██████████/

Hello Team, I just found a reflected XSS bug on your web https://█████. Steps to reproduce: PoC URL: https://████/7/0/33/1d/www.citysearch.com/search?what=x&where=place%22%3E%3Csvg+onload=confirmdocument.domain%3E Impact: Data can be stolen, or JavaScript can be executed. This will allow th...

AI score 7
Exploits 0
OSV
added 2021/10/14 8:15 p.m., 1 view

UBUNTU-CVE-2021-38295

In Apache CouchDB, a malicious user with permission to create documents in a database is able to attach an HTML attachment to a document. If a CouchDB admin opens that attachment in a browser, e.g. via the CouchDB admin interface Fauxton, any JavaScript code embedded in that HTML attachment will b...

CVSS 7.3, AI score 5.8, EPSS 0.02474
Exploits 1, References 2
Prion
added 2021/10/13 5:15 p.m., 12 views

Design/Logic Flaw

Anuko Time Tracker is an open source, web-based time tracking application written in PHP. When a logged-on user selects a date in Time Tracker, it is passed via the date parameter in the URI. Because this parameter was not checked for sanity in versions prior to 1.19.30.5600, it was possible...

CVSS 4.3, AI score 6.1, EPSS 0.0099
Exploits 0, References 3, Affected Software 1
CVE
added 2021/10/13 5:10 p.m., 45 views

CVE-2021-41139

Anuko Time Tracker (PHP) suffers a reflected XSS in time.php via the date URI parameter, exploitable before patch in 1.19.30.5600. An attacker could persuade a logged-in user to click a crafted link, causing attacker-supplied JavaScript to execute in the user’s browser. Remediated in version 1.19...

CVSS 8.1, AI score 6.4, EPSS 0.0099
Exploits 0, References 3, Affected Software 1
Github Security Blog
added 2021/10/12 4:22 p.m., 34 views

Cross-site Scripting in jsoneditor

Stored XSS was discovered in the tree mode of jsoneditor before 9.0.2 through injecting and executing JavaScript...

CVSS 6.1, AI score 5.8, EPSS 0.00692
Exploits 1, References 3, Affected Software 1
OSV
added 2021/10/11 11:15 a.m., 1 view

CVE-2021-24563

The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing an unauthenticated user to upload a malicious HTML file containing JavaScript, for example, which will be triggered when someone accesses the file directly...

CVSS 6.1, AI score 5.8, EPSS 0.26379
Exploits 6, References 2
CNNVD
added 2021/10/11 12:00 a.m., 4 views

WordPress plugin cross-site scripting vulnerability

WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blogging sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions of the WordPress Coming soon and Maintenance plugin...

CVSS 5.4, AI score 5.8, EPSS 0.006
Exploits 2, References 2
CNNVD
added 2021/10/11 12:00 a.m., 7 views

WordPress plugin cross-site scripting vulnerability

WordPress is the WordPress Foundation's set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions of the WordPress Enfold theme prior to 4.8.4, which originate...

CVSS 6.1, AI score 6.2, EPSS 0.02959
Exploits 5, References 4
CNNVD
added 2021/10/11 12:00 a.m., 4 views

WordPress plugin cross-site scripting vulnerability

WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in versions of the WordPress Quiz And Survey Master plugin prior to 7.3.2, whi...

CVSS 4.8, AI score 5.4, EPSS 0.00603
Exploits 2, References 2
CNNVD
added 2021/10/11 12:00 a.m., 6 views

WordPress plugin cross-site scripting vulnerability

WordPress is the WordPress Foundation's suite of blogging platforms developed using the PHP language. The platform supports the hosting of personal blog sites on servers with PHP and MySQL. The WordPress Chained Quiz plugin 1.2.7.2 previously contained a cross-site scripting vulnerability that stemme...

CVSS 5.4, AI score 5.8, EPSS 0.00604
Exploits 2, References 2
Tenable Nessus
added 2021/10/10 12:00 a.m., 32 views

openSUSE 15 Security Update : rabbitmq-server (openSUSE-SU-2021:3325-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3325-1 advisory. - RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the...

