PT-2024-31396 · Collabora · Collabora Online
Name of the Vulnerable Software and Affected Versions: Collabora Online versions for mobile devices Android/iOS Description: Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile device variants, it was possible to inject JavaScript via URL encoded...
CVE-2024-45046
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker...
CVE-2024-45046 PhpSpreadsheet HTML writer is vulnerable to Cross-Site Scripting via style information
PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. In affected versions \PhpOffice\PhpSpreadsheet\Writer\Html doesn't sanitize spreadsheet styling information such as font names, allowing an attacker to inject arbitrary JavaScript on the page. As a result an attacker...
PT-2024-31397 · Phpoffice · Phpspreadsheet
Name of the Vulnerable Software and Affected Versions: PHPSpreadsheet versions prior to 2.1.0 Description: The issue concerns the \PhpOffice\PhpSpreadsheet\Writer\Html component, which fails to sanitize spreadsheet styling information, such as font names. This allows an attacker to inject arbitrary...
[SECURITY] [DLA 3856-1] python-html-sanitizer security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-3856-1 [email protected] https://www.debian.org/lts/security/ Chris Lamb August 26, 2024 https://wiki.debian.org/LTS -...
CVE-2024-41845 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
CVE-2024-41843 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting XSS vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page...
SMSEagle Security Vulnerability
SMSEagle is a specialized hardware SMS gateway software for sending and receiving SMS messages from SMSEagle, Inc. A security vulnerability exists in SMSEagle version 6.0 that stems from the application not properly cleaning user input from SMS messages in the inbox, leading to a stored cross-sit...
CVE-2024-37392
CVE-2024-37392 describes a stored XSS in SMSEagle prior to version 6.0. The issue stems from improper sanitization of user input in SMS messages stored in the inbox, allowing injected JavaScript to execute when a message is viewed in the web-GUI. Impact is a client-side script execution risk with...
CVE-2024-40111
CVE-2024-40111 describes a stored XSS in Automad 2.0.0-alpha.4. The vulnerability lets an attacker inject JavaScript into the template body which is saved by the flat-file CMS and executed in the browser of any user visiting the page (e.g., forum). Practical impact stated across sources includes ...
Learning with Texts Security Vulnerability
Learning with Texts LWT is a software application by the individual developer Jon Gauthier. It allows users to import text, read, save, view and test words and expressions in multiple languages. A security vulnerability exists in Learning with Texts version 2.0.3, which stems from not filtering...
CVE-2024-41572
Learning with Texts LWT 2.0.3 is vulnerable to Cross Site Scripting XSS. The application has a specific function that does not filter special characters in URL parameters. Remote attackers can inject JavaScript code without authorization. Exploiting this vulnerability, attackers can steal user...
PT-2024-12097 · Xiaomi · Xiaomigetapps
Name of the Vulnerable Software and Affected Versions: XiaomiGetApps affected versions not specified Description: A code execution vulnerability exists in the XiaomiGetApps application product, caused by the verification logic being bypassed. An attacker can exploit this vulnerability to execute...
CVE-2024-43396
Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in...
CVE-2024-43400 XWiki Platform allows XSS through XClass name in string properties
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. Thi...
CVE-2024-6533
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with...
PT-2024-29558 · Ibm · Ibm Common Licensing
Name of the Vulnerable Software and Affected Versions: IBM Common Licensing version 9.0 Description: This issue allows a privileged user to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session...
Acronis: Potential XSS in redirect_url Parameter
The summary is as follows: A vulnerability was identified on https://learn.acronis.com/ in the redirecturl parameter, where arbitrary JavaScript code could be injected. By manipulating the redirectUrl parameter, an attacker could execute JavaScript code on the victim's browser...
CVE-2024-33536
An issue was discovered in Zimbra Collaboration ZCS 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading...
CVE-2024-21550
SteVe is an open platform that implements different versions of the OCPP protocol for Electric Vehicle charge points, acting as a central server for management of registered charge points. Attackers can inject arbitrary HTML and JavaScript code via WebSockets leading to persistent Cross-Site...