59096 matches found
CVE-2023-53928 PHPFusion 9.10.30 Stored Cross-Site Scripting via File Manager Upload
PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session...
CVE-2023-53927
The CVE-2023-53927 issue affects PHPJabbers Simple CMS 5.0. It is a stored cross-site scripting vulnerability in the section name parameter, allowing authenticated attackers to insert JavaScript payloads that execute when administrators view sections. The risk is described as client-side code exe...
CVE-2023-53925 UliCMS 2023.1 Stored Cross-Site Scripting via SVG File Upload
UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files through the file management interface that execute arbitrary scripts when viewed by other users...
CVE-2023-53906
CVE-2023-53906 (projectSend r1605) is a stored cross-site scripting vulnerability where authenticated administrators can inject JavaScript via the custom assets configuration page. A payload placed in the custom assets section executes when other users load the affected page, enabling persistent ...
CVE-2025-68401
ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser stored XSS. In affected contexts...
CVE-2025-65233
Reflected cross-site scripting XSS in SLiMS slims9bulian before 9.6.0 via improper handling of $SERVER'PHPSELF' in index.php/sysconfig.inc.php, which allows remote attackers to execute arbitrary JavaScript in a victim's browser by supplying a crafted URL path...
CVE-2023-53895
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account,...
CLSA-2025-1765986482 webkit2gtk3: Fix of 4 CVEs
CVE-2025-13502: fix out of bounds read and integer underflow by adding bounds checking and validating message delimiters - CVE-2025-43430: fix bbq jit compiler writing to wrong stack slots in wasm try/catch blocks - CVE-2025-43421: fix memory handling issues that cause unexpected process crashes...
CVE-2025-43529
A flaw was found in webkitgtk where when processing a maliciously crafted web content a use-after-free type of weaknesses may be triggered leading to a remote code execution in the client machine. Mitigation To mitigate this issue, avoid processing untrusted web content. Additionally, disabling t...
Security update for MozillaFirefox
This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.6.0 ESR bsc1254551. MFSA 2025-94 CVE-2025-14321: use-after-free in the WebRTC: Signaling component. CVE-2025-14322: sandbox escape due to incorrect boundary conditions in the Graphics:...
SUSE-SU-2025:4424-1 Security update for MozillaFirefox
This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.6.0 ESR bsc1254551. - MFSA 2025-94 CVE-2025-14321: use-after-free in the WebRTC: Signaling component. CVE-2025-14322: sandbox escape due to incorrect boundary conditions in the Graphics:...
Security Bulletin: IBM watsonx Orchestrate Developer Edition is vulnerable to Cross-site Scripting due to serialize-javascript
Summary serialize-javascript is used by IBM watsonx Orchestrate Developer Edition as part of wxo-chat image Vulnerability Details CVEID:CVE-2024-11831 DESCRIPTION: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly...
CVE-2025-14284
A flaw was found in @tiptap/extension-link. This vulnerability allows an attacker to execute arbitrary JavaScript JS code via unsanitized user input when setting or toggling links, by injecting a javascript: Uniform Resource Locator URL payload. Mitigation Mitigation for this issue is either not...
CVE-2025-67641
Jenkins Coverage Plugin 2.3054.ve1ff7baa123b and earlier does not validate the configured coverage results ID when creating coverage results, only when submitting the job configuration through the UI, allowing attackers with Item/Configure permission to use a javascript: scheme URL as identifier ...
SUSE CVE-2017-18871
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3.4, and 4.2.2. It allows attackers to cause a denial of service application crash via an @ character before a JavaScript field name...
ChurchCRM 跨站脚本漏洞
ChurchCRM is an open source church management system. ChurchCRM suffers from a cross-site scripting vulnerability that stems from insufficient cleanup and coding when storing user-entered HTML/JS, which can be exploited by an attacker to execute arbitrary Web script or HTML by injecting a crafted...
PT-2025-51949
Name of the Vulnerable Software and Affected Versions Textpattern CMS version 4.8.8 Description Textpattern CMS contains a stored cross-site scripting issue in the article excerpt field. Authenticated users can inject malicious scripts into the excerpt. When an article is viewed by other users, t...
UliCMS 跨站脚本漏洞
UliCMS is a content management system CMS open source by UliCMS. The system supports features such as access control and WYSIWYG editing. A cross-site scripting vulnerability exists in UliCMS version 2023.1, which stems from the fact that an attacker can upload a malicious SVG file with embedded...
PT-2025-51966
Name of the Vulnerable Software and Affected Versions PHPFusion version 9.10.30 Description The software contains a stored cross-site scripting issue in the file manager. Attackers can upload malicious SVG files containing embedded JavaScript. These files, when viewed, can execute arbitrary...
PT-2025-51981
Name of the Vulnerable Software and Affected Versions affected versions not specified Description A flaw exists in the file upload process within the bookmark and asset rendering pipeline. An attacker can upload a malicious SVG file containing JavaScript code. When an authenticated administrator...