
155 matches found

AlpineLinux
added 2020/12/03 4:39 p.m., 60 views

CVE-2020-27783

An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code...

CVSS 6.1, AI score 6.8, EPSS 0.01246
Exploits 1
Hacker One
added 2020/11/24 2:25 p.m., 133 views

Glassdoor: Reflected XSS at https://www.glassdoor.com/ via the 'numSuggestions' parameter

Hi there, I have found an XSS vulnerability at: https://www.glassdoor.com/ via parameter: numSuggestions. Summary: Affected Parameter: numSuggestions. Browsers tested: Firefox, Chrome, Edge latest version. Steps To Reproduce: Go to:...

AI score 2.8
Exploits 0
NVD
added 2020/10/20 11:15 a.m., 10 views

CVE-2020-7749

This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ... . As such, it is possible for an attacker to inject arbitrary HTML/JS code and, depending on the context, it will be output as HTML on the page, which...

CVSS 7.6, EPSS 0.00477
Exploits 1, References 3
Cvelist
added 2020/10/20 10:25 a.m., 12 views

CVE-2020-7749 Server-side Request Forgery (SSRF)

This affects all versions of package osm-static-maps. User input given to the package is passed directly to a template without escaping ... . As such, it is possible for an attacker to inject arbitrary HTML/JS code and, depending on the context, it will be output as HTML on the page, which...

CVSS 7.6, AI score 7.3, EPSS 0.00477
Exploits 1, References 3
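The unescaped-template pattern that the two CVE-2020-7749 entries above describe, shown as an added example in JavaScript. This is not osm-static-maps code: the tiny Mustache-style renderer, the `attribution` variable, both templates and the attacker payload are constructed here for illustration.

```javascript
// Added example (not osm-static-maps code): a minimal Mustache-style renderer
// that emits {{{name}}} verbatim and {{name}} HTML-escaped. The templates, the
// "attribution" variable and the payload below are constructed for the demo.

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// One pass over the template: triple braces interpolate raw, double braces escape.
function render(template, vars) {
  return template.replace(
    /\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g,
    (_, rawKey, escKey) =>
      rawKey !== undefined ? String(vars[rawKey] ?? "") : escapeHtml(vars[escKey] ?? "")
  );
}

// Attacker-controlled value, e.g. taken from a query-string parameter.
const payload = '<img src=x onerror="alert(1)">';

// Vulnerable: the value lands in the document as markup.
const vulnerableTemplate = '<div class="attribution">{{{attribution}}}</div>';
// Hardened: the value lands in the document as text.
const hardenedTemplate = '<div class="attribution">{{attribution}}</div>';

function renderVulnerable(input) {
  return render(vulnerableTemplate, { attribution: input });
}

function renderHardened(input) {
  return render(hardenedTemplate, { attribution: input });
}

// Quick triage check over rendered output: did the input survive verbatim and
// introduce an element carrying an inline event handler?
function introducesMarkup(html, input) {
  return html.includes(input) && /<\w+[^>]*\son\w+\s*=/i.test(html);
}

console.log(renderVulnerable(payload)); // <div class="attribution"><img src=x onerror="alert(1)"></div>
console.log(renderHardened(payload));   // <div class="attribution">&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</div>
console.log(introducesMarkup(renderVulnerable(payload), payload)); // true
console.log(introducesMarkup(renderHardened(payload), payload));   // false
```

Escaping fixes the text-context case shown here; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead. The Cvelist entry above files the same CVE as SSRF: when the rendered HTML is loaded by a server-side browser rather than by a visitor's, the same injection point lets injected markup issue requests from the server.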
Hacker One
added 2020/10/16 7:19 p.m., 15 views

U.S. Dept Of Defense: Reflected XSS on https://████/ (Bypass of #1002977)

Hello DoD team, Third time's a charm :- I really cannot explain what is going on with this ██████████ website. You just locked the report so I can't comment there, but it seems it works right now and I have proof of a video with a time stamp. I am talking about 1002977, I hope you will see this fast...

Exploits 0
Hacker One
added 2020/06/09 2:17 p.m., 20 views

Shopify: xss on polaris.shopify.com/demo using postMessage

Description: it's possible to run arbitrary JS code using https://polaris.shopify.com/demo + postMessage. The following code is from this file, which was formatted using prettier. Demo component line 381 uses addEventListener to listen for message events; line 401: js componentDidMount...

AI score 0.3
Exploits 0
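The `message`-listener pattern behind the Shopify report above, shown as an added example that is not Polaris code. The allowlisted origin `https://app.example`, the `set-theme` message vocabulary and the attacker origin are assumptions made for the demo; the handlers take a plain `{origin, data}` object so the comparison runs outside a browser.

```javascript
// Added example (not Shopify/Polaris code): a postMessage listener that trusts
// every sender versus one that verifies event.origin and the message shape.
// The allowlisted origin, message types and attacker origin are assumptions.

const TRUSTED_ORIGINS = new Set(["https://app.example"]); // assumed allowlist
const ALLOWED_THEMES = new Set(["light", "dark"]);

// Vulnerable: no origin check, and the payload is treated as code. Any window
// holding a reference to this one (opener, parent frame, a tab it opened) can
// call postMessage({code: "..."}, "*") and have it executed in this origin.
function vulnerableHandler(event) {
  const msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  if (msg && typeof msg.code === "string") {
    return new Function(msg.code)(); // sender-supplied JavaScript runs here
  }
  return undefined;
}

// Common broken fix: substring matching lets https://app.example.attacker.example through.
function naiveOriginCheck(origin) {
  return origin.includes("app.example");
}

// Correct check: exact match against the allowlist (scheme, host and port).
function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// Hardened: exact-match origin check, a fixed message vocabulary, and the
// payload is used only as data (a theme name), never as code or HTML.
function hardenedHandler(event) {
  if (!strictOriginCheck(event.origin)) return { ok: false, reason: "untrusted origin" };
  const msg = event.data;
  if (!msg || typeof msg !== "object") return { ok: false, reason: "unexpected payload shape" };
  if (msg.type !== "set-theme" || !ALLOWED_THEMES.has(msg.theme)) {
    return { ok: false, reason: "unknown message" };
  }
  return { ok: true, theme: msg.theme };
}

// Constructed events; in a browser these arrive via window.addEventListener("message", ...).
const attackerEvent = { origin: "https://attacker.example", data: { code: "return 'attacker code ran'" } };
const legitimateEvent = { origin: "https://app.example", data: { type: "set-theme", theme: "dark" } };

console.log("vulnerable:", vulnerableHandler(attackerEvent)); // attacker code ran
console.log("hardened  :", hardenedHandler(attackerEvent));   // { ok: false, reason: 'untrusted origin' }
console.log("hardened  :", hardenedHandler(legitimateEvent)); // { ok: true, theme: 'dark' }
console.log("naive check bypass:", naiveOriginCheck("https://app.example.attacker.example")); // true
```

The browser sets `event.origin` and the sender cannot forge it, so an exact-match comparison is the reliable gate; prefix or substring checks are a recurring bypass. When the page replies, it should pass an explicit `targetOrigin` to `postMessage` rather than `"*"`, so its own data is not delivered to an attacker-controlled frame.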
Hacker One
added 2020/05/08 11:43 a.m., 125 views

DuckDuckGo: DOM XSS on duckduckgo.com search

Hello, There is a DOM XSS vulnerability on https://duckduckgo.com search through the norw parameter. PoC URL: https://duckduckgo.com/?q=a&norw=" Screenshot: F820482 Impact: The attacker can execute JS code...

AI score 0.5
Exploits 0
NVD
added 2020/02/04 8:15 p.m., 12 views

CVE-2020-8115

A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older version...

CVSS 6.1, AI score 6.4, EPSS 0.50902
Exploits 1, References 2
Prion
added 2020/02/04 8:15 p.m., 15 views

Cross site scripting

A reflected XSS vulnerability has been discovered in the publicly accessible afr.php delivery script of Revive Adserver <= 5.0.3 by Jacopo Tediosi. There are currently no known exploits: the session identifier cannot be accessed as it is stored in an http-only cookie as of v3.2.2. On older version...

CVSS 4.3, AI score 6.3, EPSS 0.50902
Exploits 1, References 2, Affected Software 1
Hacker One
added 2019/11/09 10:23 a.m., 66 views

OWOX, Inc.: The URL in "Choose a data source" at "https://bi.owox.com/ui/settings/connected-services/setup/" is not filtered => reflected XSS.

Hi team, This is another report alongside 732987, because it is completely independent. Detail -- In the process of selecting the data source at https://bi.owox.com/ui/settings/connected-services/setup/, I found a reflected XSS. Specifically, when you click on Google Analytics, a page will appear for y...

AI score 6.2
Exploits 0
Hacker One
added 2019/11/09 7:09 a.m., 70 views

OWOX, Inc.: Reflected XSS

Hi team, I have found an XSS at https://bi.owox.com/ui/6177527534dc114eb07fa829e4ce4d28/dashboard/?trial=activated. Because the input is not properly filtered, XSS is executed. Vulnerable area: ----- 6177527534dc114eb07fa829e4ce4d28 The URL will now be:...

AI score 6.2
Exploits 0
Hacker One
added 2019/04/08 9:45 a.m., 36 views

Starbucks: Reflected XSS in https://www.starbucks.com/account/create/redeem/MCP131XSR via xtl_amount, xtl_coupon_code, xtl_amount_type parameters

Hi, Summary: Reflected XSS. Description: the parameters are complementary to each other. Platforms Affected: my browser, Firefox 52.7.3. Steps To Reproduce: 1. go to https://www.starbucks.com/account/create/redeem/MCP131XSR?xtlcouponcode=1&xtlcouponcode=81431&xtlamount=0.0&xtlamounttype=DOLLARVALUE 1...

AI score 1.3
Exploits 0
Debian CVE
added 2019/02/04 7:00 p.m., 23 views

CVE-2019-7340

POST - Cross Site Scripting XSS exists in ZoneMinder through 1.32.3, allowing an attacker to execute HTML or JavaScript code via a vulnerable 'filter[Query][terms][0][val]' parameter value in the view filter filter.php because proper filtration is omitted...

CVSS 6.1, AI score 2.1, EPSS 0.00262
Exploits 1
CVE
added 2018/06/26 4:00 p.m., 43 views

CVE-2018-1000513

LimeSurvey 3.0.0-beta.3+17110 contains an XSS in Boxes that can execute JavaScript in admin sessions. The vulnerability arises from the program failing to filter the Destination parameter and could be exploited remotely; it is stated to be fixed in 3.6.x. Connected sources corroborate the XSS imp...

CVSS 4.8, AI score 5.3, EPSS 0.00458
Exploits 1, References 1, Affected Software 1
Cvelist
added 2018/06/26 4:00 p.m., 15 views

CVE-2018-1000513

LimeSurvey version 3.0.0-beta.3+17110 contains a Cross Site Scripting XSS vulnerability in Boxes that can result in JS code execution against LimeSurvey admins. This vulnerability appears to have been fixed in 3.6.x...

AI score 5.3, EPSS 0.00458
Exploits 1, References 1
OSV
added 2018/04/18 7:29 p.m., 15 views

CVE-2018-1325

In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display...

CVSS 6.1, AI score 6.6
Exploits 0, References 1
Cvelist
added 2018/04/18 7:00 p.m., 11 views

CVE-2018-1325

In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display...

AI score 6.3, EPSS 0.0024
Exploits 0, References 1
Prion
added 2018/03/12 1:29 p.m., 17 views

Design/Logic Flaw

In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor...

CVSS 4.3, AI score 6.3, EPSS 0.0024
Exploits 0, References 2, Affected Software 1
OSV
added 2018/03/12 1:29 p.m., 14 views

CVE-2017-15719

In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor...

CVSS 6.1, AI score 6.6, EPSS 0.0024
Exploits 0, References 2
NVD
added 2018/03/12 1:29 p.m., 11 views

CVE-2017-15719

In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M8 and earlier, a security issue has been discovered in the WYSIWYG editor that allows an attacker to submit arbitrary JS code to WYSIWYG editor...

CVSS 6.1, AI score 6.4, EPSS 0.0024
Exploits 0, References 2