12 matches found
CVE-2022-33009
A stored cross-site scripting XSS vulnerability in LightCMS v1.3.11 allows attackers to execute arbitrary web scripts or HTML via uploading a crafted PDF file...
CVE-2024-55199
A Stored Cross Site Scripting XSS vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. When the file is rendered, the injected code is executed on the user's browser...
CVE-2024-55199
A Stored Cross Site Scripting XSS vulnerability in Celk Sistemas Celk Saude v.3.1.252.1 allows a remote attacker to store JavaScript code inside a PDF file through the file upload feature. When the file is rendered, the injected code is executed on the user's browser...
CVE-2024-55199
CVE-2024-55199 describes a Stored XSS in Celk Sistemas Celk Saude v3.1.252.1. The vulnerability allows an attacker to embed JavaScript inside a PDF uploaded via the file-upload feature; when the PDF is rendered, the script executes in the user’s browser. Affected product/version: Celk Saude v3.1....
XSS by uploading pdf file
This report is not public...
PT-2024-31856 · Zenario · Zenario
Name of the Vulnerable Software and Affected Versions: Zenario version 9.7.61188 Description: The issue allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting XSS...
GHSA-4M3G-6R7G-JV4F Arbitrary JavaScript execution due to using outdated libraries
Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. PoC 1. Generate a pdf file with a malicious script in the fontmatrix. This will run alert‘XSS’. poc.pdf 2. Run the app. In this PoC, I've used the demo...
CVE-2024-34909
KYKMS is affected by an arbitrary file upload vulnerability (KYKMS v1.0.1 and below) that enables an attacker to execute arbitrary code by uploading a crafted PDF. Root cause: improper handling of uploaded files leading to code execution. Public disclosures across multiple sources confirm the vul...
CVE-2024-27705
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint...
CVE-2024-27705
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted PDF file to the files/browse endpoint...
Privilege escalation
BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file...
MediaWiki thumb.php 'w' Parameter Remote Shell Command Injection
The version of MediaWiki running on the remote host is affected by a remote command injection vulnerability due to a failure to properly sanitize user-supplied input to the 'w' parameter in the 'thumb.php' script. A remote, unauthenticated attacker can exploit this issue to execute arbitrary...