795 matches found
CVE-2023-40122
In applyCustomDescription of SaveUi.java, there is a possible way to view other user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...
Cross site request forgery (csrf)
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message...
CVE-2024-23319 CSRF issue allows disconnecting a user's Jira connection through a simple post message (Jira Plugin)
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message...
CVE-2024-24570 Statamic account takeover via XSS and password reset link
Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel...
Information disclosure
This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to view a user's phone number in system logs...
CVE-2024-0606
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS 122...
CVE-2024-0606
An attacker could execute unauthorized script on a legitimate site through UXSS using window.open by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. This vulnerability affects Focus for iOS 122...
Duplicate Advisory: Cross-site scripting vulnerability in TinyMCE plugins
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5h9g-x5rv-25wg. This link is maintained to preserve external references. Original Description TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated...
CVE-2024-21908
TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser...
CVE-2024-21910
Removed by vendor...
CVE-2023-51663 Hail authentication can be bypassed by changing email address
Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect OIDC email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change...
Adobe Illustrator Resource Management Error Vulnerability (CNVD-2024-12467)
Adobe Illustrator is a set of vector-based image creation software from the American company Audobee Adobe. A security vulnerability exists in Adobe Illustrator that can be exploited by an attacker to cause arbitrary code to be executed in the current user's context...
CVE-2023-45774
In fixUpIncomingShortcutInfo of ShortcutService.java, there is a possible way to view another user's image due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
Cross site scripting
dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary...
Design/Logic Flaw
In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser...
GHSA-HXJC-9J8V-V9PR Duplicate Advisory: CKEditor Cross-site Scripting vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wh5w-82f3-wrxh. This link is maintained to preserve external references. Original Description A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An...
CVE-2023-4771
A Cross-Site scripting vulnerability has been found in CKSource CKEditor affecting versions 4.15.1 and earlier. An attacker could send malicious javascript code through the /ckeditor/samples/old/ajax.html file and retrieve an authorized user's information...
CVE-2023-5985
A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user’s browser when an attacker with admin privileges has modified system values...
CVE-2023-6098
An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obddact parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application...
Cross site scripting
An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obddact parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application...