36 matches found
CVE-2021-27931
LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...
EUVD-2024-31071
Malicious code in bioql PyPI...
VulnCheck KEV: CVE-2024-33326
A cross-site scripting XSS vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter...
CVE-2024-33328
A cross-site scripting XSS vulnerability in the component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the pageId parameter...
CVE-2024-33327
A cross-site scripting XSS vulnerability in the component UrlAccessibilityEvaluation.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contentHtml parameter...
CVE-2024-33326
A cross-site scripting XSS vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter...
CVE-2024-33329
A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information...
LumisXP 16.1.x Cross Site Scripting
===== Tempest Security Intelligence - ADV-6/2024 ========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil ===== Table of Contents================================================== Overview Detailed description Timeli...
LumisXP 16.1.x Cross Site Scripting
===== Tempest Security Intelligence - ADV-6/2024 ========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil ===== Table of Contents================================================== Overview Detailed description Timeli...
LumisXP 16.1.x Hardcoded Credentials / IDOR
===== Tempest Security Intelligence - ADV-6/2024 ========================== LumisXP v15.0.x to v16.1.x Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil ===== Table of Contents================================================== Overview Detailed description Timeli...
CVE-2024-33329
A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information...
CVE-2024-33327
A cross-site scripting XSS vulnerability in the component UrlAccessibilityEvaluation.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contentHtml parameter...
CVE-2024-33326
A cross-site scripting XSS vulnerability in the component XsltResultControllerHtml.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the lumPageID parameter...
CVE-2024-33328
A cross-site scripting XSS vulnerability in the component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the pageId parameter...
CVE-2024-33329
A hardcoded privileged ID within Lumisxp v15.0.x to v16.1.x allows attackers to bypass authentication and access internal pages and other sensitive information...
CVE-2024-33326
LumisXP/XuLumisxp vulnerability CVE-2024-33326 affects LumisXP versions 15.0.x through 16.1.x. The XSS is in the XsltResultControllerHtml.jsp component, exploitable via a crafted payload in the lumPageID parameter, allowing arbitrary JavaScript execution in the victim’s browser (impact: confident...
CVE-2024-33328
CVE-2024-33328: LumisXP/Lumisxp versions 15.0.x–16.1.x have a cross-site scripting (XSS) vulnerability in the main.jsp component. The issue allows injection of arbitrary web scripts/HTML via the pageId parameter, as described across multiple sources (Red Hat, NVD, CNVD, PacketStorm, CVE records)....
CVE-2024-33327
CVE-2024-33327 is an XSS vulnerability in Lumisxp/LumisXP with affected versions 15.0.x–16.1.x, exploitable via crafted payload in the contentHtml parameter of UrlAccessibilityEvaluation.jsp. This is documented across multiple sources (NVD, Red Hat, CNNVD, PacketStorm, CVE lists) with consistent ...
CVE-2024-33328
A cross-site scripting XSS vulnerability in the component main.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the pageId parameter...
CVE-2024-33327
A cross-site scripting XSS vulnerability in the component UrlAccessibilityEvaluation.jsp of Lumisxp v15.0.x to v16.1.x allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the contentHtml parameter...