12 matches found

EUVD
added 2025/10/07 12:30 a.m.

EUVD-2021-1124

Malware in sbrugna...

CVSS 6.1, AI score 6.2, EPSS 0.00187
Exploits: 1, References: 4
Veracode
added 2023/10/11 6:09 a.m.

Cross Site Scripting

OroCommerce is vulnerable to Cross Site Scripting. The vulnerability is due to improper validation or sanitization of the product name parameter when adding a note to a shopping list line. An attacker can exploit this by injecting a malicious JS payload into the product name...

CVSS 6.9, AI score 6.8, EPSS 0.00078
Exploits: 0, References: 1, Affected Software: 1
NVD
added 2023/10/09 2:15 p.m.

CVE-2022-35950

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

CVSS 6.9, AI score 6.5, EPSS 0.00078
Exploits: 0, References: 1
Prion
added 2023/10/09 2:15 p.m.

Design/Logic Flaw

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

CVSS 4.3, AI score 4.9, EPSS 0.00078
Exploits: 0, References: 1, Affected Software: 1
OSV
added 2023/10/09 1:06 p.m.

CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

CVSS 6.9, AI score 5.3, EPSS 0.00078
Exploits: 0, References: 3
Github Security Blog
added 2022/01/12 9:49 p.m.

XSS vulnerability in translations

Summary: An attacker with admin privileges and access to the Translations management functionality may add a JS payload to translation values via: - the Translation management UI. - Translations downloaded via the Crowdin service may also contain JS strings used for XSS attacks; for a successful attack...

AI score 4
Exploits: 0, References: 2, Affected Software: 1
OSV
added 2022/01/12 9:49 p.m.

GHSA-RRGW-3HG3-9X8C XSS vulnerability in translations

Summary: An attacker with admin privileges and access to the Translations management functionality may add a JS payload to translation values via: - the Translation management UI. - Translations downloaded via the Crowdin service may also contain JS strings used for XSS attacks; for a successful attack...

CVSS 6.9, AI score 6.2
Exploits: 0, References: 1
Hacker One
added 2020/01/08 5:42 p.m.

X (Formerly Twitter): Reflected XSS in twitterflightschool.com

While testing twitterflightschool.com, I came across the below endpoint: https://twitterflightschool.com/authentication/fbcallback?error=accessdenied&errorcode=200&errordescription= I noticed that it is possible to inject JS payload in "errordescription=" parameter and trigger XSS in...

AI score 6.2
Exploits: 0
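The OroCommerce entries above (a product name stored by one party and rendered, unescaped, into the storefront's "add note" dialog) and the twitterflightschool.com report (a query parameter echoed straight into an error page) are two faces of the same defect: untrusted text concatenated into HTML. The block below is an added example written for this listing, not code from OroCommerce, X, or any of the reporters; the product record, the markup, the callback URL and every function name are hypothetical. It shows the vulnerable rendering beside the fixed one and a cheap regression check that catches this bug class.

```javascript
// Added example (not OroCommerce's or X's code). All names, markup and
// inputs are hypothetical stand-ins for the patterns described in the entries.

// Minimal HTML escaping for text placed between tags or inside a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed catalogue record whose name an attacker controls
// (for example a merchant-editable or imported product name).
const productFromDb = {
  sku: 'SKU-1001',
  name: 'Widget <img src=x onerror="alert(document.cookie)">',
};

// Stored XSS pattern: the product name goes straight into the markup, so the
// payload saved in the name becomes live HTML in every shopper's browser.
function renderNoteDialogUnsafe(product) {
  return `<div class="note-dialog">
  <h3>Add note for ${product.name}</h3>
  <textarea name="note" data-sku="${product.sku}"></textarea>
</div>`;
}

// Hardened: every untrusted value is escaped for the context it lands in.
function renderNoteDialogSafe(product) {
  return `<div class="note-dialog">
  <h3>Add note for ${escapeHtml(product.name)}</h3>
  <textarea name="note" data-sku="${escapeHtml(product.sku)}"></textarea>
</div>`;
}

// Reflected XSS pattern: an OAuth-style callback echoes an error description
// taken from the query string. Same root cause, same fix.
function renderCallbackErrorUnsafe(url) {
  const desc = new URL(url).searchParams.get('errordescription') ?? '';
  return `<p class="error">${desc}</p>`;
}

function renderCallbackErrorSafe(url) {
  const desc = new URL(url).searchParams.get('errordescription') ?? '';
  return `<p class="error">${escapeHtml(desc)}</p>`;
}

// Regression check: an untrusted string containing '<' or '>' must never
// appear verbatim in the rendered output. This does not prove the absence of
// XSS (it ignores URL, CSS and script contexts) but it catches exactly the
// concatenation bug shown above.
function leaksRawMarkup(html, untrusted) {
  return /[<>]/.test(untrusted) && html.includes(untrusted);
}

// Constructed callback URL with a reflected payload in errordescription.
const callbackUrl =
  'https://example.invalid/authentication/fbcallback?error=accessdenied' +
  '&errorcode=200&errordescription=' +
  encodeURIComponent('<script>alert(1)</script>');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderNoteDialogUnsafe(productFromDb));
  console.log(renderNoteDialogSafe(productFromDb));
  console.log(renderCallbackErrorUnsafe(callbackUrl));
  console.log(renderCallbackErrorSafe(callbackUrl));
}
```

Run it with `node` to see the raw and escaped output side by side. Output encoding is the right fix here because the product name is legitimately allowed to contain arbitrary characters; input validation alone would either reject valid names or miss encodings the validator did not anticipate.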
exploitpack
added 2019/11/04 9:07 p.m.

jpvdYKiLAUi4eai

A Remote Browser's Agent XSS is a piece of software that allows a remote "operator" to control a browser as if he has physical access to that system. While desktop sharing and remote administration have many legal uses, "XSS" software is usually associated with criminal or malicious activity...

AI score 0.4
Exploits: 0
exploitpack
added 2019/09/13 3:58 p.m.

wbNj8EIMfXlmDDE

A Remote Browser's Agent XSS is a piece of software that allows a remote "operator" to control a browser as if he has physical access to that system. While desktop sharing and remote administration have many legal uses, "XSS" software is usually associated with criminal or malicious activity...

AI score 0.4
Exploits: 0
Exploit DB
added 2014/09/08 12:00 a.m.

vBulletin 5.1.x - Persistent Cross-Site Scripting

Title: vBulletin 5.1.X - Cross Site Scripting Date: 05.09.14 Version: = 5.1.2 Latest ATM Vendor: vbulletin.com Contact: smash at devilteam.pl 1 Agenda The latest vBulletin forum software suffers from a persistent cross-site scripting vulnerability, which most likely can be used against every user, such a...

AI score 7
Exploits: 0
Exploit DB
added 2011/11/28 12:00 a.m.

Google Android - 'content://' URI Multiple Information Disclosure Vulnerabilities

Android Data Stealing Web PageClick: Malicious Link"; // Stage 1: Redirect to Stage 2 which will force a download of the HTML/JS payload, then a few seconds later redirect...

CVSS 4.3, AI score 6.6, EPSS 0.62169
Exploits: 8