CVE-2018-2485

It is possible for a malicious application or malware to execute JavaScript in a SAP Fiori application. This can include reading and writing of information and calling device specific JavaScript APIs in the application. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues a...

CVE-2018-2485

The CVE-2018-2485 entry relates to SAP Fiori Client where a malicious app can cause the SAP Fiori app to execute JavaScript, enabling reading/writing information and invoking device JS APIs. Connected documents indicate SAP Fiori Client version 1.11.5 in Google Play addresses these issues, and us...

CVE-2018-16474

CVE-2018-16474 concerns the Node.js module tianma-static . Concrete details show that all versions up to 1.0.4 are vulnerable to a stored XSS if an attacker can control the name of a file served by the module. Affected condition: filenames unsanitized, enabling arbitrary JavaScript execution when...

fat_free_crm gem XSS vulnerability via query parameter

FatFreeCRM version =0.15.0 =0.16.0 =0.17.0 =0.17.2, ==0.18.0 contains a Cross Site Scripting XSS vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. This attack appear to be exploitable via Content with Javascript payload will be executed on e...

Advantech WebAccess Cross-Site Scripting Vulnerability (CNVD-2018-21798)

Advantech WebAccess is a set of HMI/SCADA software from Advantech based on browser architecture. The software supports dynamic graphic display and real-time data control, and provides remote control and management of automation equipment. A cross-site scripting vulnerability exists in Advantech...

F5 BIG-IP Cross-Site Scripting Vulnerability (CNVD-2019-01909)

F5 BIG-IP is an all-in-one network device from F5 USA that integrates network traffic management, application security management, load balancing and other functions. A cross-site scripting vulnerability exists in the Configuration utility page in F5 BIG-IP versions 13.0.0-13.1.1.1 and...

ADB Epicentro Code Injection Vulnerability

ADB Epicentro is a set of firmware used in ADB gateway and router devices from ADB Switzerland. A code injection vulnerability exists in the 'form Language' parameter of the /ui/login page in ADB Epicentro version E7.3.2+, which can be exploited to execute JavaScript code by tricking a user into...

GHSA-8P5P-FF7X-HW7Q Cross-Site Scripting in public

Versions of public prior to 0.1.4 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation Upgrade to version 0.1.4 or later...

Cross-Site Scripting in public

Versions of public prior to 0.1.4 are vulnerable to Cross-Site Scripting XSS. The package fails to sanitize filenames, allowing attackers to execute arbitrary JavaScript in the victim's browser through files with names containing malicious code. Recommendation Upgrade to version 0.1.4 or later...

CVE-2018-7633

Code injection in the /ui/login form Language parameter in Epicentro E7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request...

CVE-2018-7633

Code injection in the /ui/login form Language parameter in Epicentro E7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request...

CVE-2018-1558

IBM Rational Collaborative Lifecycle Management 5.0 through 5.02 and 6.0 through 6.0.6 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure...

CVE-2018-9078

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the Content Explorer application grants users the ability to upload files to shares and this image was rendered in the browser in the device's origin instead of prompting to download the asset. The application does...

CVE-2018-10497

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Email Fixed in version 5.0.02.16. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists...

CVE-2018-10499

This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy Apps Fixed in version 6.4.0.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw...

MyBB Visual Editor 1.8.18 - Cross-Site Scripting

MyBB Visual Editor 1.8.18 - Cross-Site Scripting Title: MyBB Visual Editor 1.8.18 - Cross-Site Scripting Author: Numan OZDEMIR Vendor Homepage: mybb.com Software Link: https://mybb.com/download/ Version: Up to v1.8.18. Fixed in v1.8.19. PoC Video: https://numanozdemir.com/mybb/xss.mp4 CVE:...

BTITeam XBTIT cross-site scripting vulnerability (CNVD-2018-19430)

BTITeam XBTIT is an open source bittorrent tracking system. A cross-site scripting vulnerability exists in BTITeam XBTIT. Attackers can use the 'String.replace' function and 'eval' function to exploit the vulnerability to bypass the includes/crkprotection.php script of the anti-cross-site scripti...

NoSQL Injection

Overview Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the speci...

OWASP AntiSamy Cross-Site Scripting Vulnerability (CNVD-2018-16313)

OWASP AntiSamy is a library for HTML and CSS coding from the OWASP Foundation in the United States. A cross-site scripting vulnerability exists in the 'AntiSamy.scan' function in OWASP AntiSamy 1.5.7 and earlier versions, which stems from the program failing to filter HTML/HTML5 elements. A remot...

The vulnerability of the microprogramming software of the 4G LTE Light Industrial M2M Router (NWL-25) arises from the lack of measures taken to protect the website structure. This allows attackers to execute arbitrary JavaScript code in the user’s browser.

The vulnerability of the microprogrammed software of the 4G LTE Light Industrial M2M Router NWL-25 is related to the lack of measures taken to protect the website structure. Exploiting this vulnerability allows a malicious actor to execute arbitrary JavaScript code in the user’s browser remotely...