PT-2024-18436 · WordPress · Brizy

Name of the Vulnerable Software and Affected Versions: Brizy – Page Builder plugin for WordPress versions up to, and including, 2.4.44 Description: The issue allows authenticated attackers with contributor access and above to modify the content of arbitrary published posts due to a missing...

CVE-2024-6740

Openfind's Mail2000 does not properly validate email atachments, allowing unauthenticated remote attackers to inject JavaScript code within the attachment and perform Stored Cross-site scripting attacks...

IBM Datacap Navigator 安全漏洞

IBM Datacap Navigator is a Web client for Datacap from International Business Machines IBM. A cross-site scripting vulnerability exists in IBM Datacap Navigator, which can be exploited by an attacker to embed arbitrary JavaScript code in the Web UI...

PT-2024-37838 · Aguardnet Technology · Aguardnet Technology'S Space Management System

Name of the Vulnerable Software and Affected Versions: AguardNet Technology's Space Management System affected versions not specified Description: The issue is related to improper filtering of user input, allowing remote attackers with regular privileges to inject JavaScript and perform Reflected...

PT-2024-37836 · Openfind · Openfind Mail2000

Name of the Vulnerable Software and Affected Versions: Openfind Mail2000 affected versions not specified Description: The issue allows unauthenticated remote attackers to inject JavaScript code within email attachments, resulting in Stored Cross-site scripting attacks, due to improper validation ...

CVE-2024-40690

IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 29772...

PT-2024-28986 · Ibm · Ibm Infosphere Server

Name of the Vulnerable Software and Affected Versions: IBM InfoSphere Server version 11.7 Description: The issue allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted...

CVE-2024-6035

A Stored Cross-Site Scripting XSS vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser...

CVE-2024-6035 Stored XSS in gaizhenbiao/chuanhuchatgpt

A Stored Cross-Site Scripting XSS vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240410. This vulnerability allows an attacker to inject malicious JavaScript code into the chat history file. When a victim uploads this file, the malicious script is executed in the victim's browser...

PT-2024-37660

Name of the Vulnerable Software and Affected Versions bootstrap affected versions not specified Description A security issue has been discovered that could enable Cross-Site Scripting XSS attacks. The issue is associated with the data-loading-text attribute within the button plugin. This can be...

Polyfill.io Supply Chain Attack: Malicious JavaScript Injection Puts Over 100k Websites At Risk

Polyfill.io helps web developers achieve cross-browser compatibility by automatically managing necessary polyfills. By adding a script tag to their HTML, developers can ensure that features like JavaScript functions, HTML5 elements, and various APIs work across different browsers. Originally...

IBM Cloud Pak for Business Automation 跨站脚本漏洞

IBM Cloud Pak for Business Automation is a modular set of integrated software components from International Business Machines IBM, built for any hybrid cloud, designed to automate work and accelerate business growth. IBM Cloud Pak for Business Automation suffers from a cross-site scripting...

CVE-2024-6427

Uncontrolled Resource Consumption vulnerability in MESbook 20221021.03 version. An unauthenticated remote attacker can use the "message" parameter to inject a payload with dangerous JavaScript code, causing the application to loop requests on itself, which could lead to resource consumption and...

Cross Site Scripting(XSS)

Flowise is vulnerable to Cross Site ScriptingXSS. The vulnerability is caused due to improper handling of user input in the /api/v1/chatflows-streaming/id endpoint, which allows an attacker to craft a URL that injects Javascript into user sessions, potentially stealing information, creating false...

Cross-Site Scripting

flowise is vulnerable to reflected cross-site scripting XSS. The vulnerability is due to improper sanitization in the /api/v1/public-chatflows/id endpoint when a chatflow ID is not found, causing its value to be reflected in the 404 page with type text/html. Attackers can exploit this by crafting...

Cross-Site Scripting (XSS)

flowise is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient input sanitization in the /api/v1/credentials/id endpoint, which reflects user input back in the 404 page as HTML. This allows attackers to craft a URL that injects JavaScript into user sessions, enabling...

PT-2024-37619 · Mesbook · Mesbook

Name of the Vulnerable Software and Affected Versions: MESbook version 202221021.03 Description: The issue is related to an Uncontrolled Resource Consumption vulnerability. An unauthenticated remote attacker can use the message parameter to inject a payload with dangerous JavaScript code, causing...

Web Application using Malicious polyfill.io CDN (HTTP)

This script reports if a web page of the remote host is integrating JavaScript .js files hosted on the malicious polyfill.io CDN or any affiliated domain provided by the same new owner. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources,...

CVE-2024-37146 GHSL-2023-248: Flowise xss in /api/v1/credentials/id

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craf...

CVE-2024-36992

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200 and 9.1.2308.207, a low-privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through a View that could result in execution of unauthoriz...