890 matches found
CVE-2024-12870
A stored cross-site scripting XSS vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch cec2080. The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' conten...
CVE-2024-9699
A vulnerability in the file upload functionality of the FlatPress CMS admin panel version latest allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting XSS attack if the uploaded file is accessed by other users. The issue is...
CVE-2024-9699
A vulnerability in the file upload functionality of the FlatPress CMS admin panel version latest allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting XSS attack if the uploaded file is accessed by other users. The issue is...
CVE-2024-9699 Cross-Site Scripting (XSS) in flatpressblog/flatpress
A vulnerability in the file upload functionality of the FlatPress CMS admin panel version latest allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting XSS attack if the uploaded file is accessed by other users. The issue is...
CVE-2024-9699
CVE-2024-9699 affects FlatPress CMS: the file-upload feature in the admin panel allows a JavaScript payload masquerading as a filename, enabling Cross-Site Scripting when the uploaded file is accessed. The issue is described for the default/“latest” release and is stated to be fixed in version 1....
FlatPress 跨站脚本漏洞
FlatPress is a lightweight, easy-to-setup flat file blogging engine from the FlatPress open source. A cross-site scripting vulnerability exists in FlatPress, which stems from a JavaScript payload masquerading as a filename in the file upload function, which could lead to a cross-site scripting...
CVE-2025-26659
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting XSS vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the...
CVE-2025-26659 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to DOM-basedCross-Site Scripting XSS vulnerability. This allows an attacker with no privileges, to craft a malicious web message that exploits WEBGUI functionality. On successful exploitation, the...
CVE-2025-0054
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web...
CVE-2025-0054 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web...
CVE-2025-0054
CVE-2025-0054 describes a stored cross-site scripting vulnerability in SAP NetWeaver Application Server Java caused by insufficient input handling. Attackers with basic user privileges can store a JavaScript payload on the server, which may be executed in other users’ browsers when affected pages...
CVE-2025-0054 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a Javascript payload on the server, which could be later executed in the victim's web...
CVE-2025-1175
Reflected Cross-Site Scripting XSS vulnerability in Kelio Visio 1, Kelio Visio X7 and Kelio Visio X4, in versions between 3.2C and 5.1K. This vulnerability could allow an attacker to execute a JavaScript payload by making a POST request and injecting malicious code into the editable ‘username’...
CVE-2025-1175 Cross-Site Scripting (XSS) vulnerability in Kelio Visio
Reflected Cross-Site Scripting XSS vulnerability in Kelio Visio 1, Kelio Visio X7 and Kelio Visio X4, in versions between 3.2C and 5.1K. This vulnerability could allow an attacker to execute a JavaScript payload by making a POST request and injecting malicious code into the editable ‘username’...
CVE-2025-1175
The vulnerability CVE-2025-1175 is a Reflected Cross-Site Scripting (XSS) in Kelio Visio 1, Kelio Visio X7, and Kelio Visio X4, affecting versions 3.2C through 5.1K. The issue occurs in the editable ‘username’ parameter of the endpoint "/PageLoginVisio.do" and can be triggered by a POST request t...
CVE-2025-1076
A Stored Cross-Site Scripting Stored XSS vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality...
CVE-2025-1076
A Stored Cross-Site Scripting Stored XSS vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality...
CVE-2025-1076 Stored Cross-Site Scripting vulnerability in Holded
A Stored Cross-Site Scripting Stored XSS vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality...
CVE-2025-1076 Stored Cross-Site Scripting vulnerability in Holded
A Stored Cross-Site Scripting Stored XSS vulnerability has been found in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within the editable ‘name’ and ‘icon’ parameters of the Activities functionality...
CVE-2025-1076
CVE-2025-1076 describes a Stored XSS vulnerability in Holded’s application, affecting the editable name and icon fields within the Activities feature. The root cause is storing a JavaScript payload in those parameters, enabling an attacker to inject script via standard input fields. The issue is ...