5962 matches found

Source: CNNVD
Added 2025/01/22 12:00 a.m.

Silverpeas Core Cross-Site Scripting Vulnerability

Silverpeas Core is an open source project from Silverpeas Open Source for building and running collaborative and social web portals. A cross-site scripting vulnerability exists in Silverpeas Core version 6.4.1. An attacker can exploit this vulnerability to execute arbitrary JavaScript code...

CVSS 5.4 · AI score 6.3 · EPSS 0.00295
Exploits: 1 · References: 2
Source: Vulnrichment
Added 2025/01/22 12:00 a.m.

CVE-2024-56923

Stored Cross-Site Scripting (XSS) vulnerability in the Categorization option of the My Subscriptions functionality in Silverpeas Core 6.3.1 <= 6.4.1 allows a remote attacker to execute arbitrary JavaScript code. This is achieved by injecting a malicious payload into the Name field of a subscription. The...

AI score 5.3 · EPSS 0.00295
Exploits: 1 · References: 1
Source: CVE
Added 2025/01/22 12:00 a.m.

CVE-2024-56924

CVE-2024-56924 affects Code Astro Internet Banking System 2.0.0. The vulnerability is a Cross-Site Request Forgery (CSRF) that can allow remote attackers to have an authenticated admin execute arbitrary JavaScript on the admin page (pages_account), potentially changing account settings or exfiltr...

CVSS 7.3 · AI score 7.9 · EPSS 0.00438
Exploits: 2 · References: 1 · Affected software: 1
Source: OSV
Added 2025/01/21 9:09 p.m.

GHSA-79XX-VF93-P7CX Cross-Site Scripting (XSS) vulnerability in generateNavigation() function in PhpSpreadsheet

Summary: The researcher discovered a zero-day Cross-Site Scripting (XSS) vulnerability in the code which translates an XLSX file into an HTML representation and displays it in the response. Details: When generating the HTML from an xlsx file containing multiple sheets, a navigation menu i...

CVSS 6.1 · AI score 6.1 · EPSS 0.00371
Exploits: 4 · References: 4
Source: Github Security Blog
Added 2025/01/21 8:10 p.m.

Authenticated Stored XSS in YesWiki

Authenticated Stored XSS in YesWiki. The quoted sink is `'<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$this->file") . '" class="btn btn-primary">' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>'`. The file name attribute is not properly sanitized when returned to the client, therefore allowing the execution of malicious...

CVSS 7.6 · AI score 5.5 · EPSS 0.00392
Exploits: 1 · References: 5 · Affected software: 1
Source: OSV
Added 2025/01/21 8:10 p.m.

GHSA-W59H-3X3Q-3P6J Authenticated Stored XSS in YesWiki

Authenticated Stored XSS in YesWiki. The quoted sink is `'<a href="' . $this->wiki->href('upload', $this->wiki->GetPageTag(), "file=$this->file") . '" class="btn btn-primary">' . _t('UPLOAD_FILE') . ' ' . $this->file . '</a>'`. The file name attribute is not properly sanitized when returned to the client, therefore allowing the execution of malicious...

CVSS 7.6 · AI score 7.2 · EPSS 0.00392
Exploits: 1 · References: 5
Source: NVD
Added 2025/01/20 2:15 a.m.

CVE-2025-0583

The a+HRD from aEnrich Technology has a Reflected Cross-Site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in a user's browser through phishing attacks...

CVSS 6.1 · EPSS 0.00401
Exploits: 0 · References: 2
Source: Cvelist
Added 2025/01/17 9:25 p.m.

CVE-2025-23207 \htmlData does not validate attribute names in KaTeX

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade t...

CVSS 6.3 · EPSS 0.00381
Exploits: 0 · References: 2
Source: Vulnrichment
Added 2025/01/17 9:25 p.m.

CVE-2025-23207 \htmlData does not validate attribute names in KaTeX

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade t...

CVSS 6.3 · AI score 6.3 · EPSS 0.00381
Exploits: 0 · References: 2
Source: Debian CVE
Added 2025/01/17 9:25 p.m.

CVE-2025-23207

KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Users are advised to upgrade t...

CVSS 7.2 · AI score 6.6 · EPSS 0.00381
Exploits: 0
Source: OSV
Added 2025/01/17 9:22 p.m.

GHSA-CG87-WMX4-V546 KaTeX \htmlData does not validate attribute names

Impact: KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Patches: Upgrade to KaTeX v0.16.21 to remove this vulnerability. Workarounds: Avoid use of or turn off the...

CVSS 6.3 · AI score 6.2 · EPSS 0.00381
Exploits: 0 · References: 4
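
Added example, not code from KaTeX or YesWiki: the two mechanisms behind the KaTeX \htmlData entries above and the YesWiki upload-link entries, modelled in plain JavaScript so both can be run side by side. The first pair of functions mimics a \htmlData{key=value}{content} emitter, once trusting the attribute name and once checking it against an allowlist; the second pair places a file name into an href and link text, once raw and once encoded for each context. The allowlist regex, function names and payloads are assumptions for illustration, not either project's own code, and the KaTeX fix in v0.16.21 may use a different rule.

```javascript
// Added example, not code from KaTeX or YesWiki. It models the two bugs in
// this listing: (1) a \htmlData-style emitter that writes an unvalidated
// attribute NAME into HTML, and (2) a file name concatenated into an href and
// link text without escaping. All names, regexes and payloads are illustrative.

// Allowlist for data-* attribute names. Assumption: a conservative subset of
// what HTML permits; KaTeX's actual rule in the fixed release may differ.
const ATTR_NAME_RE = /^[A-Za-z_][A-Za-z0-9_-]*$/;

// Escape a value for the double-quoted attribute context.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Escape a value for text content between tags.
function escapeText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// (1a) Vulnerable: the value is escaped, but the attribute name is trusted.
// A name containing '"' and spaces closes data-x early and smuggles in a
// brand-new onmouseover attribute that the browser will honour.
function renderDataAttrUnsafe(name, value, content) {
  return `<span data-${name}="${escapeAttr(value)}">${escapeText(content)}</span>`;
}

// (1b) Hardened: reject any name outside the allowlist before it reaches HTML.
// Throwing rather than silently dropping keeps the failure visible to the caller,
// the way a TeX parser reports bad input.
function renderDataAttrSafe(name, value, content) {
  if (!ATTR_NAME_RE.test(name)) {
    throw new Error(`invalid attribute name: ${JSON.stringify(name)}`);
  }
  return `<span data-${name}="${escapeAttr(value)}">${escapeText(content)}</span>`;
}

// (2a) Vulnerable: the file name goes raw into both the href and the label.
function renderUploadLinkUnsafe(file) {
  return `<a href="?upload&amp;file=${file}" class="btn btn-primary">Upload file ${file}</a>`;
}

// (2b) Hardened: URL-encode for the query string, then attribute-escape the
// href; text-escape the label. Each sink gets the encoding for its context.
function renderUploadLinkSafe(file) {
  const href = `?upload&amp;file=${escapeAttr(encodeURIComponent(file))}`;
  return `<a href="${href}" class="btn btn-primary">Upload file ${escapeText(file)}</a>`;
}

// Constructed payloads for the demonstration (not taken from any advisory).
const EVIL_NAME = 'x="1" onmouseover="alert(1)" y';
const EVIL_FILE = '"><img src=x onerror=alert(1)>';

// Crude detector used only here: a literal <img> tag carrying an onerror
// attribute. Escaped text (&lt;img ...) does not match, which is the point.
function hasLiveImgOnerror(html) {
  return /<img\b[^>]*\bonerror=/i.test(html);
}

// Run both variants of both sinks against the payloads and report.
function demo() {
  const out = {};
  out.unsafeData = renderDataAttrUnsafe(EVIL_NAME, "v", "x");
  try {
    renderDataAttrSafe(EVIL_NAME, "v", "x");
    out.safeDataRejected = false;
  } catch (e) {
    out.safeDataRejected = true;
  }
  out.unsafeLink = renderUploadLinkUnsafe(EVIL_FILE);
  out.safeLink = renderUploadLinkSafe(EVIL_FILE);
  out.unsafeLinkLive = hasLiveImgOnerror(out.unsafeLink);
  out.safeLinkLive = hasLiveImgOnerror(out.safeLink);
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The unsafe data-attribute output is `<span data-x="1" onmouseover="alert(1)" y="v">x</span>`: value escaping never sees the injected handler because it lives in the name. The same split applies to the YesWiki sink, where escaping the href alone would still leave the raw file name in the link text.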
Source: OSV
Added 2025/01/15 3:15 p.m.

CVE-2024-47140

A cross-site scripting (XSS) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker...

CVSS 5.4 · AI score 5.9 · EPSS 0.00693
Exploits: 1 · References: 2
Source: Cvelist
Added 2025/01/15 2:59 p.m.

CVE-2024-45061

A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP request can lead to arbitrary JavaScript code execution. An authenticated user would need to click a malicious link provided by the attacker...

CVSS 8.7 · EPSS 0.01095
Exploits: 1 · References: 1
Source: Positive Technologies
Added 2025/01/15 12:00 a.m.

PT-2025-7271 · Weeek

Name of the vulnerable software and affected versions: WEEEK (affected versions not specified). Description: The issue is related to the lack of protection for the web page structure in the WEEEK task and project management service. This could allow a remote attacker to execute arbitrary JavaScript...

CVSS 8.7 · AI score 7.7
Exploits: 0 · References: 1
Source: Talos
Added 2025/01/15 12:00 a.m.

Observium mapname cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2024-2092: Observium mapname cross-site scripting (XSS) vulnerability. January 15, 2025. CVE Number: CVE-2024-45061. SUMMARY: A cross-site scripting (XSS) vulnerability exists in the weather map editor functionality of Observium CE 24.4.13528. A specially crafted HTTP reque...

CVSS 8.7 · AI score 6.1 · EPSS 0.01095
Exploits: 1
Source: Talos
Added 2025/01/15 12:00 a.m.

Observium add_alert_check cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2024-2090: Observium add_alert_check cross-site scripting (XSS) vulnerability. January 15, 2025. CVE Number: CVE-2024-47140. SUMMARY: A cross-site scripting (XSS) vulnerability exists in the add_alert_check page of Observium CE 24.4.13528. A specially crafted HTTP request can...

CVSS 8.7 · AI score 6 · EPSS 0.00693
Exploits: 1
Source: Positive Technologies
Added 2025/01/14 12:00 a.m.

PT-2025-2922 · Rancher +1

Name of the vulnerable software and affected versions: Rancher versions 2.9.0 through 2.9.3. Description: A vulnerability in the Rancher UI allows a malicious actor to perform a Stored XSS attack through the cluster description field. This issue affects Rancher versions from 2.9.0 to 2.9.3. The...

CVSS 8.9 · AI score 7.3 · EPSS 0.0104
Exploits: 2 · References: 99
Source: Cvelist
Added 2025/01/13 7:56 p.m.

CVE-2025-22142 Cross-site Scripting in NamelessMC

NamelessMC is a free, easy-to-use and powerful website software for Minecraft servers. In affected versions an admin can add the ability to have users fill out an additional field, and users can inject JavaScript code into it that would be activated once a staffer visits the user's profile on staff...

CVSS 6.3 · EPSS 0.0027
Exploits: 1 · References: 2
Source: Positive Technologies
Added 2025/01/08 12:00 a.m.

PT-2025-7268 · Weeek

Name of the vulnerable software and affected versions: WEEEK (affected versions not specified). Description: The issue is related to the lack of protection for the web page structure in the WEEEK task and project management service. This could allow a remote attacker to execute arbitrary JavaScript...

CVSS 8.7 · AI score 7.5
Exploits: 0 · References: 1
Source: NVD
Added 2025/01/06 6:15 p.m.

CVE-2024-46073

A reflected Cross-Site Scripting (XSS) vulnerability exists in the login page of IceHRM v32.4.0.OS. The vulnerability is due to improper sanitization of the "next" parameter, which is included in the application's response without adequate escaping. An attacker can exploit this flaw by tricking a...

CVSS 6.1 · EPSS 0.00368
Exploits: 0 · References: 2