CVE-2015-10130
The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the circlethumbnailsliderwithlightboximagemanagementfunc function. This makes it possible for unauthenticated attacke...
PT-2024-12168 · Ibm · Ibm Sterling Partner Engagement Manager
Name of the Vulnerable Software and Affected Versions: IBM Sterling Partner Engagement Manager versions 6.1.2, 6.2.0, and 6.2.2 Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosu...
BIT-WORDPRESS-2020-4047 Authenticated XSS via media attachment page in WordPress
In affected versions of WordPress, authenticated users with upload permissions like authors are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has...
BIT-SUITECRM-2021-31792
XSS in the client account page in SuiteCRM before 7.11.19 allows an attacker to inject JavaScript via the name field...
BIT-SEOPANEL-2021-28417
A cross-site scripting XSS issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php and the "searchname" parameter...
BIT-SEOPANEL-2021-28420
A cross-site scripting XSS issue in Seo Panel 4.8.0 allows remote attackers to inject JavaScript via alerts.php and the "fromtime" parameter...
BIT-SEOPANEL-2021-29008
A cross-site scripting XSS issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via webmaster-tools.php in the "totime" parameter...
BIT-SEOPANEL-2021-29009
A cross-site scripting XSS issue in SEO Panel 4.8.0 allows remote attackers to inject JavaScript via archive.php in the "type" parameter...
BIT-RUM-2021-27308
A cross-site scripting XSS vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter...
BIT-GHOST-2022-47195
An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary JavaScript in posts, which allows privilege escalation to administrator via XSS. To trigger this...
PT-2024-12713 · Ibm · Ibm Cics Tx Advanced
Name of the Vulnerable Software and Affected Versions: IBM CICS TX Advanced version 10.1 Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session...
CVE-2024-27290 Docassemble HTML and javascript injection
Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the mast...
CVE-2024-1976
The Marketing Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20200925. This is due to missing or incorrect nonce validation via the admin/main-settings-page.php file. This makes it possible for unauthenticated attackers to update t...
CVE-2024-26473
A reflected cross-site scripting XSS vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious JavaScript into the web browser of a victim via the poll parameter in poll.php...
CVE-2024-0590
The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the editclarityprojectid function. This makes it possible for unauthenticated attackers to change the project id and add...
Watermark RELOADED <= 1.3.5 - Cross-Site Request Forgery via optionsPage
Description The Watermark RELOADED plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.5. This is due to missing or incorrect nonce validation on the 'optionsPage' function. This makes it possible for unauthenticated attackers to update plugin...
Cross Site Scripting (XSS)
baserproject/basercms is vulnerable to Cross Site Scripting XSS. The vulnerability is due to improper sanitization in the content management feature in View/Helper/BcAdminFormHelper.php, which allows an attacker to inject and execute arbitrary JavaScript in the browser...
GHSA-VVPF-53QX-CXHH Liferay Portal has a Stored XSS with Blog entries (Insecure defaults)
In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated use...