PT-2023-27085 · Unknown · Free/Open Source Inventory Management System

Name of the Vulnerable Software and Affected Versions: Free and Open Source Inventory Management System version 1.0 Description: The issue allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name, Address, and Company parameters under the "Add New...

General Solutions Steiner GmbH CASE 3 Taskmanagement Cross-Site Scripting Vulnerability

General Solutions Steiner CASE 3 Taskmanagement is an application from General Solutions Steiner Austria. A security vulnerability exists in General Solutions Steiner GmbH CASE 3 Taskmanagement version V3.3. An attacker can exploit this vulnerability to execute arbitrary web script or HTML via a...

General Solutions Steiner GmbH CASE 3 Taskmanagement Cross-Site Scripting Vulnerability

General Solutions Steiner CASE 3 Taskmanagement is an application from General Solutions Steiner Austria. A security vulnerability exists in General Solutions Steiner GmbH CASE 3 Taskmanagement version V3.3. An attacker can exploit this vulnerability to execute arbitrary web script or HTML via a...

JVN#60140221: Multiple vulnerabilities in i-PRO VI Web Client

VI Web Client provided by i-PRO Co., Ltd. is Video Insight’s video management software. VI Web Client contains multiple vulnerabilities listed below. Open Redirect CWE-601 - CVE-2023-38574 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N| Base Score: 4.7...

CVE-2023-39578

A stored cross-site scripting XSS vulnerability in the Create function of Zenario CMS v9.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu navigation text field...

Tenda AC23 输入验证错误漏洞

Tenda AC23 is a home dual-band wireless router launched by Tenda, focusing on large home coverage and high-speed transmission, supporting 802.11acWave2 technology, dual-band concurrent rate up to 2033Mbps. The Tenda AC23 suffers from a stack buffer overflow vulnerability that stems from the...

CVE-2023-39543

Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.3M MySQL version and LuxCal Web Calendar prior to 5.2.3L SQLite version allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product...

LuxSoft LuxCal Web Calendar 跨站脚本漏洞

LuxSoft LuxCal Web Calendar is a free user-friendly lightweight web-based event calendar from LuxSoft Switzerland. A security vulnerability exists in LuxSoft LuxCal Web Calendar that stems from the presence of a cross-site scripting XSS vulnerability. An attacker can exploit the vulnerability to...

Jenkins plugins Multiple Vulnerabilities (2023-08-16)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - High Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request...

CVE-2023-37914 Privilege escalation (PR)/RCE from account through Invitation subject/message

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to...

CVE-2023-32748

The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 22.24.1500.0 could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control...

PT-2023-7523 · Aleos · Aleos

Name of the Vulnerable Software and Affected Versions: ALEOS versions 4.16 and earlier Description: The issue is related to the ACEManager component of the ALEOS operating system, which does not validate uploaded file names and types. This could potentially allow an authenticated user to perform...

CVE-2023-37625

CVE-2023-37625 describes a stored cross-site scripting (XSS) vulnerability in NetBox v3.4.7, exploitable via a crafted payload injected into the Custom Link templates. The available sources (NVD/OSV, etc.) consistently identify the affected software as NetBox 3.4.7 and the vulnerability as stored...

CVE-2023-3978

A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security...

Cisco BroadWorks CommPilot Cross-Site Scripting Vulnerability

Cisco BroadWorks CommPilot is a carrier-grade unified communications software platform optimized for performance and scale from Cisco, U.S.A. BroadWorks is hosted by service providers and enables the deployment of cloud calls from a common network platform on any type of wired or wireless network...

CVE-2023-26449

The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker...

CVE-2023-26450

The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker...

CVE-2023-26446

The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker woul...

CVE-2023-26445

Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and...

CVE-2023-26447

The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering...