
5092 matches found

OSV
added 2024/06/06 7:16 p.m. · 17 views

CVE-2024-5478

A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint /auth/saml/${org?.id}/metadata of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the orgId parameter supplied by the user before incorporating it into the...

6.1 CVSS · 6.1 AI score
Exploits: 0 · References: 1

CVE
added 2024/06/06 6:20 p.m. · 59 views

CVE-2024-5478

CVE-2024-5478 affects lunary-ai/lunary v1.2.7. Root cause: user-supplied orgId is embedded directly into XML/SAML metadata without proper escaping/validation, enabling XSS via the /auth/saml/${org?.id}/metadata endpoint. Impact: potential theft of user cookies or authentication tokens through inj...

7.4 CVSS · 6.2 AI score · 0.00347 EPSS
Exploits: 1 · References: 1 · Affected Software: 1

SUSE CVE
added 2024/06/04 12:29 p.m. · 2 views

SUSE CVE-2023-40030

Cargo downloads a Rust project's dependencies and compiles the project. Starting in Rust 1.60.0 and prior to 1.72, Cargo did not escape Cargo feature names when including them in the report generated by cargo build --timings. A malicious package included as a dependency may inject nearly arbitrar...

6.1 CVSS · 7 AI score · 0.00846 EPSS
Exploits: 0 · References: 6

UbuntuCve
added 2024/06/03 3:15 p.m. · 12 views

CVE-2024-36123

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page MediaWiki:Tagline has its contents used unescaped, so custom HTML including Javascript can be injected by someone with the ability to edit the MediaWiki namespace typically those with the editinterface...

6.5 CVSS · 5.9 AI score · 0.00472 EPSS
Exploits: 1 · References: 6

OSV
added 2024/06/03 3:15 p.m. · 2 views

UBUNTU-CVE-2024-36123

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page MediaWiki:Tagline has its contents used unescaped, so custom HTML including Javascript can be injected by someone with the ability to edit the MediaWiki namespace typically those with the editinterface...

6.5 CVSS · 5.8 AI score · 0.00472 EPSS
Exploits: 1 · References: 7

Positive Technologies
added 2024/05/23 12:0 a.m. · 2 views

PT-2024-40096 · Microsoft · Internet Explorer

Name of the Vulnerable Software and Affected Versions: Silverstripe versions prior to a fixed version (affected versions not specified)
Description: The issue affects Internet Explorer browsers, where requests do not encode all entities in the URL string. As a result, when rewriting hashlinks,...

6.1 CVSS · 7 AI score
Exploits: 0 · References: 6

CNNVD
added 2024/05/20 12:0 a.m. · 39 views

Wiki.js security vulnerability

Wiki.js is a suite of open source Wiki software from the Requarks.io team based on Node.js and written in the JavaScript language. A security vulnerability exists in Wiki.js versions prior to 2.5.303, which stems from a vulnerability that allows an attacker to inject malicious JavaScript into the...

7.1 CVSS · 6.4 AI score · 0.00395 EPSS
Exploits: 0 · References: 3

CNNVD
added 2024/05/14 12:0 a.m. · 4 views

SAP NetWeaver Application Server cross-site scripting vulnerability

SAP NetWeaver Application Server is an application server from SAP, Germany. A cross-site scripting vulnerability exists in SAP NetWeaver Application Server ABAP Platform, which stems from a lack of input validation and output encoding of untrusted data, and can be exploited by an unauthenticated...

6.1 CVSS · 6.3 AI score · 0.00404 EPSS
Exploits: 0 · References: 5

Positive Technologies
added 2024/05/13 12:0 a.m. · 6 views

PT-2024-25692 · Mantisbt · Mantisbt

Name of the Vulnerable Software and Affected Versions: MantisBT versions prior to 2.26.2
Description: The issue is related to improper escaping of a custom field's name, allowing an attacker to inject HTML and potentially execute arbitrary JavaScript when certain conditions are met, such as...

6.6 CVSS · 7.4 AI score · 0.00642 EPSS
Exploits: 0 · References: 10

The Hacker News
added 2024/05/07 10:42 a.m. · 9 views

New Case Study: The Malicious Comment

How safe is your comments section? Discover how a seemingly innocent 'thank you' comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. Read the full real-life case study here. When is a 'Thank you' not a 'Thank you'? When it's a...