CVSS 7.5, AI score 6.3, EPSS 0.01437
Exploits 2, References 11
OSV
added 2021/10/06 9:15 p.m., 18 views

CVE-2021-42044

An issue was discovered in the Mentor dashboard in the GrowthExperiments extension in MediaWiki through 1.36.2. The Growthexperiments-mentor-dashboard-mentee-overview-add-filter-total-edits-headline, growthexperiments-mentor-dashboard-mentee-overview-add-filter-starred-headline,...

CVSS 4.8, AI score 7.1
Exploits 0, References 2
Prion
added 2021/10/06 9:15 p.m., 21 views

Design/Logic Flaw

An issue was discovered in CentralAuth in MediaWiki through 1.36.2. The rightsnone MediaWiki message was not being properly sanitized and allowed for the injection and execution of HTML and JavaScript via the setchange log...

CVSS 4.3, AI score 6.5, EPSS 0.00953
Exploits 1, References 2, Affected Software 1
CVE
added 2021/10/06 8:28 p.m., 52 views

CVE-2021-42041

CVE-2021-42041 affects MediaWiki CentralAuth up to version 1.36.2, where the rightsnone message was not properly sanitized. This allows injection and execution of HTML/JavaScript via the setchange log, enabling a potential cross-site scripting vector. The CVSS metrics indicate a Network attack ve...

CVSS 6.1, AI score 6.5, EPSS 0.00953
Exploits 1, References 2, Affected Software 1
CVE
added 2021/10/06 8:28 p.m., 60 views

CVE-2021-42044

CVE-2021-42044 (MediaWiki): The issue affects the Mentor dashboard in the GrowthExperiments extension up to MediaWiki 1.36.2, where specific mentor- and mentee-related messages (e.g., add-filter-total-edits, info-text, info-legend, active-ago) were not properly sanitized. This allows injec...

CVSS 4.8, AI score 5.4, EPSS 0.00616
Exploits 1, References 2, Affected Software 1
CNNVD
added 2021/10/06 12:00 a.m., 5 views

MediaWiki cross-site scripting vulnerability

MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. The product can be used to deploy internal knowledge management and content management systems. A security vulnerability exists in MediaWiki, which stems from...

CVSS 4.8, AI score 5.7, EPSS 0.00532
Exploits 0, References 4
CNNVD
added 2021/10/06 12:00 a.m., 4 views

MediaWiki cross-site scripting vulnerability

MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. The product can be used to deploy internal knowledge management and content management systems. A security vulnerability exists in MediaWiki that allows injection and execution of HTML and...

CVSS 4.8, AI score 5.7, EPSS 0.00616
Exploits 1, References 4
CNNVD
added 2021/10/06 12:00 a.m., 4 views

MediaWiki cross-site scripting vulnerability

MediaWiki is a suite of free and freely available web-based Wiki engines from the MediaWiki Foundation. The product can be used to deploy internal knowledge management and content management systems. A security vulnerability exists in Special:MediaSearch in MediaWiki's MediaSearch extension, whic...

CVSS 6.1, AI score 5.8, EPSS 0.00726
Exploits 0, References 4
OSV
added 2021/10/05 1:15 p.m., 0 views

UBUNTU-CVE-2021-39878

A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary JavaScript code...

CVSS 5.8, AI score 6.3, EPSS 0.0078
Exploits 0, References 5
Huntr
added 2021/10/05 5:07 a.m., 22 views

Cross-site Scripting (XSS) - Generic in snipe/snipe-it

Description: File Uploads allows for arbitrary execution of JavaScript. Steps to reproduce: XSS at filename: go to the detail of one asset; at the File tab, choose to upload a file with a filename containing the payload: file'name. XSS when uploading a .svg file: the list of allowed file types does not include .svg. Go to detail ...

CVSS 4.3, EPSS 0.00764
Exploits 1