155 matches found
Cross-site Scripting (XSS) - Stored in getgrav/grav
Description Grav is vulnerable to stored XSS. It is possible to use instead of : in tags. Proof of Concept Payload: HTML CLICK HERE 1: Edit a page containing the payload as a low-privileged user. 2: Open the target page and click on CLICK HERE. PoC video. Impact This vulnerability is capable of executing...
EulerOS 2.0 SP5 : python-lxml (EulerOS-SA-2021-2517)
According to the versions of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms argument...
EulerOS 2.0 SP8 : python-lxml (EulerOS-SA-2021-2483)
According to the versions of the python-lxml packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms...
EulerOS 2.0 SP2 : python-lxml (EulerOS-SA-2021-2431)
According to the version of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different...
U.S. Dept Of Defense: Open Akamai ARL XSS on http://master-config-████████
The Open Akamai ARL on http://master-config-████████ was found to be vulnerable to a Reflected Cross Site Scripting XSS vulnerability. The vulnerability was discovered in the "what" and "where" parameters of the search functionality. The vulnerability allowed the execution of arbitrary JavaScript...
Cross site request forgery (csrf)
A Cross Site Request Forgery (CSRF) vulnerability exists in EyouCMS 1.3.6 that can be used to add an .htm page executing JS code via login.php?m=admin&c=Filemanager&a=newfile&lang=cn...
Cross-site Scripting (XSS) - Stored in kalcaddle/kodexplorer
✍️ Description XSS via SVG file upload. 🕵️♂️ Proof of Concept Upload an SVG file carrying an XSS payload and open it in the browser: alert(document.domain); 💥 Impact Custom JS code execution embedded within the SVG file...
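The kodexplorer entry above is the classic SVG-upload case: an SVG is an XML document that browsers render as a page when opened directly, so a script element, an event-handler attribute or a javascript: link inside it runs in the hosting origin. The check below, added here as an example and not kodexplorer's code, walks an uploaded SVG with the standard library and reports every construct that would execute script; the sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Element names (local part, lower-cased) that carry or host script in an SVG.
ACTIVE_ELEMENTS = frozenset({"script", "foreignobject"})
# Attributes that take a URL and may therefore carry a javascript: scheme.
URL_ATTRIBUTES = frozenset({"href"})


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return [(element, reason), ...] for every script-bearing construct.

    Raises xml.etree.ElementTree.ParseError on malformed input; callers that
    accept uploads should treat a parse failure as a rejection too.
    """
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append((tag, "active element"))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                # onload, onclick, onbegin ... all run inline script
                findings.append((tag, f"event handler {name}"))
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                # <a href="javascript:..."> and <a xlink:href="javascript:...">
                findings.append((tag, "javascript: href"))
    return findings


def is_safe_svg(svg_bytes):
    """True only if the document parses and contains no active content."""
    try:
        return not find_active_content(svg_bytes)
    except ET.ParseError:
        return False


# Constructed samples for this example: one weaponised, one benign.
SVG_XSS = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">'
    b"<script>alert(document.domain)</script>"
    b'<a xlink:href="javascript:alert(1)"><text y="10">x</text></a>'
    b"</svg>"
)
SVG_BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

if __name__ == "__main__":
    for name, doc in (("xss", SVG_XSS), ("benign", SVG_BENIGN)):
        print(name, is_safe_svg(doc), find_active_content(doc))
```

Rejecting at upload time is only half the fix: files that are stored anyway should be served with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, or from a separate origin, so that even an SVG that slips past the check cannot run in the application's origin.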
OTRS Cross-Site Scripting Vulnerability (CNVD-2021-57225)
OTRS is an application developed by the German company OTRS AG. A cross-site scripting vulnerability exists in OTRS Time Accounting: malicious JS code can be injected into specific fields on the project creation screen. No details of the vulnerability are currently available...
CVE-2021-21442
CVE-2021-21442 describes a cross-site scripting (XSS) vulnerability in OTRS Time Accounting. The issue allows injecting malicious JavaScript into fields on the project creation screen, with potential execution in the Reporting screen. Affected product: OTRS Time Accounting 7.0.x prior to 7.0.19. ...
Medium: python-lxml
Issue Overview: A Cross-site Scripting XSS vulnerability was found in the python-lxml's clean module. The module's parser did not properly imitate browsers, causing different behaviors between the sanitizer and the user's page. This flaw allows a remote attacker to run arbitrary HTML/JS code. The...
Cross-site Scripting (XSS) - Stored in livehelperchat/fbmessenger
✍️ Description The Facebook notifications of the livehelperchat fbmessenger extension can be modified when listing new notifications. The template is used incorrectly, resulting in client-side template injection (CSTI) that leads to stored XSS. 🕵️♂️ Proof of Concept Install the livechat Install fbmessenger extension...
MGASA-2021-0246 Updated python-lxml packages fix a security vulnerability
An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
Updated python-lxml packages fix a security vulnerability
An XSS vulnerability was discovered in python-lxml’s clean module versions before 4.6.3. When disabling the safeattrsonly and forms arguments, the Cleaner class does not remove the formaction attribute allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run...
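The python-lxml entries above describe one mechanism: a Cleaner whose URL checks cover href, src and action but not formaction, so once `safe_attrs_only` and `forms` are both disabled the attribute survives and `<button formaction="javascript:...">` runs on click. The sanitizer below is a stand-in written for this page with the standard library's html.parser, not lxml's Cleaner; its `safe_attrs_only` and `forms` parameters mirror lxml's names, but the allowlists, the `url_attrs` parameter and the stripping logic are assumptions of the example. It shows the weak configuration leaving the attribute in place and the hardened one (formaction added to the URL-checked set) removing it.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example. URL_ATTRS deliberately lacks
# "formaction", modelling the gap the advisories describe.
SAFE_ATTRS = frozenset({"href", "src", "alt", "title", "class", "type", "value", "name"})
FORM_TAGS = frozenset({"form", "button", "input", "select", "textarea"})
DROPPED_TAGS = frozenset({"script", "style"})   # removed together with their content
URL_ATTRS = frozenset({"href", "src", "action"})
JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*javascript\s*:", re.IGNORECASE)


class _Sanitizer(HTMLParser):
    def __init__(self, *, safe_attrs_only, forms, url_attrs):
        super().__init__(convert_charrefs=True)
        self.safe_attrs_only = safe_attrs_only
        self.forms = forms
        self.url_attrs = url_attrs
        self.out = []
        self.skip = 0  # > 0 while inside a dropped element such as <script>

    def _keep(self, name, value):
        if name.startswith("on"):                          # inline event handlers
            return False
        if self.safe_attrs_only and name not in SAFE_ATTRS:
            return False
        if name in self.url_attrs and JS_SCHEME.match(value):  # javascript: URLs
            return False
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_TAGS:
            self.skip += 1
            return
        if self.skip or (self.forms and tag in FORM_TAGS):
            return
        kept = "".join(
            f' {n}="{escape(v, quote=True)}"'
            for n, v in attrs if v is not None and self._keep(n, v)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_TAGS:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or (self.forms and tag in FORM_TAGS):
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(html, *, safe_attrs_only=True, forms=True, url_attrs=URL_ATTRS):
    """Re-serialise `html`, keeping only what the configuration allows."""
    parser = _Sanitizer(safe_attrs_only=safe_attrs_only, forms=forms, url_attrs=url_attrs)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def survives_formaction(html):
    """True if a javascript: formaction is still present after sanitising."""
    return re.search(r'formaction="javascript', html, re.IGNORECASE) is not None


# Constructed payload of the kind the advisories describe.
PAYLOAD = '<button formaction="javascript:alert(document.domain)">CLICK HERE</button>'
HARDENED_URL_ATTRS = URL_ATTRS | {"formaction"}

if __name__ == "__main__":
    print(sanitize(PAYLOAD))                                        # defaults: form controls removed
    print(sanitize(PAYLOAD, safe_attrs_only=False, forms=False))    # weak config: bypass
    print(sanitize(PAYLOAD, safe_attrs_only=False, forms=False,
                   url_attrs=HARDENED_URL_ATTRS))                   # hardened: formaction dropped
```

The general lesson is that every attribute a browser treats as a URL (formaction, but also poster, background, srcset and the SVG href variants) must be on the URL-checked list, and that relaxing a sanitizer's defaults should be paired with a regression test such as the one the weak configuration fails here.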
CVE-2020-35971
A stored XSS vulnerability was found in YzmCMS v5.8, which attackers can use to inject JS code and mount XSS attacks via the /admin/system_manage/user_config_edit.html page...
CVE-2020-35971
CVE-2020-35971 concerns a stored XSS in YzmCMS v5.8 affecting the page /admin/system_manage/user_config_edit.html . The vulnerability allows attackers to inject JavaScript/HTML, implying persistent script execution via stored payloads. The connected CNVD/CNNVD records describe a cross-site scrip...
GHSA-PXCF-V868-M492 Injection and Cross-site Scripting in osm-static-maps
This affects all versions of package osm-static-maps under 3.9.0. User input given to the package is passed directly to a template without escaping ... . As such, an attacker can inject arbitrary HTML/JS code which, depending on the context, will be output as HTML on the...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
✍️ Description forkcms is vulnerable to XSS through image name editing. 🕵️♂️ Proof of Concept 1. With an authenticated user, access http://localhost/private/en/medialibrary/mediaitemindex. 2. Click on New media. 3. Upload any image and then click on Back to overview. 4. With the image...
MTN Group: Cross-site Scripting (XSS) - Reflected on https://api.mtn.sd/carbon/admin/login.jsp via `msgId` parameter - CVE-2020-17453
A reflected cross-site scripting XSS vulnerability was discovered in the msgId parameter of the login page at https://api.mtn.sd/carbon/admin/login.jsp. This vulnerability allowed an attacker to execute arbitrary JavaScript code in the context of the vulnerable page...
MTN Group: Cross-site Scripting (XSS) - Reflected on http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via `callback` parameter
A reflected cross-site scripting (XSS) vulnerability was found on the website http://callertunez.mtn.com.gh/wap/noauth/sharedetail.ftl via the "callback" parameter. The vulnerability allowed the execution of arbitrary JavaScript code...
EulerOS 2.0 SP5 : python-lxml (EulerOS-SA-2021-1701)
According to the version of the python-lxml package installed, the EulerOS installation on the remote host is affected by the following vulnerability : - An XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different...