2167 matches found

Huntr
added 2022/08/22 1:45 p.m. · 12 views

Reflected XSS via "stuffid" parameter

Description: The value for the stuffid parameter is reflected in the web context without proper filtering in place, resulting in the possibility to execute malicious JavaScript code. Testing Environment: 1. Windows OS 2. Firefox Browser. Proof of Concept: 1. Visit...

AI score 0.7
Exploits 0
Veracode
added 2022/08/19 7:26 a.m. · 18 views

Cross-site Scripting (XSS)

forkcms/forkcms is vulnerable to cross-site scripting attacks. The vulnerability exists because the SpoonLibrary does not properly handle uppercase characters, which allows remote authenticated attackers to inject and execute malicious JavaScript via the publishontime parameter...

CVSS 4.8 · AI score 5.1 · EPSS 0.00191
Exploits 1 · References 4 · Affected Software 1
CNNVD
added 2022/08/15 12:00 a.m. · 2 views

Esri Portal For ArcGis Cross-Site Scripting Vulnerability

Esri Portal For ArcGis is a component of Esri, Inc. that allows maps, scenes, applications, and other geographic information to be shared with others within an organization. A security vulnerability exists in Esri Portal For ArcGis, which stems from stored cross-site scripting (XSS) in configurable...

CVSS 6.1 · AI score 6.8 · EPSS 0.00491
Exploits 0 · References 2
CNNVD
added 2022/08/04 12:00 a.m. · 2 views

Renato Cross-Site Scripting Vulnerability

Renato is an open source knowledge base platform that uses static Markdown files to power your knowledge base. A security vulnerability exists in Renato version v0.17.0, which originates from the fact that an attacker with local access rights can upload a Markdown file containing malicious JavaScript that can be...

CVSS 9.8 · AI score 6.6 · EPSS 0.00551
Exploits 2 · References 5
Veracode
added 2022/08/01 6:46 a.m. · 20 views

Cross-Site Scripting (XSS)

github.com/velocidex/velociraptor is vulnerable to cross-site scripting. The vulnerability exists in the Completer function in syntax.js due to improper sanitization of the description field, which allows an attacker to inject and execute malicious JavaScript...

CVSS 4.8 · AI score 5.4 · EPSS 0.00496
Exploits 0 · References 4 · Affected Software 1
Veracode
added 2022/07/30 6:33 a.m. · 22 views

Cross-site Scripting (XSS)

firefox is vulnerable to cross-site scripting attacks. Directory indexes for bundled resources are reflected in URL parameters, allowing an attacker to inject and execute malicious JavaScript...

CVSS 5.3 · AI score 6.9 · EPSS 0.00207
Exploits 0 · References 8 · Affected Software 5
Veracode
added 2022/07/29 4:44 a.m. · 34 views

Cross-site Scripting (XSS)

libxml2.so is vulnerable to cross-site scripting. The vulnerability exists in the htmlAttrDumpOutput function in HTMLtree.c due to a lack of sanitization of the escaped variable, which allows an attacker to inject and execute malicious JavaScript...

CVSS 6.1 · AI score 1.1 · EPSS 0.00174
Exploits 1 · References 3 · Affected Software 2
Positive Technologies
added 2022/07/29 12:00 a.m. · 3 views

PT-2022-23962 · Foxit · Foxit Pdf Reader

Name of the Vulnerable Software and Affected Versions: Foxit PDF Reader version 11.2.1.53537. Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a malicious file. Th...

CVSS 7.8 · AI score 8.2 · EPSS 0.02012
Exploits 0 · References 4
Veracode
added 2022/07/26 5:18 a.m. · 29 views

Cross-site Scripting (XSS)

joplin is vulnerable to cross-site scripting. The vulnerability exists because the surroundKeywords function of string-utils.js does not properly escape malicious HTML in the valueRegex and value parameters, allowing an attacker to inject and execute malicious JavaScript...

CVSS 9 · AI score 8.4 · EPSS 0.15332
Exploits 2 · References 5 · Affected Software 1
Veracode
added 2022/07/26 3:32 a.m. · 32 views

Cross-site Scripting (XSS)

moodle/moodle is vulnerable to cross-site scripting. The vulnerability exists in userreporttracks.php due to the lack of sanitization of user-supplied data, allowing an attacker to inject and execute malicious JavaScript or cause blind SSRF attacks...

