Lucene search

4 matches found

Cvelist
added 2025/02/28 12:33 p.m., 14 views

CVE-2025-22272 Self Reflected XSS in CyberArk Endpoint Privilege Manager

In the "/EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg" endpoint, it is possible to inject code in the "modalDlgMsgInternal" parameter via POST, which is then executed in the browser. The risk of exploiting vulnerability is reduced due to the required additional bypassing the...

CVSS 2.1, EPSS 0.00179
Exploits: 0, References: 3

CVE
added 2025/02/28 12:33 p.m., 72 views

CVE-2025-22272

CVE-2025-22272 affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. In the /EPMUI/ModalDlgHandler.ashx?value=showReadonlyDlg endpoint, the POST parameter modalDlgMsgInternal can be used to inject code that is executed in the browser; exploitation risk is mitigated by the need to by...

CVSS 2.1, AI score 6.7, EPSS 0.00179
Exploits: 0, References: 3

OSV
added 2023/06/14 10:28 p.m., 12 views

CVE-2023-34452 Grav vulnerable to Self Cross Site Scripting in /forgot_password

Grav is a flat-file content management system. In versions 1.7.42 and prior, the "/forgotpassword" page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the "email" parameter of the request. While this vulnerability can potentially allow an...

CVSS 5.4, AI score 6.4, EPSS 0.00835
Exploits: 1, References: 3

wpexploit
added 2020/12/12 12:0 a.m., 76 views

Directories Pro < 1.3.46 - Authenticated Self-Reflected Cross-Site Scripting

The plugin did not sanitise the column names when importing a malicious CSV file, allowing for HTML or JavaScript injection. Import a CSV file containing the following in the header: 'term" autofocus onfocus=alert'Complex\u0020XSS';alertdocument.cookie;//'"...

CVSS 4.3, AI score 6.5, EPSS 0.01235
Exploits: 3, References: 1