5006 matches found

WPVulnDB
added 2022/06/02 12:00 a.m. | 14 views

Dokan < 3.6.4 - Vendor Stored Cross-Site Scripting

The plugin allows vendors to inject arbitrary JavaScript in product reviews, which may allow them to run stored XSS attacks against other users such as site administrators. PoC: As a vendor, add a review to any product with the following payload: https://youtu.be/gGUNSG5s5JU...

AI score 1.5 | EPSS 0.00255
Exploits 2 | Affected Software 1
Veracode
added 2022/06/01 9:52 a.m. | 37 views

Denial Of Service (DoS)

protobuf is vulnerable to denial of service. The vulnerability exists due to a lack of sanitization in the google.protobuf.UnknownFieldSet parameter, which allows a remote attacker to inject malicious JavaScript into the system and cause a crash, allowing an attacker to...

CVSS 7.5 | AI score 6.2 | EPSS 0.00471
Exploits 1 | References 8 | Affected Software 3
CNNVD
added 2022/05/25 12:00 a.m. | 2 views

WordPress plugin Advanced Contact form 7 DB Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress Advanced Contact form 7 DB 1.8.7 and its previous versions have a cross-site scripting vulnerability, which can be exploited by...

CVSS 6.1 | AI score 5.3 | EPSS 0.0021
Exploits 0 | References 3
Snyk
added 2022/05/24 10:29 p.m. | 2 views

Cross-site Scripting (XSS)

Overview: magento/community-edition is a modern cloud eCommerce platform. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via form fields. An attacker can execute arbitrary JavaScript in the context of a victim's browser by injecting malicious scripts into vulnerable...

CVSS 6.5 | AI score 5.7 | EPSS 0.01528
Exploits 0 | References 2
Github Security Blog
added 2022/05/24 5:35 p.m. | 22 views

Moodle Cross-site Scripting (XSS)

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8...

CVSS 6.1 | AI score 6.4 | EPSS 0.0034
Exploits 0 | References 3 | Affected Software 1
OSV
added 2022/05/24 5:35 p.m. | 14 views

GHSA-4W4J-9533-82QG Moodle Cross-site Scripting (XSS)

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8...

CVSS 6.1 | AI score 5.8 | EPSS 0.0034
Exploits 0 | References 3
OSV
added 2022/05/24 5:34 p.m. | 0 views

GHSA-38RQ-RH9W-CMW6 Cross site scripting in Crafter CMS

In Crafter CMS Crafter Studio 3.0.1, an unauthenticated attacker is able to inject malicious JavaScript code, resulting in a stored/blind XSS in the admin panel...

CVSS 6.1 | AI score 5.9 | EPSS 0.01409
Exploits 0 | References 2
OSV
added 2022/05/24 5:00 p.m. | 6 views

GHSA-MHWC-4W67-XQ2C Magento Cross-Site Scripting via store name

A stored cross-site scripting (XSS) vulnerability exists in Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious JavaScript into the name of the main website...

CVSS 5.4 | AI score 5.1 | EPSS 0.00148
Exploits 0 | References 4
OSV
added 2022/05/24 4:55 p.m. | 1 view

GHSA-9M48-54PJ-H248 Improper Neutralization of Input During Web Page Generation in Jenkins

A stored cross-site scripting vulnerability in Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed attackers with Overall/Administer permission to configure the update site URL to inject arbitrary HTML and JavaScript in update center web pages...

CVSS 4.8 | AI score 7.1 | EPSS 0.00292
Exploits 0 | References 7
Github Security Blog
added 2022/05/24 4:52 p.m. | 16 views

Magento 2 Community Edition XSS Vulnerability

A stored cross-site scripting vulnerability exists in the admin panel of Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. This could be exploited by an authenticated user with privileges to modify node attributes to inject malicious JavaScript...

CVSS 4.8 | AI score 5.9 | EPSS 0.00092
Exploits 0 | References 5 | Affected Software 1
OSV
added 2022/05/23 8:16 a.m. | 1 view

CVE-2022-1093

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed...

CVSS 4.8 | AI score 5.9 | EPSS 0.00252
Exploits 2 | References 1
ATTACKERKB
added 2022/05/23 8:16 a.m. | 3 views

CVE-2022-1093

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed...

CVSS 4.8 | AI score 5.6 | EPSS 0.00252
Exploits 2 | References 2
NVD
added 2022/05/23 8:16 a.m. | 13 views

CVE-2022-1093

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed...

CVSS 4.8 | EPSS 0.00252
Exploits 2 | References 1
Prion
added 2022/05/23 8:16 a.m. | 13 views

Hardcoded credentials

The WP Meta SEO WordPress plugin before 4.4.7 does not sanitise or escape the breadcrumb separator before outputting it to the page, allowing a high privilege user such as an administrator to inject arbitrary javascript into the page even when unfiltered html is disallowed...

CVSS 3.5 | AI score 5.1 | EPSS 0.00252
Exploits 2 | References 1 | Affected Software 1
CNNVD
added 2022/05/23 12:00 a.m. | 4 views

Diary Management System Cross-Site Scripting Vulnerability

Diary Management System is a multi-user diary management system that enables staff in an organization to set/update/view meetings and appointments. The system will run through a central server, but clients will be able to run offline. A cross-site scripting vulnerability exists in Diary Managemen...

CVSS 6.1 | AI score 5.2 | EPSS 0.39704
Exploits 1 | References 5
CNNVD
added 2022/05/23 12:00 a.m. | 3 views

WordPress plugin WP Contacts Manager Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists in versions of the WordPress WP Meta SEO plugin prior to 4.4.7,...

CVSS 4.8 | AI score 5.4 | EPSS 0.00252
Exploits 2 | References 2
RedhatCVE
added 2022/05/20 11:28 p.m. | 38 views

CVE-2020-4047

In affected versions of WordPress, authenticated users with upload permissions like authors are able to inject JavaScript into some media file attachment pages in a certain way. This can lead to script execution in the context of a higher privileged user when the file is viewed by them. This has...

CVSS 6.8 | AI score 4.6 | EPSS 0.05566
Exploits 0 | References 1
RedhatCVE
added 2022/05/20 11:06 p.m. | 12 views

CVE-2020-25631

A flaw was found in Moodle in versions 3.9 to 3.9.1, 3.8 to 3.8.4, and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This issue is fixed in versions 3.9.2, 3.8.5, and 3.7.8...

CVSS 6.1 | AI score 2.5 | EPSS 0.0034
Exploits 0 | References 2
CNNVD
added 2022/05/20 12:00 a.m. | 3 views

IBM Jazz Team Server Cross-Site Scripting Vulnerability

IBM Jazz Team Server is an application server from IBM USA. It provides base services that enable a group of tools to work together as a single logical server and includes any number of Jazz Team Server Extensions that provide tool-specific functionality. A cross-site scripting vulnerability exists ...

CVSS 6.4 | AI score 5.6 | EPSS 0.00199
Exploits 0 | References 3
Github Security Blog
added 2022/05/19 12:00 a.m. | 23 views

Cross-site Scripting in OctoPrint

Cross-site Scripting (XSS) - DOM in GitHub repository octoprint/octoprint prior to 1.8.0. The login endpoint allows for JavaScript injection, which may lead to account takeover in a phishing scenario...

CVSS 7.5 | AI score 1.8 | EPSS 0.00444
Exploits 1 | References 5 | Affected Software 1