CVSS 6.1 · AI score 7.5 · EPSS 0.00281
Exploits 0 · References 12 · Affected Software 1
The Hacker News
added 2022/07/19 11:23 a.m. · 30 views

Security Experts Warn of Two Primary Client-Side Risks Associated with Data Exfiltration and Loss — The Hacker News

Two client-side risks dominate the problems with data loss and data exfiltration: improperly placed trackers on websites and web applications and malicious client-side code pulled from third-party repositories like NPM. Client-side security researchers are finding that improperly placed trackers,...

AI score 7.1
Exploits 0
Veracode
added 2022/07/19 5:25 a.m. · 127 views

Cross-site Scripting (XSS)

jquery-ui is vulnerable to cross-site scripting attacks. The vulnerability exists in the widget function in checkboxradio.js due to a lack of input sanitization, which allows an attacker to inject and execute malicious JavaScript...

CVSS 6.1 · AI score 6.2 · EPSS 0.07763
Exploits 1 · References 14 · Affected Software 1
Veracode
added 2022/07/14 11:38 a.m. · 26 views

Cross-site Scripting (XSS)

ameos/ameostarteaucitron is vulnerable to cross-site scripting (XSS) attacks. The library does not properly encode user input in the displayParticipantsFormAction function, allowing an attacker to inject and execute malicious JavaScript on the target system...

CVSS 5.4 · AI score 5.7 · EPSS 0.00206
Exploits 0 · References 3 · Affected Software 1
The Hacker News
added 2022/07/12 11:28 a.m. · 38 views

Avoiding Death by a Thousand Scripts: Using Automated Content Security Policies

Businesses know they need to secure their client-side scripts. Content security policies (CSPs) are a great way to do that. But CSPs are cumbersome. One mistake and you have a potentially significant client-side security gap. Finding those gaps means long and tedious hours or days in manual code...

AI score 6.8
Exploits 0
Veracode
added 2022/07/07 4:39 a.m. · 13 views

Cross-site Scripting (XSS)

jetspeed-portal is vulnerable to cross-site scripting. The vulnerability exists because the library does not properly filter untrusted user input by default, allowing an attacker to inject and execute malicious JavaScript...

CVSS 9.8 · AI score 8.7 · EPSS 0.09228
Exploits 0 · References 3 · Affected Software 1
Veracode
added 2022/06/30 3:23 a.m. · 20 views

Cross-site Scripting (XSS)

silverstripe/assets is vulnerable to cross-site scripting (XSS) attacks. A remote attacker is able to inject and execute malicious JavaScript via the args parameter of the regenerateshortcode function...

CVSS 4.3 · AI score 5.2 · EPSS 0.00332
Exploits 1 · References 7 · Affected Software 1
CNVD
added 2022/06/30 12:00 a.m. · 21 views

BigBlueButton Cross-Site Scripting Vulnerability (CNVD-2022-58952)

BigBlueButton is an open source web conferencing system from the BigBlueButton community. A cross-site scripting vulnerability exists in versions prior to BigBlueButton 2.4.8 and prior to 2.5.0, which stems from users in private chat-enabled meetings being vulnerable to malicious JavaScript attack...

CVSS 4.3 · AI score 2.3 · EPSS 0.00328
Exploits 0 · Affected Software 1
Prion
added 2022/06/27 8:15 p.m. · 8 views

Design/Logic Flaw

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker whose username contains malicious JavaScript, the script gets...

CVSS 4.3 · AI score 6.2 · EPSS 0.00328
Exploits 0 · References 3 · Affected Software 1
Vulnrichment
added 2022/06/27 7:45 p.m. · 3 views

CVE-2022-31065 Cross site scripting vulnerability for private chat in bigbluebutton

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker whose username contains malicious JavaScript, the script gets...

CVSS 6.5 · AI score 6.4 · EPSS 0.00328
Exploits 0 · References 3
OSV
added 2022/06/27 7:45 p.m. · 13 views

CVE-2022-31065 Cross site scripting vulnerability for private chat in bigbluebutton

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker whose username contains malicious JavaScript, the script gets...

CVSS 6.5 · AI score 6.2 · EPSS 0.00328
Exploits 0 · References 5