MAL-2025-61 Malicious code in express-v4 (npm)

This package runs commands in a pre-install script that exfils sensitive data to a attacker-controlled domain. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 67ebd6ae141b2ad735a5d06a361820acbdba7b725729e8fa795cf1be86282e30 Any computer that has this package install...

LightPicture 代码注入漏洞

LightPicture is an enterprise/team/personal image resource management system, picture bed system. LightPicture cross-site scripting vulnerability , the vulnerability stems from the file/api/upload parameter file on the user-supplied data lack of effective filtering and escaping , an attacker can...

CVE-2024-56321

GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 inclusive can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. I...

CVE-2024-56321

CVE-2024-56321 (GoCD) affects GoCD 18.9.0–24.4.0. The issue allows admins to abuse the backup configuration “post-backup script” to run arbitrary scripts on the hosting server/container as the GoCD user. In practice, impact is limited since an admin typically has host permissions, but in restrict...

CVE-2024-56321 GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access

GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 inclusive can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. I...

CVE-2024-56321 GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access

GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 inclusive can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. I...

GoCD 安全漏洞

GoCD is a continuous delivery server from GoCD Open Source. A security vulnerability exists in GoCD versions 18.9.0 through 24.4.0, which stems from a vulnerability that allows misuse of the backup configuration feature, which could potentially allow execution of arbitrary scripts on managed...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS by sending a crafted payload to the /info endpoint via the lgslquery40 function. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious script into an...

JetBrains TeamCity Image Name Cross-Site Scripting Vulnerability

JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides continuous unit testing, code quality analysis and build problem analysis reports and other features. A cross-site scripting vulnerability exists in...

Discourse cross-site scripting vulnerability (CNVD-2024-4963986)

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of...

Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat

CVE-2024-50379 CVE-2024-50379 exploitation The CVE-2024-50...

CVE-2024-56314

A stored cross-site scripting XSS vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the...

CVE-2024-56312

A stored cross-site scripting XSS vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially...

Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch nam...

CVE-2024-11993

CVE-2024-11993 is a reflected cross-site scripting (XSS) vulnerability affecting Liferay Portal 7.4.0–7.4.3.38 and Liferay DXP 7.4 GA through update 38, exploitable via the Dispatch name field. The connected documents consistently describe an XSS flaw resulting from improper handling of user inpu...

CVE-2024-11993

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field...

CVE-2024-11993

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field...

CVE-2024-55864

Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing...

CVE-2024-55864

CVE-2024-55864 is a Cross-Site Scripting vulnerability in My WP Customize Admin/Frontend. Affected versions are before 1.24.1 (WordPress plugin). The issue could allow an authenticated attacker to inject arbitrary JavaScript that runs in other users’ browsers (CVSS 3.0 base 4.8, MEDIUM). Red Hat/...

CVE-2024-55864

Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing...