2167 matches found

WPVulnDB
added 2020/02/27 12:0 a.m. | 9 views

10Web Map Builder for Google Maps < 1.0.64 - Unauthenticated Stored XSS via Plugin Settings Change

The vulnerability in 10Web Map Builder exists in the plugin’s setup process. The plugin’s setup functions are called during admin_init which, like Flexible Checkout Fields, is accessible to unauthenticated users. If an attacker injects malicious JavaScript into certain settings values, that code...

AI score: 3
Exploits: 0 | References: 2 | Affected Software: 1

Hacker One
added 2020/02/26 8:29 p.m. | 14 views

Engel & Völkers Technology GmbH: [go3-intern.engelvoelkers.com] - Reflected XSS in /dGPS3/default.jsp

Summary: The application fails to sanitize user input in https://go3-intern.engelvoelkers.com/dGPS3/default.jsp and reflects the input directly in the HTTP response, allowing the hacker to exploit the vulnerable parameter and have malicious content executed in the victim's browser. Description: A...

AI score: 0.2
Exploits: 0

CNVD
added 2020/02/18 12:0 a.m. | 3 views

Stored Cross-site Scripting Vulnerability in Qibo CMS System

Qibo CMS system is a content management system under Guangzhou Qibo Network Technology Co. A stored cross-site scripting vulnerability exists in the Qibo CMS system. An attacker can insert malicious js code into a page to obtain user cookies and other information, leading to user hijacking...

AI score: 6.3
Exploits: 0

NVD
added 2020/02/17 7:15 p.m. | 11 views

CVE-2013-7324

Webkit-GTK 2.x any version with HTML5 audio/video support based on GStreamer allows remote attackers to trigger unexpectedly high sound volume via malicious javascript. NOTE: this WebKit-GTK behavior complies with existing W3C standards and existing practices for GNOME desktop integration...

CVSS: 5.3 | AI score: 5.3 | EPSS: 0.00424
Exploits: 0 | References: 3

Prion
added 2020/02/17 7:15 p.m. | 12 views

Design/Logic Flaw

Webkit-GTK 2.x any version with HTML5 audio/video support based on GStreamer allows remote attackers to trigger unexpectedly high sound volume via malicious javascript. NOTE: this WebKit-GTK behavior complies with existing W3C standards and existing practices for GNOME desktop integration...

CVSS: 5 | AI score: 7.2 | EPSS: 0.00424
Exploits: 0 | References: 3 | Affected Software: 1

UbuntuCve
added 2020/02/17 7:15 p.m. | 16 views

CVE-2013-7324

Webkit-GTK 2.x any version with HTML5 audio/video support based on GStreamer allows remote attackers to trigger unexpectedly high sound volume via malicious javascript. NOTE: this WebKit-GTK behavior complies with existing W3C standards and existing practices for GNOME desktop integration...

CVSS: 5.3 | AI score: 6.1 | EPSS: 0.00424
Exploits: 0 | References: 2

Veracode
added 2020/02/10 5:33 a.m. | 29 views

Arbitrary Code Execution

HtmlUnit is vulnerable to arbitrary code execution. The application does not prevent Rhino's access to Java resources such as Java methods. This allows an attacker to execute arbitrary Java code on the system using malicious Javascript code...

CVSS: 8.1 | AI score: 3.3 | EPSS: 0.0164
Exploits: 0 | References: 7 | Affected Software: 1

Japan Vulnerability Notes
added 2020/02/10 3:30 a.m. | 3 views

HtmlUnit vulnerable to arbitrary code execution

Overview HtmlUnit is a Java-based library which provides web browser functionality to Java programs, and it supports JavaScript evaluation with embedded Mozilla Rhino engine. Mozilla Rhino engine offers a feature to make Java objects available from JavaScript. HtmlUnit initializes Rhino engine...

CVSS: 8.1 | AI score: 7 | EPSS: 0.0164
Exploits: 0 | References: 5

Exploit DB
added 2020/01/20 12:0 a.m. | 700 views

Adive Framework 2.0.8 - Persistent Cross-Site Scripting

Exploit Title: Adive Framework 2.0.8 - Persistent Cross-Site Scripting Exploit Author: Sarthak Saini Dork: N/A Date: 2020-01-18 Vendor Link : https://www.adive.es/ Software Link: https://github.com/ferdinandmartin/adive-php7 Version: 2.0.8 Category: Webapps Tested on: windows64bit / mozila firefo...

