19 matches found
CVE-2025-6024 Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...
CVE-2025-6024
CVE-2025-6024 affects multiple WSO2 products, where the authentication endpoint fails to encode user-supplied input before rendering, enabling a Cross-Site Scripting (XSS) vector in the authentication flow. The vulnerability arises from improper input encoding at the end-user page, allowing an at...
PT-2026-33305
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...
EUVD-2026-19390
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, Tandoor Recipes allows authenticated users to inject arbitrary tags into recipe step instructions. The bleach.clean sanitizer explicitly whitelists the tag, causing the backend to...
PT-2026-7638
A stored HTML injection vulnerability in the Recipe Notes rendering component in Mealie 3.3.1 allows remote authenticated users to inject arbitrary HTML, resulting in user interface redressing within the recipe view...
Moodle Cross-site Scripting (XSS) vulnerability
A flaw was found in Moodle. This Cross-site Scripting XSS vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface...
CVE-2025-67849
A flaw was found in Moodle. This cross-site scripting XSS vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface...
EUVD-2025-206737
A flaw was found in Moodle. This cross-site scripting XSS vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface...
CVE-2025-67849 Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses
A flaw was found in Moodle. This cross-site scripting XSS vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface...
CVE-2025-55287
Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting XSS vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI...
CVE-2025-55288
Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Reflected Cross-Site Scripting XSS vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and U...
CVE-2025-55287 Genealogy has a stored XSS vulnerability
Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting XSS vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI...
CVE-2025-55287 Genealogy has a stored XSS vulnerability
Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting XSS vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI...
PT-2025-33675 · Genealogy · Genealogy
Name of the Vulnerable Software and Affected Versions: Genealogy versions prior to 4.4.0 Description: Genealogy is a family tree PHP application susceptible to an authenticated reflected cross-site scripting XSS issue. An attacker with valid credentials can execute arbitrary JavaScript code withi...
PT-2025-33674 · Genealogy · Genealogy
Name of the Vulnerable Software and Affected Versions: Genealogy versions prior to 4.4.0 Description: Genealogy is a family tree PHP application susceptible to an authenticated stored cross-site scripting XSS issue. Attackers with valid credentials can execute arbitrary JavaScript code within...
CVE-2024-58129
In MISP before 2.4.193, menucustomrightlinkhtml parameters can be set via the UI i.e., without using the CLI and thus attackers with admin privileges can conduct XSS attacks against every page...
New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites
Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo...
PT-2023-31945 · Gitlab · Gitlab
Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 16.4.3 GitLab versions 16.5 through 16.5.3 GitLab versions 16.6 through 16.6.1 Description: An issue has been discovered in GitLab that allows a malicious actor to bypass prohibited branch checks using a specially...
KLA10736 Spoofing vulnerability in Microsoft Exchange Server
Improper web requests handling was found in Microsoft Exchange Server at Outlook Web Access. By exploiting this vulnerability malicious users can spoof user interface. This vulnerability can be exploited remotely via a specially designed email with malicious link. Original advisories CVE-2016-003...