CVE-2025-9913 Cross Site Scripting: Session Hijacking
JavaScript can be run inside the address bar via the dashboard "Open in new Tab" button, making the application vulnerable to session hijacking...
CVE-2025-9913
JavaScript can be run inside the address bar via the dashboard "Open in new Tab" button, making the application vulnerable to session hijacking...
PT-2025-40856
Name of the Vulnerable Software and Affected Versions: Dashboard, affected versions not specified. Description: The application is susceptible to session hijacking due to the execution of JavaScript code within the address bar. This is possible through the dashboard's "Open in new Tab" button. This...
PT-2022-16845 · Sylius · Sylius
Name of the Vulnerable Software and Affected Versions: Sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 Description: The issue allows any other user to view the data if the browser tab remains open after logging out. This can lead to a data leak, such as customer details or payment gateway...
Open redirect
If a URL using the "file:" protocol is dragged and dropped onto an open tab that is running in a different child process the tab will open a local file corresponding to the dropped URL, contrary to policy. One way to make the target tab open more reliably in a separate process is to open it with...
CVE-2018-5181
If a URL using the "file:" protocol is dragged and dropped onto an open tab that is running in a different child process the tab will open a local file corresponding to the dropped URL, contrary to policy. One way to make the target tab open more reliably in a separate process is to open it with...
Calls to Action WordPress Plugin Reflective Cross-Site Scripting Vulnerability
Calls to Action is a plugin for calling events on WordPress sites. Calls to Action 2.4.3 and earlier versions do not effectively filter the "open-tab" HTTP GET parameter value and the "wp-cta-variation-id" HTTP GET parameter value, which allows an unauthenticated, remote attacker to trick...