AI score: 7.4
Exploits: 0

NVD
added 2020/01/10 3:15 p.m. | 20 views

CVE-2020-1766

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agent's browser to execute malicious javascript from a specially crafted SVG file rendered as an inline jpg file. This issue affects: OTRS Community Edition 5.0.x version 5.0.39 and prior...

CVSS: 6.1 | AI score: 5.3 | EPSS: 0.00645
Exploits: 0 | References: 6

Prion
added 2020/01/10 3:15 p.m. | 20 views

Input validation

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agent's browser to execute malicious javascript from a specially crafted SVG file rendered as an inline jpg file. This issue affects: OTRS Community Edition 5.0.x version 5.0.39 and prior...

CVSS: 4.3 | AI score: 6.2 | EPSS: 0.00645
Exploits: 0 | References: 6 | Affected Software: 2

OSV
added 2020/01/10 3:15 p.m. | 0 views

UBUNTU-CVE-2020-1766

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agent's browser to execute malicious javascript from a specially crafted SVG file rendered as an inline jpg file. This issue affects: OTRS Community Edition 5.0.x version 5.0.39 and prior...

CVSS: 6.1 | AI score: 6.2 | EPSS: 0.00645
Exploits: 0 | References: 3

UbuntuCve
added 2020/01/10 3:15 p.m. | 29 views

CVE-2020-1766

Due to improper handling of uploaded images it is possible in very unlikely and rare conditions to force the agent's browser to execute malicious javascript from a specially crafted SVG file rendered as an inline jpg file. This issue affects: OTRS Community Edition 5.0.x version 5.0.39 and prior...

CVSS: 6.1 | AI score: 6.4 | EPSS: 0.00645
Exploits: 0 | References: 2

CNVD
added 2019/12/09 12:0 a.m. | 2 views

Wordpress Cross-Site Scripting Vulnerability (CNVD-2019-45160)

WordPress is a blogging platform from the WordPress Software Foundation, developed using the PHP language, which supports personal blog sites on servers with PHP and MySQL. WordPress suffers from a cross-site scripting vulnerability. It allows an attacker to insert malicious js code into a page to...

AI score: 6.1
Exploits: 0 | References: 1

ThreatPost
added 2019/11/14 3:18 p.m. | 122 views

Website, Know Thyself: What Code Are You Serving?

When we think of “securing our website” from attackers, we often think of securing against hooded figures somewhere in Eastern Europe working out of a smoky office above an illegal gambling den. Not only is that probably geographically insensitive, it’s also not necessarily the best way threat to...

AI score: 8.6 | EPSS: 0.03057
Exploits: 1 | References: 12

Exploit DB
added 2019/11/12 12:0 a.m. | 163 views

Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting

Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting Google Dork: NA Date: 2018-09-06 Exploit Author: Rishu Ranjan Cy83rl0gger Vendor Homepage: https://www.myadrenalin.com/ Software Link: https://www.myadrenalin.com/core-hcm/ Version: 5.4.0 REQUIRED Tested on: NA C...

CVSS: 6.1 | AI score: 7 | EPSS: 0.0477
Exploits: 5

Exploit DB
added 2019/11/12 12:0 a.m. | 68 views

Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting

Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting Google Dork: NA Date: 2018-09-06 Exploit Author: Rishu Ranjan Cy83rl0gger Vendor Homepage: https://www.myadrenalin.com/ Software Link: https://www.myadrenalin.com/core-hcm/ Version: 5.4.0 REQUIRED Tested o...

CVSS: 6.1 | AI score: 6.5 | EPSS: 0.02938
Exploits: 5

OSV
added 2019/11/06 12:15 a.m. | 12 views

CVE-2019-8128

A stored cross-site scripting XSS vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website...

CVSS: 5.4 | AI score: 5.3
Exploits: 0 | References: 1

Prion
added 2019/11/06 12:15 a.m. | 8 views

Cross site scripting

A stored cross-site scripting XSS vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with access to the wysiwyg editor can abuse the blockDirective function and inject malicious javascript ...

CVSS: 3.5 | AI score: 5.2 | EPSS: 0.00148
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2019/11/05 11:2 p.m. | 12 views

CVE-2019-8128

A stored cross-site scripting XSS vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user can exploit it by injecting malicious Javascript into the name of main website...

AI score: 5.4 | EPSS: 0.00148
Exploits: 0 | References: 1