CVE-2021-24445

The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfilteredhtml capability is disallowed, leading to an authenticated Stored Cross-Site Scripting...

CVE-2021-24481

The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it...

CVE-2021-23399

This affects all versions of package wincred. If attacker-controlled user input is given to the getCredential function, it is possible for an attacker to execute arbitrary commands. This is due to use of the childprocess exec function without input sanitization...

pki-core: Reflected XSS in getcookies?url= endpoint in CA

A Reflected Cross Site Scripting vulnerability was found in the pki-ca module from the pki-core server. This flaw is caused by missing sanitization of the GET URL parameters. An attacker could abuse this flaw to trick an authenticated user into clicking a specially crafted link which can execute...

Cross-site Scripting (XSS)

Overview spoon/library is a PHP5 library used to build web applications. Affected versions of this package are vulnerable to Cross-site Scripting XSS via getAttributesHTML in library/spoon/form/attributes.php due to lack of sanitization. In an affected application, an attacker could insert XSS...

DEBIAN-CVE-2020-8227

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory...

CVE-2020-16279

The Kommbox component in Rangee GmbH RangeeOS 8.0.4 is vulnerable to Remote Code Execution due to untrusted user supplied input being passed to the command line without sanitization...

Directory Traversal

Overview marscode is a web editor created with monaco-editor, jquery file tree and nodejs file tree to read, write, edit, delete CRUD files. Affected versions of this package are vulnerable to Directory Traversal. There is no path sanitization in the path provided at fs.readFile in index.js. PoC ...

CVE-2019-7552

An issue was discovered in PHP Scripts Mall Investment MLM Software 2.0.2. Stored XSS was found in the the My Profile Section. This is due to lack of sanitization in the Edit Name section...

CVE-2018-16480

A XSS vulnerability was found in module public 0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering...

business-central: Multiple stored XSS in task and process filters

JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly...

UBUNTU-CVE-2009-4490

minihttpd 1.19 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator...

Cross site scripting

Cross-site scripting XSS vulnerability in Softcomplex PHP Event Calendar 1.5 allows remote authenticated users to inject arbitrary web script or HTML, and corrupt data, via the 1 username and 2 password parameters, which are not sanitized before being written to users.php. NOTE: while this issue...