5946 matches found

Cvelist
added 2021/04/23 4:05 p.m. · 50 views

CVE-2019-25027 Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13

Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13) and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL...

CVSS 6.1 · AI score 6.2 · EPSS 0.00668
Exploits 0 · References 2
Cvelist
added 2021/04/22 12:05 a.m. · 18 views

CVE-2021-29467 Self-XSS

Wrongthink is an encrypted peer-to-peer chat program. A user could check their fingerprint into the service and enter a script to run arbitrary JavaScript on the site. No workarounds exist, but a patch exists in version 2.4.1...

CVSS 6.1 · AI score 6.5 · EPSS 0.00476
Exploits 1 · References 1
CVE
added 2021/04/22 12:05 a.m. · 34 views

CVE-2021-29467

CVE-2021-29467 affects the Wrongthink encrypted peer-to-peer chat program. The vulnerability allows a user to check their fingerprint into the service and enter a script to run arbitrary JavaScript on the site, indicating a cross-site scripting issue. The description notes no workarounds, and a p...

CVSS 6.1 · AI score 6.2 · EPSS 0.00476
Exploits 1 · References 1 · Affected Software 1
CNNVD
added 2021/04/21 12:00 a.m. · 3 views

Parabirb wrongthink cross-site scripting vulnerability

Parabirb wrongthink is an open source application from Parabirb. It provides an end-to-end encryption feature. A security vulnerability exists in Wrongthink version 2.4.1 that allows users to enter their fingerprint into the service and enter a script to run arbitrary JavaScript on the site...

CVSS 6.1 · AI score 6.4 · EPSS 0.00476
Exploits 1 · References 2
OSV
added 2021/04/19 4:15 p.m. · 1 view

CVE-2020-28141

The messaging subsystem in Online Discussion Forum 1.0 is vulnerable to XSS in the message body. An authenticated user can send messages to arbitrary users on the system that include JavaScript which will execute when the messages page is viewed...

CVSS 5.4 · AI score 6.2
Exploits 0 · References 1
Github Security Blog
added 2021/04/19 2:52 p.m. · 63 views

Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13

Missing output sanitization in the default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.10 (Vaadin 10.0.0 through 10.0.13) and 1.1.0 through 1.4.2 (Vaadin 11.0.0 through 13.0.5) allows an attacker to execute malicious JavaScript via a crafted URL. -...

CVSS 6.1 · AI score 4.4 · EPSS 0.00668
Exploits 0 · References 5 · Affected Software 1
Positive Technologies
added 2021/04/16 12:00 a.m. · 4 views

PT-2021-24349 · Unknown · Molecularfaces

Name of the Vulnerable Software and Affected Versions: MolecularFaces versions prior to 0.3.0. Description: The issue allows a remote attacker to execute arbitrary JavaScript in the context of a victim's browser via crafted molfiles. This is due to the viewer plugin implementation of rendering molfi...

CVSS 6.1 · AI score 6.5 · EPSS 0.00566
Exploits 0 · References 10
Vulnrichment
added 2021/04/15 1:54 p.m. · 10 views

CVE-2021-21087 ColdFusion Improper neutralization of web input during page generation could lead to arbitrary JavaScript execution in the browser

Adobe ColdFusion versions 2016 update 16 and earlier, 2018 update 10 and earlier, and 2021.0.0.323925 are affected by an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An attacker could abuse this vulnerability to execute arbitrary JavaScript code...

CVSS 5.4 · AI score 6 · EPSS 0.37095
Exploits 0 · References 1
Hacker One
added 2021/04/09 5:55 p.m. · 7 views

MTN Group: Cross-site Scripting (XSS) - Reflected on http://h1b4e.n2.ips.mtn.co.ug:8080 via Nginx-module

The cross-site scripting (XSS) vulnerability was discovered on http://h1b4e.n2.ips.mtn.co.ug:8080 via the Nginx module. The vulnerability allowed the injection of arbitrary JavaScript code through the URL, which could be executed in the victim's browser...

