5087 matches found
CVE-2023-29201
XWiki Commons (org.xwiki.commons:xwiki-commons-xml) is affected by an XSS vulnerability in the HTML cleaner’s restricted mode introduced in 4.2-milestone-1. The restricted mode only escaped [removed] and tags, but did not escape dangerous attributes or other HTML elements (e.g., iframe), enablin...
CVE-2023-29201 org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...
CVE-2023-29201 org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . ...
Easy!Appointments 跨站脚本漏洞
Easy!Appointments is a web-based appointment and schedule management system. A cross-site scripting vulnerability exists in versions prior to Easy!Appointments 1.5.0, which can be exploited by an attacker to perform javascript injection, cookie theft, install javascript malware and keyloggers, an...
GHSA-C885-89FW-55QR org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
Impact The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting XSS by specifying an RSS...
org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
Impact The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter content was set to true. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting XSS by specifying an RSS...
org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped and -tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like . As a consequence, any code relying on this "restricted" mode for security is...
CVE-2023-28341
Stored Cross site scripting XSS vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page...
CVE-2023-0546
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...
CVE-2023-0546
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...
CVE-2023-0546 FluentForms < 4.3.25 - Contributor+ Stored XSS via Custom HTML Form Field
The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in it's custom HTML field type, allowing a logged in user with roles as low as contributor to inject arbitrary javascript into a form which will trigger for any visitor to...
CVE-2023-0546
CVE-2023-0546 affects the Contact Form Plugin WordPress plugin (pre-4.3.25). The issue is stored XSS via improper sanitization/escaping of the srcdoc attribute in iframes within the plugin’s custom HTML field, enabling a logged-in user with Contributor+ privileges to inject arbitrary JavaScript t...
PT-2023-16352 · WordPress · Contact-Form-Plugin
Name of the Vulnerable Software and Affected Versions: Contact Form Plugin WordPress plugin versions prior to 4.3.25 Description: The issue allows a logged-in user with roles as low as contributor to inject arbitrary JavaScript into a form. This can be achieved by exploiting the improper...
Design/Logic Flaw
Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to...
UBUNTU-CVE-2023-24538
Templates do not properly consider backticks as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to...
Cross-Site Scripting (XSS)
pimcore/pimcore is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to a lack of user-input sanitization in the translationEditor.js, which allows an attacker to inject and execute arbitrary JavaScript into the system...
Cross-Site Scripting (XSS)
ckeditor4 is vulnerable to Cross-Site Scripting XSS attacks. A web page with missing Content Security Policy configuration, initializing the editor on an element other than as a base, allows an attacker to inject and execute malicious javascript on victim's browser...
LISTSERV 17 - Reflected Cross Site Scripting Vulnerability
Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting XSS Google Dork: inurl:/scripts/wa.exe Exploit Author: Shaunt Der-Grigorian Vendor Homepage: https://www.lsoft.com/ Software Link: https://www.lsoft.com/download/listserv.asp Version: 17 Tested on: Windows Server 2019 CVE : CVE-2022-3919...
CVE-2023-24839
HGiga MailSherlock’s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack...
Cross site scripting
HGiga MailSherlock’s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack...