Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server (CVE-2016-0283)

Summary There is a cross-site scripting vulnerability in WebSphere Application Server Liberty when using the OpenID Connect OIDC client. Vulnerability Details CVEID: CVE-2016-0283 DESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site scripting in the OIDC client web applicatio...

Security Bulletin: IBM WebSphere Lombardi Edition and IBM Business Process Manager (BPM) cross-site scripting vulnerability in error situations (CVE-2014-0957)

Summary When you invoke a service using a URL, user input can be returned in unhandled service failure situations. Vulnerability Details CVE ID: CVE-2014-0957 DESCRIPTION: IBM WebSphere Lombardi Edition and IBM Business Process Manager are vulnerable to cross-site scripting that is caused by the...

Chrome Extension "5000 trillion yen converter" vulnerable to cross-site scripting

Overview Chrome Extension "5000 trillion yen converter" provided by Owen contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the extension Update the extension according to the information provided by the...

Chrome Extension "5000 trillion yen converter" Cross-Site Scripting Vulnerability

Google Chrome is an iOS-based web browser developed by Google USA. A cross-site scripting vulnerability exists in Chrome Extension "5000 trillion yen converter", which can be exploited by an attacker to execute arbitrary scripts on a user's web browser...

Cross site scripting

The Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the...

CVE-2018-11690

The Balbooa Gridbox extension version 2.4.0 and previous versions for Joomla! is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the...

CVE-2018-11688

Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability via a crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site,...

CVE-2018-5175

A mechanism to bypass Content Security Policy CSP protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

Design/Logic Flaw

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This...

CVE-2018-5175

A mechanism to bypass Content Security Policy CSP protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

CVE-2018-5133

CVE-2018-5133 affects Firefox before 59, where a malicious local program can set the app.support.baseURL preference to HTML/script, which is not sanitized and can execute when loading chrome://browser/content/preferences/in-content/preferences.xul or when an EME CDM-disabled notification is shown...

Netis-WF2419 HTML Injection Vulnerability

Netis-WF2419 is a router product. The Netis-WF2419 suffers from an HTML injection vulnerability that stems from a program not properly validating user-supplied input. An attacker could use this vulnerability to run HTML and script code in the context of an affected website to steal cookie-based...

Cross site scripting

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters...

Mozilla Firefox Security Bypass Vulnerability (CNVD-2018-11922)

Mozilla Firefox is an open source web browser developed by the Mozilla Foundation in the United States. A security vulnerability exists in Mozilla Firefox versions prior to 60. A remote attacker could exploit the vulnerability to bypass content security policy protections used to restrict script...

Mozilla Firefox Design Vulnerability

Mozilla Firefox is an open source web browser developed by the Mozilla Foundation in the United States. A security vulnerability exists in the Live Bookmark page and PDF reader in versions of Mozilla Firefox prior to 60. A remote attacker can exploit this vulnerability by performing a social...

Design/Logic Flaw

Restify is a framework for building REST APIs. Restify =2.0.0 =4.0.4 using URL encoded script tags in a non-existent URL, an attacker can get script to run in some browsers...

CVE-2017-16018

Restify vulnerability CVE-2017-16018 affects the restify framework (versions 2.0.0 through 4.0.4). The issue is a Cross‑Site Scripting (XSS) vulnerability that occurs when URL encoded script tags are used in a non-existent URL, allowing an attacker to run script in some browsers. The practical im...

CVE-2018-11552

There is a reflected XSS vulnerability in AXON PBX 2.02 via the "AXON-Auto-Dialer-Agents-Name" field. The vulnerability exists due to insufficient filtration of user-supplied data. A remote attacker can execute arbitrary HTML and script code in a browser in the context of the vulnerable applicati...

Trihedral Engineering Limited VTScada ICSA-17-304-0 has multiple vulnerabilities

Trihedral VTScada formerly known as VTS is a SCADA system from Trihedral Engineering, Canada, based on a Windows platform with a Web interface option. Trihedral Engineering Limited VTScada has multiple vulnerabilities. An attacker could execute arbitrary script code in the affected application or...

Unspecified Cross-Site Scripting Vulnerability in SAP SAPUI5

SAP SAPUI5 is a UI technology that provides everything you need to build enterprise-class Web applications. SAP SAPUI5 suffers from an unspecified cross-site scripting vulnerability that stems from the program not properly validating user-supplied input. A remote attacker could use this...