Aruba ClearPass Policy Manager 跨站脚本漏洞

Aruba ClearPass Policy Manager is an application of Aruba, Inc. that provides a secure access management system for wireless networks. cross-site scripting is present in Aruba ClearPass Policy Manager versions 6.10.4 and earlier, 6.9.9 and earlier, and 6.8.9-HF2 and earlier. vulnerability. An...

PT-2022-15664 · Tibco · Tibco Jasperreports Server +5

Name of the Vulnerable Software and Affected Versions: TIBCO JasperReports Server versions 8.0.1 and below TIBCO JasperReports Server - Community Edition versions 8.0.1 and below TIBCO JasperReports Server - Developer Edition versions 8.0.0 and below TIBCO JasperReports Server for AWS Marketplace...

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

This blog post was authored by Hossein Jazi and Jérôme Segura Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information. Although all countries have reasons to be...

Cross-site Scripting (XSS)

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the managefiltereditpage.php. An attacker can inject arbitrary code by crafting a malicious project name. This is only exploitable if the attacker has access rights...

Cross-site Scripting (XSS)

Overview modx/revolution is a Content Management System. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the parseCustomData function in the update.class.php file. An attacker can execute arbitrary scripts in the context of a user's browser by injecting malicious...

GHSA-372Q-33VH-8MPC Inconsistent documentation in Apache Tomcat

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a...

Jenkins Groovy Plugin sandbox bypass vulnerability

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with...

Ubuntu 18.04 LTS / 20.04 LTS : Firefox vulnerabilities (USN-5411-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5411-1 advisory. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could...

python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can...

python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can...

python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through

There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and Javascript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can...

CVE-2022-27308

A stored cross-site scripting XSS vulnerability in PHProjekt PhpSimplyGest v1.3.0 allows attackers to execute arbitrary web scripts or HTML via a project title...

Debian DSA-5129-1 : firefox-esr - security update

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5129 advisory. Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information...

CVE-2022-29911

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird 91.9, Firefox ESR 91.9, and Firefox 100...

UBUNTU-CVE-2022-29911

An improper implementation of the new iframe sandbox keyword allow-top-navigation-by-user-activation could lead to script execution without allow-scripts being present. This vulnerability affects Thunderbird 91.9, Firefox ESR 91.9, and Firefox 100...

CVE-2022-27330

CVE-2022-27330 describes a cross-site scripting (XSS) vulnerability in the E-Commerce Website v1.0, exploitable through a crafted payload injected into the Product Title field when using the admin URL /public/admin/index.php?add_product. The vulnerability allows execution of arbitrary web scripts...

Security Vulnerabilities fixed in Thunderbird 91.9 — Mozilla

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A...

Authentication flaw

Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable...

Xtend 跨站脚本漏洞

Xtend is a general-purpose high-level programming language for the Eclipse Foundation's Java Virtual Machine. Xtend Voice Logger version 1.0 has a security vulnerability that stems from a cross-site scripting vulnerability in the error page. An attacker can use the vulnerability to execute...

ManageEngine ADSelfService Plus Custom Script Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'ManageEngine ADSelfService Plus Custom Script Execution', 'Description' = %q This module exploits the "custom script" feature of ADSelfService...