5053 matches found

OSV · added 2023/08/14 9:10 p.m. · 13 views

GHSA-9PHH-R37V-34WH lakeFS vulnerable to Arbitrary JavaScript Injection via Direct Link to HTML Files

Impact The browser renders the resulting HTML when opening a direct link to an HTML file via lakeFS. Any JavaScript within that page is executed within the context of the domain lakeFS is running in. An attacker can inject a malicious script inline, download resources from another domain, or make...

CVSS 5.8 · AI score 6.6
Exploits 0 · References 4
Cvelist · added 2023/08/14 8:21 p.m. · 14 views

CVE-2023-38687 Execution of arbitrary JavaScript from Svelecte item names

Svelecte is a flexible autocomplete/select component written in Svelte. Svelecte item names are rendered as raw HTML with no escaping. This allows the injection of arbitrary HTML into the Svelecte dropdown. This can be exploited to execute arbitrary JavaScript whenever a Svelecte dropdown is...

CVSS 5.4 · AI score 6 · EPSS 0.00673
Exploits 1 · References 1
ATTACKERKB · added 2023/08/09 7:15 p.m. · 0 views

CVE-2023-39000

A reflected cross-site scripting XSS vulnerability in the component /ui/diagnostics/log/core/ of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allows attackers to inject arbitrary JavaScript via the URL path...

CVSS 6.1 · AI score 6.3 · EPSS 0.00242
Exploits 1 · References 3
OSV · added 2023/08/09 9:15 a.m. · 1 view

CVE-2023-22843

An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Via stored...

CVSS 4.8 · AI score 5.7
Exploits 0 · References 1
NVD · added 2023/08/09 9:15 a.m. · 9 views

CVE-2023-22843

An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Via stored...

CVSS 7.3 · AI score 6.5 · EPSS 0.00117
Exploits 0 · References 1
Vulnrichment · added 2023/08/09 8:46 a.m. · 11 views

CVE-2023-22843 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2

An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Via stored...

CVSS 7.3 · AI score 5.9 · EPSS 0.00117
Exploits 0 · References 1
CVE · added 2023/08/09 8:46 a.m. · 47 views

CVE-2023-22843

CVE-2023-22843 is a stored XSS vulnerability in Nozomi Guardian/CMC where an authenticated administrator can inject JavaScript into Threat Intelligence rule definitions (yara content; limited HTML for packet/STYX), which then executes in other users’ sessions. Impact includes unauthorized actions...

CVSS 7.3 · AI score 5.9 · EPSS 0.00117
Exploits 0 · References 1 · Affected Software 2
Cvelist · added 2023/08/09 8:46 a.m. · 13 views

CVE-2023-22843 Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2

An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Via stored...

CVSS 7.3 · AI score 6.6 · EPSS 0.00117
Exploits 0 · References 1
NOZOMI · added 2023/08/09 12:00 a.m. · 3 views

Stored Cross-Site Scripting (XSS) in Threat Intelligence rules in Guardian/CMC before 22.6.2

Summary An authenticated attacker with administrative access to the web management interface can inject malicious JavaScript code inside the definition of a Threat Intelligence rule, that will be stored and can later be executed by another legitimate user viewing the details of such a rule. Impac...

CVSS 7.3 · AI score 6.2 · EPSS 0.00117
Exploits 0 · Affected Software 2
Veracode · added 2023/08/07 1:22 a.m. · 16 views

Cross-Site Scripting (XSS)

gitlab is vulnerable to Cross-Site Scripting XSS attacks. The library does not properly escape the special characters before they are output to the front end, allowing an attacker to inject and execute malicious JavaScript in the victim's browser, via the email address field...

CVSS 5.4 · AI score 6.1 · EPSS 0.01004
Exploits 0 · References 3 · Affected Software 1
Veracode · added 2023/08/03 4:26 a.m. · 16 views

Cross-site Scripting (XSS)

github.com/answerdev/answer is vulnerable to Cross-site Scripting XSS. The vulnerability exists due to the library's lack of user input sanitization, which allows an attacker to inject and execute malicious JavaScript...

