
5000 matches found

Cvelist
added 2019/10/17 4:55 p.m., 15 views

CVE-2019-16330

In NCH Express Accounts Accounting v7.02, persistent cross-site scripting (XSS) exists in the Invoices/Sales Orders/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Sales Orders/Items/Customers/Quotes fields parameter to inject arbitrary JavaScript...

AI score: 5.3, EPSS: 0.00369
Exploits: 1, References: 1

Cvelist
added 2019/10/14 5:2 p.m., 13 views

CVE-2019-16282

In NCH Express Invoice v7.12, persistent cross-site scripting (XSS) exists via the Invoices/Items/Customers/Quotes input field. An authenticated unprivileged user can add/modify the Invoices/Items/Customers fields parameter to inject arbitrary JavaScript...

AI score: 5.3, EPSS: 0.00391
Exploits: 0, References: 1

RedHat Linux
added 2019/10/10 3:38 p.m., 0 views

bootstrap: XSS in the tooltip or popover data-template attribute

A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired...

CVSS: 6.1, AI score: 6.4, EPSS: 0.01668
Exploits: 1, References: 4

OSV
added 2019/10/08 7:15 p.m., 11 views

CVE-2019-10756

It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default...

CVSS: 5.4, AI score: 6.5
Exploits: 0, References: 1

NVD
added 2019/10/08 7:15 p.m., 13 views

CVE-2019-10756

It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default...

CVSS: 5.4, AI score: 5.4, EPSS: 0.00206
Exploits: 1, References: 1

Prion
added 2019/10/08 7:15 p.m., 10 views

Design/Logic Flaw

It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default...

CVSS: 3.5, AI score: 5.4, EPSS: 0.00206
Exploits: 1, References: 1, Affected Software: 1

CVE
added 2019/10/08 6:58 p.m., 48 views

CVE-2019-10756

CVE-2019-10756 affects node-red-dashboard prior to version 2.17.0 where the ui_notification node accepts raw HTML by default, enabling JavaScript injection and thus cross-site scripting (XSS). The vulnerability stems from the ability to inject script through the notification UI component, as conf...

CVSS: 5.4, AI score: 5.3, EPSS: 0.00206
Exploits: 1, References: 1, Affected Software: 1

Cvelist
added 2019/10/08 6:58 p.m., 12 views

CVE-2019-10756

It is possible to inject JavaScript within node-red-dashboard versions prior to version 2.17.0 due to the ui_notification node accepting raw HTML by default...

AI score: 5.4, EPSS: 0.00206
Exploits: 1, References: 1

Veracode
added 2019/10/03 2:42 a.m., 20 views

Cross-Site Scripting (XSS)

mavon-editor is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary JavaScript in a victim's browser to steal session tokens or perform unwanted actions on behalf of the user...

AI score: 3.8
Exploits: 0

WPVulnDB
added 2019/10/02 12:0 a.m., 20 views

Download Plugins and Themes from Dashboard <= 1.5.0 - Unauthenticated Stored XSS

NinTechNet discovered multiple security issues within the Download Plugins and Themes from Dashboard WordPress plugin. The plugin's setting update request did not check for authorisation, allowing an unauthenticated user to inject malicious JavaScript, which would be stored in the backend...

CVSS: 4.3, AI score: 1.5, EPSS: 0.00302
Exploits: 0, References: 2, Affected Software: 1

Positive Technologies
added 2019/10/01 12:0 a.m., 3 views

PT-2019-17109 · IBM · IBM Jazz Reporting Service

Name of the Vulnerable Software and Affected Versions: IBM Jazz Reporting Service (JRS) versions 6.0 through 6.0.6.1. Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a...

CVSS: 5.4, AI score: 5.4, EPSS: 0.00174
Exploits: 0, References: 3

NVD
added 2019/09/30 4:15 p.m., 16 views

CVE-2019-16683

An issue was discovered in the image-manager in Xoops 2.5.10. When the breadcrumb showing the category name is hovered over while editing any image, a JavaScript payload executes...

CVSS: 4.8, AI score: 5.1, EPSS: 0.00327
Exploits: 1, References: 3

OSV
added 2019/09/27 9:15 p.m., 0 views

CVE-2019-3747

Dell EMC Integrated Data Protection Appliance versions prior to 2.3 contain a stored cross-site scripting vulnerability. A remote malicious ACM admin user may potentially exploit this vulnerability to store malicious HTML or JavaScript code in Cloud DR add-on specific field. When victim users...

CVSS: 4.8, AI score: 6.7
Exploits: 0, References: 1

ThreatPost
added 2019/09/25 9:37 p.m., 71 views

Magecart Group Targets Routers Behind Public Wi-Fi Networks

A faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels. If successful, attackers would be able to compromise these commercial-grade routers and siphon payment data of users joining Wi-Fi networks ...

AI score: 7.3
Exploits: 0, References: 9

OSV
added 2019/09/19 8:15 p.m., 1 views

CVE-2019-16525

An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code...

CVSS: 6.1, AI score: 5.8
Exploits: 0, References: 4

OpenVAS
added 2019/09/17 12:0 a.m., 13 views

Dolibarr <= 10.0.1 XSS Vulnerability

Dolibarr is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:dolibarr:dolibarr"...

CVSS: 6.1, AI score: 5.9, EPSS: 0.00154
Exploits: 5, References: 2

Veracode
added 2019/08/27 5:20 a.m., 20 views

Cross-Site Scripting (XSS)

status-board is vulnerable to cross-site scripting (XSS). The error 404 message is not sanitized, which would allow a remote attacker to inject arbitrary JavaScript into a victim's browser via the safeDashboardName parameter...

CVSS: 6.1, AI score: 3.5, EPSS: 0.0024
Exploits: 0, References: 1, Affected Software: 1

Veracode
added 2019/08/27 2:4 a.m., 19 views

Cross-site Scripting (XSS)

anahkiasen/former is vulnerable to cross-site scripting (XSS). The vulnerability exists because the value $value in Checkable.php is not sanitized, allowing a remote attacker to inject arbitrary JavaScript into a victim's browser through the affected parameters...

CVSS: 6.1, AI score: 4.2, EPSS: 0.00305
Exploits: 1, References: 3, Affected Software: 1

NVD
added 2019/08/22 7:15 p.m., 10 views

CVE-2014-10394

The rich-counter plugin before 1.2.0 for WordPress has JavaScript injection via a User-Agent header...

CVSS: 6.1, AI score: 6.5, EPSS: 0.0019
Exploits: 0, References: 1

NVD
added 2019/08/22 7:15 p.m., 4 views

CVE-2014-10391

The wp-support-plus-responsive-ticket-system plugin before 4.1 for WordPress has JavaScript injection...

CVSS: 6.1, AI score: 6.7, EPSS: 0.0019
Exploits: 0, References: 1