CVE-2024-43400 XWiki Platform allows XSS through XClass name in string properties
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. Thi...
CVE-2024-6533
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with...
PT-2024-29558 · Ibm · Ibm Common Licensing
Name of the Vulnerable Software and Affected Versions: IBM Common Licensing version 9.0 Description: This issue allows a privileged user to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session...
Acronis: Potential XSS in redirect_url Parameter
The summary is as follows: A vulnerability was identified on https://learn.acronis.com/ in the redirecturl parameter, where arbitrary JavaScript code could be injected. By manipulating the redirectUrl parameter, an attacker could execute JavaScript code on the victim's browser...
CVE-2024-33536
An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading...
CVE-2024-21550
SteVe is an open platform that implements different versions of the OCPP protocol for Electric Vehicle charge points, acting as a central server for management of registered charge points. Attackers can inject arbitrary HTML and JavaScript code via WebSockets, leading to persistent Cross-Site...
Zimbra Collaboration Suite Security Vulnerability
Zimbra Collaboration Suite ZCS is an open source collaboration suite from Zimbra. The product includes WebMail, Calendar, Address Book and more. A security vulnerability in Zimbra Collaboration Suite versions 9.0 and 10.0, which stems from insufficient input validation of the res parameter, allow...
Cross-site Scripting (XSS)
microweber/microweber is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient input validation in userfiles\modules\tags\addtaggingtagged.php, which allows attackers to inject and execute arbitrary JavaScript...
CVE-2024-41960
mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scrip...
CVE-2024-41959
mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of th...
CVE-2024-41960
CVE-2024-41960 affects mailcow: dockerized (Relay Hosts configuration). An authenticated admin can inject a JavaScript payload into the Relay Hosts config, and the payload executes in the user’s browser when the configuration page is viewed, enabling arbitrary script execution in the user context...
mailcow Security Vulnerability
mailcow is a mail server suite from mailcow open source. A security vulnerability exists in versions prior to mailcow 2024-07 that stems from the ability of an unauthenticated attacker to inject a JavaScript payload into API logs, which could allow an attacker to run malicious scripts in the...
mailcow Security Vulnerability
mailcow is a mail server suite from mailcow open source. A security vulnerability exists in versions prior to mailcow 2024-07 that originates from an authenticated administrator user being able to inject a JavaScript payload into the relay host configuration, which could allow an attacker to...
PT-2024-5831 · Mailcow · Mailcow
Name of the Vulnerable Software and Affected Versions: mailcow: dockerized versions prior to 2024-07 Description: The issue allows an unauthenticated attacker to inject a JavaScript payload into the API logs. This payload is executed when the API logs page is viewed, potentially allowing an...
CVE-2024-7204
Ai3 QbiBot does not properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. Once the recipient views the message, they will be subject to a Stored XSS attack...
CVE-2024-31199
A “CWE-79: Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'” allows malicious users to permanently inject arbitrary Javascript code...
Plug and Track Sensor Net Connect Security Vulnerability
Plug and Track Sensor Net Connect is a smart sensor from the French company Plug and Track. It is used to monitor temperature, humidity, pressure, CO2 and other parameters. A security vulnerability exists in Plug and Track Sensor Net Connect version V2, which stems from the presence of cross-site...
PT-2024-23842 · Plug&Track +1 · Sensor Net Connect V2 +1
Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned. Description: A CWE-79 issue allows malicious users to permanently inject arbitrary Javascript code, enabling cross-site scripting. This issue permits malicious users to inject code into web page...
Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs
Impact: This XSS vulnerability concerns the system configs design/header/welcome, design/header/logosrc, design/header/logosrcsmall and design/header/logoalt. They are intended to enable admins to set a text in the two cases, and to define an image URL for the other two cases. But because of previously...
PT-2024-29501 · Adobe · Magento
Name of the Vulnerable Software and Affected Versions: Magento-lts versions prior to 20.10.1 Description: This issue affects the design/header/welcome, design/header/logo src, design/header/logo src small, and design/header/logo alt system configs, which are intended to enable admins to set a tex...