CVSS 5.4 · AI score 6.6 · EPSS 0.00187
Exploits 1 · References 4 · Affected Software 1
Veracode · added 2023/08/02 6:15 a.m. · 15 views

Stored Cross-site Scripting (XSS)

phpmyfaq is vulnerable to Cross-site Scripting. The vulnerability exists due to a lack of validation of the user input in Link.php, which allows an attacker to inject and execute malicious JavaScript in the browser...

CVSS 5.4 · AI score 6.9 · EPSS 0.00124
Exploits 0 · References 3 · Affected Software 2
Hacker One · added 2023/07/30 12:05 p.m. · 7 views

Mars: Reflected XSS on formaction parameter

The formaction parameter of the target application was found to contain a reflected Cross-Site Scripting XSS vulnerability. User-supplied data was reflected back without proper sanitization, allowing for the injection of malicious JavaScript code. The issue was compounded by potential cache...

AI score 6.4
Exploits 0
Veracode · added 2023/07/29 12:19 a.m. · 22 views

Cross-Site Scripting (XSS)

github.com/answerdev/answer is vulnerable to Cross-Site Scripting XSS attacks. The library does not properly escape the user input before it is output to the front end, allowing an attacker to inject and execute malicious JavaScript in the victim's browser, which leads to potential account takeover...

CVSS 9 · AI score 6.1 · EPSS 0.00448
Exploits 1 · References 3 · Affected Software 1
Veracode · added 2023/07/28 3:50 a.m. · 13 views

Cross-site Scripting (XSS)

github.com/usememos/memos is vulnerable to Cross-site Scripting XSS. The vulnerability exists because the library does not properly validate markdown links, which allows an attacker to inject and execute malicious JavaScript...

CVSS 5.4 · AI score 6.6 · EPSS 0.00337
Exploits 1 · References 5 · Affected Software 1
Veracode · added 2023/07/27 12:56 p.m. · 21 views

Cross-Site Scripting (XSS)

typo3/html-sanitizer is vulnerable to Cross-Site Scripting XSS. The vulnerability exists because a malicious text embedded in a noscript element was not encoded appropriately due to a serialization layer encoding bug, which allows an attacker to inject and execute arbitrary JavaScript when noscri...

CVSS 6.1 · AI score 6.4 · EPSS 0.00378
Exploits 0 · References 5 · Affected Software 1
OSV · added 2023/07/26 8:15 p.m. · 1 view

CVE-2023-31466

An XSS issue was discovered in FSMLabs TimeKeeper 8.0.17. On the "Configuration - Compliance - Add a new compliance report" and "Configuration - Timekeeper Configuration - Add a new source there" screens, there are entry points to inject JavaScript code...

CVSS 5.4 · AI score 5.8 · EPSS 0.00116
Exploits 1 · References 2
Veracode · added 2023/07/26 9:09 a.m. · 33 views

Cross-Site Scripting (XSS)

copyparty is vulnerable to Cross-Site Scripting. The vulnerability exists due to a lack of user input validation in the ?k304= and ?setck= parameters, which allows an attacker to inject and execute arbitrary JavaScript in the browser...

CVSS 6.3 · AI score 7 · EPSS 0.79633
Exploits 3 · References 5 · Affected Software 1
CVE · added 2023/07/26 12:00 a.m. · 48 views

CVE-2023-31466

CVE-2023-31466 – FSMLabs TimeKeeper 8.0.17 XSS Affected software: FSMLabs TimeKeeper v8.0.17. Vulnerability: Cross-site scripting (XSS) due to multiple JavaScript code injection entry points on the UI. Specifically, the following screens expose potential injection points: 1) Configuration → Compl...

CVSS 5.4 · AI score 5.2 · EPSS 0.00116
Exploits 1 · References 2 · Affected Software 1
Positive Technologies · added 2023/07/26 12:00 a.m. · 3 views

PT-2023-23345 · Fsmlabs · Fsmlabs Timekeeper

Name of the Vulnerable Software and Affected Versions: FSMLabs TimeKeeper version 8.0.17 Description: A cross-site scripting XSS issue was found, allowing for the injection of JavaScript code on specific screens. The affected screens include "Configuration - Compliance - Add a new compliance...

CVSS 5.4 · AI score 5.5 · EPSS 0.00116
Exploits 1 · References 3