Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS by sending a crafted payload to the /info endpoint via the lgslquery40 function. Details Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious script into an...

JetBrains TeamCity Image Name Cross-Site Scripting Vulnerability

JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides continuous unit testing, code quality analysis and build problem analysis reports and other features. A cross-site scripting vulnerability exists in...

Discourse cross-site scripting vulnerability (CNVD-2024-4963986)

Discourse is Discourse open source set of open source community discussion platform. The platform includes features such as community , e-mail and chat rooms . Discourse suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of...

Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Apache Tomcat

CVE-2024-50379 CVE-2024-50379 exploitation The CVE-2024-50...

CVE-2024-56314

A stored cross-site scripting XSS vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the...

CVE-2024-56312

A stored cross-site scripting XSS vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially...

Liferay Portal and Liferay DXP vulnerable to Cross-site Scripting

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch nam...

CVE-2024-11993

CVE-2024-11993 is a reflected cross-site scripting (XSS) vulnerability affecting Liferay Portal 7.4.0–7.4.3.38 and Liferay DXP 7.4 GA through update 38, exploitable via the Dispatch name field. The connected documents consistently describe an XSS flaw resulting from improper handling of user inpu...

CVE-2024-11993

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field...

CVE-2024-11993

Reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via Dispatch name field...

CVE-2024-55864

Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing...

CVE-2024-55864

Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing...

CVE-2024-55864

CVE-2024-55864 is a Cross-Site Scripting vulnerability in My WP Customize Admin/Frontend. Affected versions are before 1.24.1 (WordPress plugin). The issue could allow an authenticated attacker to inject arbitrary JavaScript that runs in other users’ browsers (CVSS 3.0 base 4.8, MEDIUM). Red Hat/...

CVE-2024-12089

A stored Cross-site Scripting XSS vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session...

CVE-2024-12091

A stored Cross-site Scripting (XSS) vulnerability affects Dassault Systèmes ENOVIA Collaborative Industry Innovator (3DEXPERIENCE) versions R2022x through R2024x. The issue arises from unsanitized/stored input allowing an attacker to execute arbitrary script in a user’s browser session. Affected ...

Online Nurse Hiring System 安全漏洞

PHPGurukul Online Nurse Hiring System is an online nurse hiring system from PHPGurukul. A security vulnerability exists in Online Nurse Hiring System version v1.0. An attacker can exploit this vulnerability to execute arbitrary web script or HTML by injecting a specially crafted payload into the...

CVE-2024-37776

A cross-site scripting XSS vulnerability in Sunbird DCIM dcTrack v9.1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in some admin screens...

Dassault Systèmes ENOVIA Collaborative Industry Innovator 安全漏洞

Dassault Systèmes ENOVIA Collaborative Industry Innovator is an essential toolset for real-time, secure and structured collaboration and product content management for an engineering team at Dassault Systèmes France. A security vulnerability exists in Dassault Systèmes ENOVIA Collaborative Indust...

SUSE CVE-2024-52309

SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server - S3, Google Cloud Storage, Azure Blob. One powerful feature of SFTPGo is the ability to have the EventManager execute scripts or run applications in response to certain events. This feature is very common in...

pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion

Summary pnpm seems to mishandle overrides and global cache: 1. Overrides from one workspace leak into npm metadata saved in global cache 2. npm metadata from global cache affects other workspaces 3. installs by default don't revalidate the data including on first lockfile generation This can make...