6.8 AI score
Exploits: 0

NVD
added 2024/05/01 4:15 a.m. · 14 views

CVE-2024-28979

Dell OpenManage Enterprise, versions 4.1.0 and older, contains an Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection...

5.1 CVSS · 5 AI score · 0.00257 EPSS
Exploits: 0 · References: 1

Cvelist
added 2024/05/01 4:3 a.m. · 19 views

CVE-2024-28979

Dell OpenManage Enterprise, versions 4.1.0 and older, contains an Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection...

5.1 CVSS · 5.2 AI score · 0.00257 EPSS
Exploits: 0 · References: 1

CVE
added 2024/05/01 4:3 a.m. · 61 views

CVE-2024-28979

Dell OpenManage Enterprise (Dell EMC) before 4.1.0 is affected by an improper neutralization of input during web page generation (Cross-site Scripting). The vulnerability arises from insufficient input filtering/escaping in the web UI, enabling a high-privilege remote attacker to inject scripts v...

5.1 CVSS · 5.2 AI score · 0.00257 EPSS
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2024/04/30 12:0 a.m. · 4 views

PT-2024-41445 · Ооо "Вебсофт Девелопмент" · Websoft Hcm

A vulnerability in the Websoft HCM HR process automation software is related to a failure to take measures to protect the structure of the web page. Exploitation of the vulnerability may allow a remote attacker to conduct a cross-site scripting (XSS) attack by injecting a specially crafted...

2.6 CVSS · 6.9 AI score
Exploits: 0 · References: 2

Positive Technologies
added 2024/04/28 12:0 a.m. · 4 views

PT-2024-30256 · Unknown · Super 8 Live Chat

Name of the Vulnerable Software and Affected Versions: Super 8 Live Chat (affected versions not specified)
Description: The issue allows unauthenticated remote attackers to insert JavaScript code into the chat box due to a failure to properly filter user input. When the message recipient views the...

6.1 CVSS · 6.5 AI score · 0.00425 EPSS
Exploits: 0 · References: 4

Positive Technologies
added 2024/04/22 12:0 a.m. · 4 views

PT-2024-3189 · Ibm · Ibm Cloud Pak For Security +1

Name of the Vulnerable Software and Affected Versions: IBM QRadar Suite Software versions 1.10.12.0 through 1.10.19.0; IBM Cloud Pak for Security versions 1.10.0.0 through 1.10.11.0
Description: The issue is related to stored cross-site scripting, allowing users to embed arbitrary JavaScript code ...

5.5 CVSS · 5.9 AI score · 0.00303 EPSS
Exploits: 0 · References: 10

BDU FSTEC
added 2024/04/16 12:0 a.m. · 4 views

The vulnerability of the CMS system Netcat, related to the manipulation of inter-site requests, allows a hacker to inject arbitrary JavaScript code.

The vulnerability of the CMS system Netcat is related to the manipulation of inter-site requests. Exploiting this vulnerability allows a malicious actor to inject arbitrary JavaScript code remotely...

7.5 CVSS · 5.6 AI score
Exploits: 0 · Affected Software: 1

Positive Technologies
added 2024/04/12 12:0 a.m. · 2 views

PT-2024-13476 · Ibm · Ibm Sterling File Gateway

Name of the Vulnerable Software and Affected Versions: IBM Sterling File Gateway versions 6.0.0.0 through 6.0.3.9; IBM Sterling File Gateway versions 6.1.0.0 through 6.1.2.3; IBM Sterling File Gateway version 6.2.0.0
Description: This issue allows users to embed arbitrary JavaScript code in the Web...

5.4 CVSS · 7.3 AI score · 0.00319 EPSS
Exploits: 0 · References: 5

NVD
added 2024/04/10 5:15 p.m. · 11 views

CVE-2024-1602

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within t...

8.8 CVSS · 8.3 AI score · 0.00724 EPSS
Exploits: 1 · References: 1

Cvelist
added 2024/04/10 5:8 p.m. · 19 views

CVE-2024-3570 Stored XSS leading to Admin Account Takeover in mintplex-labs/anything-llm

A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to...

3.8 AI score · 0.00313 EPSS
Exploits: 1 · References: 2