IBM Content Navigator Cross-Site Scripting Vulnerability (CNVD-2021-32636)

IBM Content Navigator is a Web client from IBM USA. The product supports searching and processing documents stored in content servers from a Web browser. A cross-site scripting vulnerability exists in IBM Content Navigator version 3.0.CD. An attacker can exploit the vulnerability to embed arbitra...

CVE-2021-24205

In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget includes/widgets/icon-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a modifi...

BaserCMS JavaScript Input Improper Neutralization Vulnerability (CNVD-2021-23789)

BaserCMS is an open source enterprise-level content management system cms. A JavaScript Input Improper Neutralization vulnerability exists in the page editing feature in BaserCMS versions prior to 4.4.5. A remote authenticated attacker can exploit this vulnerability to inject arbitrary scripts...

CVE-2021-29009

SEO Panel 4.8.0 is affected by a cross-site scripting (XSS) vulnerability. The issue arises in archive.php via the type parameter, allowing remote attackers to inject JavaScript. Documented impact includes partial integrity and low confidentiality impact with network attack vector and user intera...

Sticky Notes Apps Using JavaScript 1.0 Cross Site Scripting Vulnerability

Exploit Title: Sticky Note Apps using JavaScript | Stored Cross Site Scripting Exploit Author: Richard Jones Vendor Homepage: https://www.sourcecodester.com/javascript/14742/sticky-note-apps-using-javascript-source-code.html Software Link:...

Prototype Pollution

Overview set-deep-prop is a Set the value of a deeply nested object or array Affected versions of this package are vulnerable to Prototype Pollution via the main functionality. PoC const setDeepProp = require'set-deep-prop'; setDeepProp,'proto', 'x', 'polluted'; console.log.a; // polluted Details...

Prototype Pollution

Overview tree-kit is a Tree utilities which provides a full-featured extend and object-cloning facility, and various tools to deal with nested object structures. Affected versions of this package are vulnerable to Prototype Pollution via dotPath.set. PoC: const dotPath = require'tree-kit'...

Cross-Site Scripting (XSS)

vrana/adminer is vulnerable to Cross-Site Scripting XSS. The vulnerability exists due to unsanitized history parameter allowing an attacker to inject malicious javascript code...

Authentication flaw

An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to extract information from the device without authentication by disabling JavaScript and visiting /info.asp...

Microsoft Edge 安全漏洞

Microsoft Edge is a web browser from the American company Microsoft that comes with systems after Windows 10. A security feature bypass vulnerability exists in Microsoft Edge Chromium, which can be exploited by an attacker who can run code by copying and pasting Microsoft Edge Chromium's Javascri...

Prototype Pollution

Overview rfc6902 is a Complete implementation of RFC6902 patch and diff Affected versions of this package are vulnerable to Prototype Pollution. It may allow attackers to inject or modify the methods and properties of the global object constructor. PoC // poc.js var rfc6902 = require"rfc6902" var...

Prototype Pollution

Overview prototyped.js is a Common typescript ready prototypes available in both es5 and es6 Affected versions of this package are vulnerable to Prototype Pollution. PoC const set = require"prototyped.js/dist/object/set".default; console.log"Prototype before set", .isAdmin; set, "proto.isAdmin",...

SUSE-SU-2021:0246-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 78.7.0 ESR MFSA 2021-04, bsc1181414 CVE-2021-23953: Fixed a Cross-origin information leakage via redirected PDF requests CVE-2021-23954: Fixed a type confusion when using logical assignment operators in...

Wing FTP Cross-Site Scripting Vulnerability

Wing FTP Server is a cross-platform FTP server software. A cross-site scripting vulnerability exists in Wing FTP version 6.4.4, where an arbitrary IFRAME element can be included in a help page via a specially crafted link, which can be exploited by an attacker to execute sandbox arbitrary HTML an...

PT-2020-18228 · Ibm · Ibm Content Navigator +1

Name of the Vulnerable Software and Affected Versions: IBM FileNet Content Manager and IBM Content Navigator version 3.0.CD Description: The issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure...

Prototype Pollution

Overview Affected versions of this package are vulnerable to Prototype Pollution. The vulnerability is in the extend function. PoC const decal = require'decal'; console.log'Before:', .polluted; const o = JSON.parse'"proto":"polluted":"1"'; decal.extend, true, o; console.log'After:', .polluted;...

Stripo Inc: Non-revoked API Key Disclosure in a Disclosed API Key Disclosure Report on Stripo

Summary: Can you imagine discovering an API key disclosure vulnerability in a disclosed API key disclosure report? The same thing is what I came across while going through the disclosed reports at Stripo Inc. Plus, the disclosed API key isn't even revoked, and therefore I am still able to use the...

U.S. Dept Of Defense: hardcoded password stored in javascript of https://████.mil

Summary: I have discovered a cleartext password stored within a javascript. This password allows me to authentication to https://█████.mil. Description: I have discovered a cleartext password stored within a javascript. This password allows me to authentication to https://███████.mil. To confirm...

Prototype Pollution

Overview doc-path is an A document path library for Node Affected versions of this package are vulnerable to Prototype Pollution. PoC javascript const path = require'doc-path'; let obj = ; console.log"Before : " + obj.polluted; path.setPath, 'proto.polluted', "yes"; console.log"After : " +...

0x0.icu.anima (=0.1.0), 1.1.0 (=1.0.0) +15458 more potentially affected by CVE-2020-7660 via serialize-javascript (>=1.0.0 <=3.0.0)

serialize-javascript NPM version =1.0.0, =6.2.0, =0.1.0, =0.0.1, =2.0.0, =0.1.0, =1.0.1, =0.1.0, =0.24.0, =0.29.0 and more Source cves: CVE-2020-7660 Source advisory: OSV:GHSA-HXCC-F52P-WC94...