Cross site scripting
Multiple stored XSS vulnerabilities in IrisNext Edition 9.5.16 allow an authenticated or compromised user to inject malicious JavaScript into a folder or file name within the application in order to grab other users' sessions or execute malicious code in their browsers (1-click RCE)...
ZOHO ManageEngine Applications Manager Cross-Site Scripting Vulnerability (CNVD-2021-78743)
ZOHO ManageEngine Applications Manager is an IT operations management solution from ZOHO, Inc. It is affected by a cross-site scripting vulnerability that could be exploited to execute malicious JavaScript...
GetPaid < 2.3.4 - Authenticated Stored XSS
In the plugin, users with the contributor role and above can create a new Payment Form; however, the Label and Help Text input fields were not sanitized properly, so it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is...
ProjectWorlds College Management System Cross-Site Scripting Vulnerability
Project Worlds Online Examination System is an online examination system. Version 1.0 of ProjectWorlds College Management System is vulnerable to a cross-site scripting vulnerability that could be exploited to inject malicious JavaScript code and steal user credentials...
Zoho ManageEngine ADSelfService Plus Cross-Site Scripting Vulnerability (CNVD-2021-37588)
ManageEngine ADSelfService Plus is a web-based self-service application that enables end-users to perform tasks such as password reset, account unlock, profile information update, etc. without relying on a help desk. A stored cross-site scripting vulnerability exists in the...
Recorded Future: [https://app.recordedfuture.com] - Reflected XSS via username parameter
Steps To Reproduce: 1. Visit https://app.recordedfuture.com/live/login/?reset=x&username=xss%22%3E%3Cimg+src=x+onerror=alertdocument.domain%3E. Impact: An attacker could inject malicious JavaScript to compromise users...
Cross-site Scripting (XSS)
github.com/knadh/listmonk is vulnerable to cross-site scripting (XSS). The library does not sanitize HTML strings before passing them to the toasts function, allowing a malicious user to inject and execute malicious JavaScript...
Code injection
Several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 could allow unauthenticated attackers to inject malicious JavaScript into pages...
Cross-site Scripting (XSS)
forkcms/forkcms is vulnerable to cross-site scripting (XSS). The getMovieId function in MediaItemAddMovie.php does not properly validate video IDs, allowing a malicious user to inject and execute malicious JavaScript...
Cross-site Scripting (XSS)
forkcms/forkcms is vulnerable to cross-site scripting (XSS) attacks. The vulnerability exists due to the lack of sanitization of mediaItem.title, allowing a malicious user to inject and execute malicious JavaScript...
Cross site scripting
Special characters in the IGT search function of igt+ are not filtered in specific fields, which allows remote authenticated attackers to inject malicious JavaScript and carry out DOM-based cross-site scripting (XSS) attacks...
GHSA-GMCH-CM2P-9QW9 Cross-site Scripting in lightning-server
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...
Cross-site Scripting in lightning-server
This affects all versions of package lightning-server. It is possible to inject malicious JavaScript code as part of a session controller...
Cross-site Request Forgery (CSRF)
forkcms is vulnerable to cross-site request forgery. An attacker is able to hijack the authentication of logged-in administrators by injecting malicious JavaScript via the frontend navigation...
CVE-2021-30172 Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS
Special characters on the picture preview page of the Quan-Fang-Wei-Tong-Xun system are not filtered from user input, which allows remote authenticated attackers to inject malicious JavaScript and carry out reflected cross-site scripting (XSS) attacks, and additionally to access and manipulate customers'...
CVE-2021-24293
In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action that calls getcartitems via photocratiajax; after that, the settingsshippingaddressname field can be used to inject malicious JavaScript...
Code injection
In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action that calls getcartitems via photocratiajax; after that, the settingsshippingaddressname field can be used to inject malicious JavaScript...
Cross-site scripting vulnerability in Vaadin flow
Vaadin Flow is a software application. The Vaadin platform is a Java framework for building modern websites that look great, perform well and keep you and your users happy. A security vulnerability exists in vaadin:flow-server that allows an attacker to execute...
vaadin-server Cross-Site Scripting Vulnerability
Vaadin-server is a Vaadin open source application, a platform for rapid development of web applications on the Java backend. A security vulnerability exists in vaadin-server versions 7.4.0 through 7.7.19, which can be exploited by an attacker to inject malicious JavaScript via an unspecified...
WordPress Photo Gallery 1.5.69 Cross Site Scripting
Researcher Name: ThuraMoeMyint. Twitter: https://twitter.com/mgthuramoemyint. Vendor URL: https://wordpress.org/plugins/photo-gallery/ ("Photo Gallery by 10Web / Mobile-Friendly Image Gallery", photo-gallery). Multiple RXSS: the parameter bwgalbumbreadcrumb0 can be used to inject malicious JavaScript code...