2165 matches found

wpexploit
added 2021/06/02 12:0 a.m., 604 views

GetPaid < 2.3.4 - Authenticated Stored XSS

In the plugin, users with the contributor role and above can create a new Payment Form; however, the Label and Help Text input fields were not sanitized properly, so it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is...

CVSS 5.4, EPSS 0.00162
Exploits: 2
CNNVD
added 2021/05/24 12:0 a.m., 1 view

ProjectWorlds College Management System Cross-Site Scripting Vulnerability

Project Worlds Online Examination System is an online examination system. Version 1.0 of ProjectWorlds College Management System is vulnerable to a cross-site scripting vulnerability that could be exploited to inject malicious JavaScript code to execute and steal user credentials...

CVSS 6.1, AI score 6.1, EPSS 0.00328
Exploits: 0, References: 2
CNVD
added 2021/05/21 12:0 a.m., 8 views

Zoho ManageEngine ADSelfService Plus Cross-Site Scripting Vulnerability (CNVD-2021-37588)

ManageEngine ADSelfService Plus is a web-based self-service application that enables end-users to perform tasks such as password reset, account unlock, profile information update, etc. without relying on a help desk. A stored cross-site scripting vulnerability exists in the...

CVSS 6.1, AI score 6, EPSS 0.00537
Exploits: 1, References: 1
Hacker One
added 2021/05/18 3:27 p.m., 18 views

Recorded Future: [https://app.recordedfuture.com] - Reflected XSS via username parameter

Steps To Reproduce: 1- Visit https://app.recordedfuture.com/live/login/?reset=x&username=xss%22%3E%3Cimg+src=x+onerror=alertdocument.domain%3E Impact An attacker could be able to Inject Malicious Javascript to compromise users...

AI score 6.7
Exploits: 0
Veracode
added 2021/05/18 6:13 a.m., 11 views

Cross-site Scripting (XSS)

github.com/knadh/listmonk is vulnerable to cross-site scripting (XSS). The library does not sanitize HTML strings before passing them to the toasts function, allowing a malicious user to inject and execute malicious JavaScript...

AI score 0.8
Exploits: 0
Prion
added 2021/05/17 5:15 p.m., 13 views

Code injection

There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages...

CVSS 4.3, AI score 6.3, EPSS 0.03211
Exploits: 1, References: 2, Affected Software: 1
Veracode
added 2021/05/17 11:23 a.m., 6 views

Cross-site Scripting (XSS)

forkcms/forkcms is vulnerable to cross-site scripting (XSS). The getMovieId function in MediaItemAddMovie.php does not properly validate invalid video ids, allowing a malicious user to inject and execute malicious JavaScript...

AI score 2.7
Exploits: 0
Veracode
added 2021/05/17 6:5 a.m., 12 views

Cross-site Scripting (XSS)

forkcms/forkcms is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of sanitization of mediaItem.title, allowing a malicious user to inject and execute malicious JavaScript...

AI score 2.6
Exploits: 0
Prion
added 2021/05/11 6:15 a.m., 10 views

Cross site scripting

Special characters of the IGT search function in igt+ are not filtered in specific fields, which allows remote authenticated attackers to inject malicious JavaScript and carry out DOM-based XSS (cross-site scripting) attacks...

CVSS 3.5, AI score 5.1, EPSS 0.00165
Exploits: 0, References: 1
OSV
added 2021/05/10 6:39 p.m., 16 views

GHSA-GMCH-CM2P-9QW9 Cross-site Scripting in lightning-server

This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...

CVSS 6.3, AI score 6.3, EPSS 0.00437
Exploits: 1, References: 3
Github Security Blog
added 2021/05/10 6:39 p.m., 42 views

Cross-site Scripting in lightning-server

This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...

CVSS 6.3, AI score 6.3, EPSS 0.00437
Exploits: 1, References: 4, Affected Software: 1
Veracode
added 2021/05/10 8:40 a.m., 14 views

Cross-site Request Forgery (CSRF)

forkcms is vulnerable to cross-site request forgery. An attacker is able to hijack the authentication of logged-in administrators by injecting malicious JavaScript via the frontend navigation...

CVSS 8.8, AI score 3.9, EPSS 0.00111
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2021/05/07 9:30 a.m., 12 views

CVE-2021-30172 Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS

Special characters of the picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected XSS (cross-site scripting) attacks, and additionally access and manipulate customer’s...

CVSS 4.6, AI score 5.4, EPSS 0.00247
Exploits: 0, References: 1
NVD
added 2021/05/05 7:15 p.m., 8 views

CVE-2021-24293

In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call getcartitems via photocratiajax, after that the settingsshippingaddressname is able to inject malicious JavaScript...

CVSS 6.1, EPSS 0.00392
Exploits: 1, References: 2
Prion
added 2021/05/05 7:15 p.m., 16 views

Code injection

In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call getcartitems via photocratiajax, after that the settingsshippingaddressname is able to inject malicious JavaScript...

CVSS 4.3, AI score 6.2, EPSS 0.00392
Exploits: 1, References: 2, Affected Software: 1
CNVD
added 2021/04/27 12:0 a.m., 8 views

Cross-site scripting vulnerability in Vaadin flow

Vaadin flow is a software application. The Vaadin platform is a Java framework for building modern websites that look great, perform well and keep you and your users happy. A security vulnerability exists in vaadin:flow-server, which stems from a vulnerability that allows an attacker to execute...

CVSS 6.1, AI score 6.7, EPSS 0.00371
Exploits: 0, References: 1
CNNVD
added 2021/04/23 12:0 a.m., 0 views

vaadin-server Cross-Site Scripting Vulnerability

Vaadin-server is a Vaadin open source application, a platform for rapid development of Web applications on the Java backend. A security vulnerability exists in vaadin-server versions 7.4.0 through 7.7.19, which can be exploited by an attacker to inject malicious JavaScript via an unspecified...

CVSS 6.1, AI score 5.7, EPSS 0.00347
Exploits: 0, References: 4
Packet Storm
added 2021/04/19 12:0 a.m., 214 views

WordPress Photo Gallery 1.5.69 Cross Site Scripting

Researcher Name: ThuraMoeMyint Twitter: https://twitter.com/mgthuramoemyint Vendor Url: https://wordpress.org/plugins/photo-gallery/ "Photo Gallery by 10Web / Mobile-Friendly Image Gallery" photo-gallery Multiple RXSS The parameter bwgalbumbreadcrumb0 is able to inject malicious javascript code...

Exploits: 0
Tenable Nessus
added 2021/04/12 12:0 a.m., 33 views

ManageEngine AssetExplorer < 6.8 Unauthenticated Stored XSS

A stored cross-site scripting (XSS) vulnerability exists in the XML processing logic of asset discovery. By sending a crafted HTTP POST request to /discoveryServlet/WsDiscoveryServlet, a remote, unauthenticated attacker can create an asset containing malicious JavaScript. When an administrator view...

CVSS 6.1, AI score 5.9, EPSS 0.18638
Exploits: 1, References: 2
Tenable Nessus
added 2021/04/12 12:0 a.m., 112 views

ManageEngine ServiceDesk Plus < 11.2 Build 11200 Unauthenticated Stored XSS

A stored cross-site scripting (XSS) vulnerability exists in the XML processing logic of asset discovery. By sending a crafted HTTP POST request to /discoveryServlet/WsDiscoveryServlet, a remote, unauthenticated attacker can create an asset containing malicious JavaScript. When an administrator view...

CVSS 6.1, AI score 5.9, EPSS 0.18638
Exploits: 1, References: 2