AI score 6.5
Exploits 0
CNVD
added 2021/04/09 12:00 a.m. · 9 views

Web-School ERP Cross-Site Scripting Vulnerability (CNVD-2021-28278)

Web-School ERP is a school management software for schools and educational organizations. A stored cross-site scripting vulnerability exists in the Activity Name and Description fields in Web-School ERP version 5.0. An attacker can exploit the vulnerability to inject and execute JavaScript code...

CVSS 5.4 · AI score 6 · EPSS 0.00734
Exploits 1 · References 1
CNNVD
added 2021/04/06 12:00 a.m. · 3 views

Python Bleach cross-site scripting vulnerability

Python Bleach is a Python-based HTML cleanup library. Python Bleach suffers from a cross-site scripting vulnerability that an attacker can exploit to run JavaScript code in the context of a website...

CVSS 6.1 · AI score 7.4 · EPSS 0.00483
Exploits 1 · References 8
NVD
added 2021/04/05 7:15 p.m. · 13 views

CVE-2021-24206

In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget includes/widgets/image-box.php accepts a ‘titlesize’ parameter. Although the element control lists a fixed set of possible HTML tags, it is possible for a user with Contributor or above permissions to send a...

CVSS 5.4 · EPSS 0.00746
Exploits 2 · References 2
OSV
added 2021/04/05 7:15 p.m. · 3 views

CVE-2021-24176

The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard...

CVSS 5.4 · AI score 5.9 · EPSS 0.02044
Exploits 2 · References 2
OSV
added 2021/04/05 7:15 p.m. · 11 views

CVE-2021-24201

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element includes/elements/column.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible HTML tags, it is possible for a user with Contributor or above permissions to send a modified...

CVSS 5.4 · AI score 6 · EPSS 0.00746
Exploits 2 · References 2
NVD
added 2021/04/05 7:15 p.m. · 18 views

CVE-2021-24202

In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget includes/widgets/heading.php accepts a ‘headersize’ parameter. Although the element control lists a fixed set of possible HTML tags, it is possible for a user with Contributor or above permissions to send a modifie...

CVSS 5.4 · EPSS 0.00746
Exploits 2 · References 2
Prion
added 2021/04/05 7:15 p.m. · 14 views

Design/Logic Flaw

In the Elementor Website Builder WordPress plugin before 3.1.4, the column element includes/elements/column.php accepts an ‘htmltag’ parameter. Although the element control lists a fixed set of possible HTML tags, it is possible for a user with Contributor or above permissions to send a...

CVSS 3.5 · AI score 5.5 · EPSS 0.00746
Exploits 2 · References 2 · Affected Software 1
Prion
added 2021/04/05 7:15 p.m. · 13 views

Design/Logic Flaw

In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget includes/widgets/heading.php accepts a ‘headersize’ parameter. Although the element control lists a fixed set of possible HTML tags, it is possible for a user with Contributor or above permissions to send a modifie...

CVSS 3.5 · AI score 5.5 · EPSS 0.00746
Exploits 2 · References 2 · Affected Software 1
CVE
added 2021/04/05 6:27 p.m. · 52 views

CVE-2021-24206

CVE-2021-24206 affects the Elementor Website Builder WordPress plugin prior to 3.1.4. The image box widget (image-box.php) accepts a title_size parameter that is not properly sanitized. An authenticated user with Contributor+ can submit a modified save_builder request containing JavaScript in tit...

CVSS 5.4 · AI score 5.4 · EPSS 0.00746
Exploits 2 · References 2 · Affected Software 1
CVE
added 2021/04/05 6:27 p.m. · 44 views

CVE-2021-24201

Vulnerability summary (CVE-2021-24201): In the Elementor Website Builder WordPress plugin prior to 3.1.4, the column element (includes/elements/column.php) accepts an html_tag parameter. A user with Contributor+ permissions can send a modified save_builder request containing JavaScript in html_ta...

CVSS 5.4 · AI score 5.4 · EPSS 0.00746
Exploits 2 · References 2 · Affected Software 1
NVD
added 2021/04/02 6:15 p.m. · 15 views

CVE-2021-1748

A validation issue was addressed with improved input sanitization. This issue is fixed in tvOS 14.4, watchOS 7.3, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted URL may lead to arbitrary JavaScript code execution...

CVSS 8.8 · EPSS 0.02738
Exploits 0 · References 3