5941 matches found

OSV
Added 2019/10/11 6:41 p.m. | 23 views

GHSA-G6WW-2X43-H963 Cross-site scripting in Apache JSPWiki

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victi...

CVSS 6.1 | AI score 6 | EPSS 0.02885
Exploits: 0 | References: 2
Github Security Blog
Added 2019/10/11 6:41 p.m. | 35 views

Cross-site scripting in Apache JSPWiki

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the plain editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victi...

CVSS 6.1 | AI score 4.1 | EPSS 0.02885
Exploits: 0 | References: 3 | Affected software: 1
Symantec
Added 2019/10/09 12:00 a.m. | 19 views

Cobham EXPLORER 710 Multiple Security Vulnerabilities

Description: Cobham EXPLORER 710 is prone to multiple security vulnerabilities:
1. Multiple security weaknesses
2. Multiple access-bypass vulnerabilities
3. An information-disclosure vulnerability
4. An arbitrary file upload vulnerability
An attacker may exploit these issues to perform certain...

AI score 7.8
Exploits: 0 | References: 1 | Affected software: 1
Symantec
Added 2019/10/08 12:00 a.m. | 82 views

SAP Customer Relationship Management CVE-2019-0368 Cross Site Scripting Vulnerability

Description: SAP Customer Relationship Management (CRM) is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the...

EPSS 0.00526
Exploits: 0 | References: 1 | Affected software: 2
Node.js
Added 2019/10/04 6:51 p.m. | 36 views

Cross-Site Scripting

Overview: Versions of @novnc/novnc prior to 0.6.2 are vulnerable to Cross-Site Scripting (XSS). The package fails to validate input from the remote VNC server, such as the VNC server name. This allows an attacker in control of the remote server to execute arbitrary JavaScript in the noVNC web page. I...

CVSS 4.3 | AI score 4.6 | EPSS 0.0481
Exploits: 1 | Affected software: 1
exploitpack
Added 2019/10/01 12:00 a.m. | 49 views

WebKit - Universal XSS in WebCore::command

WebKit - Universal XSS in WebCore::command
    frame = document->frame();
    if (!frame || frame->document() != document) // 1
        return Editor::Command();
    document->updateStyleIfNeeded(); // 2
    return frame->editor().command(commandName, userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM);
bool...

AI score 6.5
Exploits: 0
Cvelist
Added 2019/09/23 3:40 p.m. | 40 views

CVE-2019-12407

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the remember parameter on some of the JSPs, which could allow the attacker to execute javascript in the victim's browser and get some sensitive...

AI score 6 | EPSS 0.02913
Exploits: 0 | References: 1
OSV
Added 2019/09/23 3:15 p.m. | 25 views

CVE-2019-10089

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the WYSIWYG editor, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the...

CVSS 6.1 | AI score 5.9 | EPSS 0.02898
Exploits: 0 | References: 1
Prion
Added 2019/09/23 3:15 p.m. | 17 views

Information disclosure

On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Page Revision History, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about...

CVSS 4.3 | AI score 6 | EPSS 0.02913
Exploits: 0 | References: 1 | Affected software: 1
NVD
Added 2019/09/09 2:15 p.m. | 13 views

CVE-2019-10670

An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these...

CVSS 6.1 | AI score 6.2 | EPSS 0.00818
Exploits: 1 | References: 1
CVE
Added 2019/09/09 1:07 p.m. | 48 views

CVE-2019-10670

CVE-2019-10670 affects LibreNMS (up to at least 1.47) due to improper filtering in several scripts using mysqli_escape_real_string, which is ineffective for user input in HTML/JavaScript contexts. This can lead to attacker-controlled JavaScript execution in the affected web interface (notably in ...

CVSS 6.1 | AI score 6.2 | EPSS 0.00818
Exploits: 1 | References: 1 | Affected software: 1
Cvelist
Added 2019/09/09 1:07 p.m. | 19 views

CVE-2019-10670

An issue was discovered in LibreNMS through 1.47. Many of the scripts rely on the function mysqli_escape_real_string for filtering data. However, this is particularly ineffective when returning user supplied input in an HTML or a JavaScript context, resulting in unsafe data being injected into these...

AI score 6.2 | EPSS 0.00818
Exploits: 1 | References: 1
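The three CVE-2019-10670 entries above all turn on one point: escaping for a SQL string literal (the function the advisory refers to is PHP's mysqli_real_escape_string) does nothing for a value that is later echoed into HTML or into an inline script. The following JavaScript is an added example, not LibreNMS code and not code from any advisory on this page; the sqlEscape emulation, the two encoders, the table-cell and inline-script sinks, and the payload strings are all constructed for illustration.

```javascript
// Added example, not LibreNMS code or code from any advisory above: why
// SQL-literal escaping (PHP's mysqli_real_escape_string) does not neutralize
// a value that is later echoed into HTML or into a JavaScript string.

// Emulates mysqli_real_escape_string: backslash-escape only the characters
// that matter to a SQL string literal (NUL, \n, \r, \, ', ", Ctrl-Z).
function sqlEscape(s) {
  return s.replace(/[\0\n\r\\'"\x1a]/g, (c) => {
    switch (c) {
      case "\0":   return "\\0";
      case "\n":   return "\\n";
      case "\r":   return "\\r";
      case "\x1a": return "\\Z";
      default:     return "\\" + c; // backslash, single quote, double quote
    }
  });
}

// Encoder for an HTML text or quoted-attribute context (htmlspecialchars-like).
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string-literal context: every non-alphanumeric
// character becomes \xHH / \uHHHH, so the value can neither close the quote
// nor terminate the enclosing <script> element.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// Constructed attacker-controlled values (think: a device hostname that was
// stored in the database). Neither contains a quote or a backslash, so
// sqlEscape() returns them unchanged.
const HTML_PAYLOAD = "<img src=x onerror=alert(document.cookie)>";
const JS_PAYLOAD = "</script><script>alert(1)</script>";

// Two sinks modelled on the advisory: a table cell and an inline script.
function renderHtml(escaper, value) {
  return "<td>" + escaper(value) + "</td>";
}
function renderJs(escaper, value) {
  return '<script>var hostname = "' + escaper(value) + '";</script>';
}

// Grading heuristics: an injected active element in the HTML sink, or more
// than one closing </script> in the JS sink (the value ended the script
// block early and started its own).
function hasInjectedTag(html) {
  return /<\s*(script|img|svg|iframe)\b/i.test(html);
}
function scriptBreakout(html) {
  return (html.match(/<\/script>/gi) || []).length > 1;
}

function htmlContextXss(escaper) {
  return hasInjectedTag(renderHtml(escaper, HTML_PAYLOAD));
}
function jsContextXss(escaper) {
  return scriptBreakout(renderJs(escaper, JS_PAYLOAD));
}

// Stand-alone run: the SQL escaper is fine for SQL but fails both web sinks.
console.log("sqlEscape on a SQL quote :", sqlEscape("' OR 1=1 --"));
console.log("HTML sink, sqlEscape     :", htmlContextXss(sqlEscape));      // true
console.log("HTML sink, htmlEncode    :", htmlContextXss(htmlEncode));     // false
console.log("JS sink, sqlEscape       :", jsContextXss(sqlEscape));        // true
console.log("JS sink, jsStringEncode  :", jsContextXss(jsStringEncode));   // false
```

Note that a quote-based JS payload such as `";alert(1)//` would be turned into `\";alert(1)//` by sqlEscape and happen to stay inside the string literal, which is why this kind of misuse often looks safe in a quick test; the `</script>` payload above bypasses it regardless, because the HTML parser ends the script element before the JavaScript parser ever sees the backslash. The rule the advisory implies is to encode for the output context (HTML, attribute, JS string, URL) at the point of output, not to reuse the database escaper.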
CNVD
Added 2019/09/04 12:00 a.m. | 3 views

Lenovo XClarity Administrator Cross-Site Scripting Vulnerability (CNVD-2019-34807)

Lenovo XClarity Administrator (LXCA) is a centralized resource management solution from Lenovo, China. The product is capable of providing agentless hardware management for servers, storage, network switches, and more. A cross-site scripting vulnerability exists in Lenovo XClarity Administrator. An...

CVSS 4.8 | AI score 6.5 | EPSS 0.0065
Exploits: 0 | References: 1
OSV
Added 2019/09/03 7:15 p.m. | 1 view

CVE-2019-6181

A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself...

CVSS 6.1 | AI score 6.5 | EPSS 0.00823
Exploits: 0 | References: 1
BDU FSTEC
Added 2019/08/20 12:00 a.m. | 1 view

The vulnerability of the `defaults` function in the Lodash library allows an attacker to trigger a service failure, execute arbitrary JavaScript code, or increase their privileges.

The vulnerability of the defaults function in the Lodash library is related to insufficient validation of input data. Exploiting this vulnerability can allow an attacker to cause service failures, execute arbitrary JavaScript code, or escalate their privileges...

CVSS 9.8 | AI score 8.1 | EPSS 0.05006
Exploits: 2 | References: 7 | Affected software: 2
0day.today
Added 2019/08/12 12:00 a.m. | 54 views

WebKit - UXSS via XSLT and Nested Document Replacements Exploit

VULNERABILITY DETAILS
https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cpp#L66
Ref<Document> XSLTProcessor::createDocumentFromSource(const String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Node* sourceNode, Frame* frame)
Ref...

CVSS 6.1 | AI score 0.2 | EPSS 0.04558
Exploits: 2
Exploit DB
Added 2019/08/12 12:00 a.m. | 100 views

WebKit - UXSS via XSLT and Nested Document Replacements

VULNERABILITY DETAILS
https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/xml/XSLTProcessor.cpp#L66
Ref<Document> XSLTProcessor::createDocumentFromSource(const String& sourceString, const String& sourceEncoding, const String& sourceMIMEType, Node* sourceNode, Frame* frame)
Ref...

AI score 7.4
Exploits: 0
NVD
Added 2019/08/08 2:15 a.m. | 19 views

CVE-2019-14770

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...

CVSS 6.1 | AI score 6.2 | EPSS 0.00793
Exploits: 0 | References: 1
Prion
Added 2019/08/08 2:15 a.m. | 11 views

Sql injection

In Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3, some menu links within the administration bar may be crafted to execute JavaScript when the administrator is logged in and uses the search functionality. This issue is mitigated by the attacker needing permissions to create...

CVSS 4.3 | AI score 6.3 | EPSS 0.00793
Exploits: 0 | References: 1 | Affected software: 1
CVE
Added 2019/08/08 1:36 a.m. | 93 views

CVE-2019-14770

CVE-2019-14770 affects Backdrop CMS 1.12.x before 1.12.8 and 1.13.x before 1.13.3. An attacker who can create administrative menu links (roles with such permissions) can craft menu links in the admin bar to execute JavaScript when an administrator using the search function is logged in. The root ...

CVSS 6.1 | AI score 6.2 | EPSS 0.00793
Exploits: 0 | References: 1 | Affected software: 1