52 matches found
CVE-2023-30959
In Apollo change requests, comments added by users could contain a javascript URI link that when rendered will result in an XSS that require user interaction...
PT-2023-23087 · Apollo · Apollo
Name of the Vulnerable Software and Affected Versions: Apollo affected versions not specified Description: The issue allows comments added by users in Apollo change requests to contain a javascript URI link. When rendered, this link can result in a cross-site scripting XSS attack that requires us...
GHSA-622W-995C-3C3H Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
Impact A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment. Patches The vulnerability...
Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
Impact A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment. Patches The vulnerability...
CVE-2023-29015 Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting ...
CVE-2023-29015 Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core prior to version 23.03. An attacker could create a specially crafted comment, resulting ...
Intranda Goobi Viewer Core 跨站脚本漏洞
Intranda Goobi Viewer Core is a Web-based digital library system from Intranda, Germany. A cross-site scripting vulnerability exists in Intranda Goobi Viewer Core prior to version 23.03, which stems from a cross-site scripting XSS vulnerability in the user comments feature. The vulnerability can ...
Arbitrary Code Injection
publifycore is vulnerable to arbitrary code injection. The vulnerability exists in htmlpostprocess in feedback.rb because the application doesn't filter the user comments which allows an attacker to inject html codes in the database...
GitLab Enterprise Edition和GitLab Community Edition 资源管理错误漏洞
GitLab Enterprise Edition is a content management system, and GitLab Community Edition is a community edition of GitLab from GitLab, Inc. A resource management error vulnerability exists in GitLab Enterprise Edition and GitLab Community Edition, which arises from user-supplied input in user...
Improper Access Control in liangliangyy/djangoblog
Description "formvalid" function in comments/views.py file performs the task of saving user comments. However, this function doesn't check the status of article, so users can leave comments on draft article or public article with commentstatus is off. Proof of Concept - Step 1: Login as admin in...
Incorrect Notifications
wagtail is sending notifications incorrectly. All users who left a comment or reply somewhere on the site are getting the notifications for a new replies in comment threads replied or commented on pages by another user because it fails to restrict notifications for new replies to the participants...
Basecamp: Privilege Escalation leads to trash other users comment without having admin rights.
Privilege Escalation leads to trash other users comment without having admin rights...
Cross-site scripting in phpoffice/phpspreadsheet
This affects the package phpoffice/phpspreadsheet. The library is vulnerable to XSS when creating an html output from an excel file by adding a comment on any cell. The root cause of this issue is within the HTML writer where user comments are concatenated as part of link and this is returned as...
GHSA-PVGF-MRR4-CW7R Cross-Site Request Forgery in ForkCMS
Multiple cross-site request forgery CSRF vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to 1 approve the mass of the user's comments, 2 restoring a deleted user, 3 installing or running modules, 4 resetting the...
Automattic: Stored XSS on the "www.intensedebate.com/extras-widgets" url at "Recent comments by" module with malicious blog url
Summary: Hello team. I have found a place where filtration/encoding for special symbols used in blog/site url is not set which leads to Stored XSS on the user page who posted a comment on malicious blog/site. Platforms Affected: Affected page www.intensedebate.com/extras-widgets block "Recent...
CVE-2020-23960
Multiple cross-site request forgery CSRF vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to 1 approve the mass of the user's comments, 2 restoring a deleted user, 3 installing or running modules, 4 resetting the...
Cross site request forgery (csrf)
Multiple cross-site request forgery CSRF vulnerabilities in the Admin Console in Fork before 5.8.3 allows remote attackers to perform unauthorized actions as administrator to 1 approve the mass of the user's comments, 2 restoring a deleted user, 3 installing or running modules, 4 resetting the...
XSS Vulnerability in anyoucms Frontend User Messages
anyoucms is a website building system. An XSS vulnerability exists in anyoucms front-end user comments, which can be exploited by attackers to execute script code...
Buffer Overflow Vulnerability in Multiple Fuji Electric Products
Fuji Electric FRENIC Loader, etc. are inverters from Fuji Electric Japan. A stack buffer overflow vulnerability exists in multiple Fuji Electric products, which stems from the program failing to properly detect user-submitted comments. A remote attacker could exploit the vulnerability to execute...
Official Cardi B website plagued by spammers
We come bearing tidings of proper website maintenance and general housekeeping for singer Cardi B or rather, for her web development team. At first glance, it appeared as though her website had been hacked a few days ago. But a look under the hood told a different story. We were surprised to see...