369 matches found
CVE-2024-22213
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the...
CVE-2024-0243
With the following crawler configuration: python from bs4 import BeautifulSoup as Soup url = "https://example.com" loader = RecursiveUrlLoader url=url, maxdepth=2, extractor=lambda x: Soupx, "html.parser".text docs = loader.load An attacker in control of the contents of https://example.com could...
CVE-2023-20205
Multiple vulnerabilities in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager EPNM could allow an authenticated, remote attacker to conduct a stored cross-site scripting XSS attack against a user of the interface on an affected device...
CVE-2021-24619
The Per page add to head WordPress plugin through 1.4.4 does not properly sanitise one of its setting, allowing malicious HTML to be inserted by high privilege users even when the unfilteredhtml capability is disallowed, which could lead to Cross-Site Scripting issues...
CVE-2019-15614
Missing sanitization in the iOS App 2.24.4 causes an XSS when opening malicious HTML files...
CVE-2019-17324
ClipSoft REXPERT 1.0.0.527 and earlier version allows directory traversal by issuing a special HTTP POST request with ../ characters. This could lead to create malicious HTML file, because they can inject a content with crafted template. User interaction is required to exploit this vulnerability ...
CVE-2019-1010054
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery CSRF. The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access...
Information Exposure
Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Information Exposure via the Loader component. An attacker can leak sensitive cross-origin data by crafting...
Cross-site Scripting (XSS)
org.graylog2:graylog2-server is vulnerable to Cross-site Scripting XSS. The vulnerability is due to insecure input handling due to the ability to inject and submit malicious HTML forms via the Event Definition Remediation Step field, which can result in session cookie theft under specific...
Dust: Stored XSS in File Upload Leads to Privilege Escalation and Full Workspace Takeover
A stored cross-site scripting XSS vulnerability was discovered in the Dust platform's file upload functionality. An attacker could upload a malicious HTML file to a conversation. When another user, including an admin, visited the uploaded file, JavaScript was executed in their authenticated brows...
Phishing attacks leveraging HTML code inside SVG files
With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML...
Cross-site Scripting (XSS)
Overview concrete5/concrete5 is a concrete5 open source CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS through the Save function. An attacker with page editing privileges can inject malicious HTML content by manipulating the content argument. Details Cross-site...
Geovision GV-ASManager 6.1.10 Cross Site Request Forgery
Geovision GV-ASManager versions 6.1.10 and below suffer from a cross site request forgery vulnerability. CVE-2024-56901 CVE-2024-56901 - A Cross-Site Request Forgery CSRF vulnerability in Geovision GV-ASManager web application with the version 6.1.1.0 or less that allows attackers to arbitrarily...
CVE-2024-8400
A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...
CVE-2024-8400 Stored XSS in gaizhenbiao/chuanhuchatgpt
A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...
CVE-2024-8400 Stored XSS in gaizhenbiao/chuanhuchatgpt
A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...
CVE-2024-8400
CVE-2024-8400 is a stored cross-site scripting vulnerability in gaizhenbiao/chuanhuchatgpt. The issue stems from lack of proper filtering/escaping when a user uploads an HTML file that contains JavaScript, which is then executed when the file is accessed. This enables arbitrary JavaScript executi...
CVE-2024-8400 Stored XSS in gaizhenbiao/chuanhuchatgpt
A stored cross-site scripting XSS vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability allows an attacker to upload a malicious HTML file containing JavaScript code, which is then executed when the file is accessed. This can lead to the execution of arbitrar...
CVE-2024-7806
CVE-2024-7806 affects open-webui/open-webui ≤ 0.3.8. A CSRF flaw (lax SameSite cookies, no CSRF tokens) enables remote code execution by non-admin users when a victim visits a crafted page, potentially modifying a pipeline’s Python code and running arbitrary commands with the victim’s privileges....
CVE-2024-11441
CVE-2024-11441 affects Serge (open source web interface for chatting via llama.cpp) at version 0.9.0. The issue is a stored XSS caused by improper neutralization of input during web page generation in the chat prompt. An attacker can send a crafted message containing malicious HTML/JavaScript, wh...