38 matches found
Design/Logic Flaw
This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for the BinaryFormatt...
Cross site scripting
openBaraza HCM 3.1.6 does not properly neutralize user-controllable input, which allows reflected cross-site scripting XSS on multiple pages: hr/subscription.jsp and hr/application.jsp and and hr/index.jsp with view= and data=...
CVE-2021-27658 exacqVision Enterprise Manager CSS
exacqVision Enterprise Manager 20.12 does not sufficiently validate, filter, escape, and/or encode user-controllable input before it is placed in output that is used as a web page that is served to other users...
CVE-2020-28502
An arbitrary code injection vulnerability was found in nodejs-xmlhttprequest. For this vulnerability to occur, the connection must be initialized during the function call XMLHttpRequest.open to send requests synchronously using the parameter async=False. If the subsequent calls to xhr.send...
Design/Logic Flaw
Philips Clinical Collaboration Platform, Versions 12.2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a webpage that is served to other users...
CVE-2020-16218
In Patient Information Center iX PICiX Versions B.02, C.02, C.03, the software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is then used as a webpage and served to other users. Successful exploitation could lead to unauthorized access t...
CVE-2020-14492
OpenClinic GA is affected by CVE-2020-14492 (XSS) in versions 5.09.02 and 5.89.05b. The root cause is improper neutralization of user-controllable input in web page generation, enabling execution of malicious code in the user’s browser. The ICS/CISA advisory confirms multiple vulnerabilities in t...
Cross site scripting
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user accou...
CVE-2019-9509 The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected cross site scripting
The web interface of the Vertiv Avocent UMG-4000 version 4.2.1.19 is vulnerable to reflected XSS in an HTTP POST parameter. The web application does not neutralize user-controllable input before displaying to users in a web page, which could allow a remote attacker authenticated with a user accou...
CVE-2018-8846
Philips e-Alert Unit non-medical device, Version R2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is then served to other users...
CVE-2018-8846
Philips e-Alert Unit non-medical device, Version R2.1 and prior. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is then served to other users...
Custom Permalinks <= 1.1 - Cross-Site Scripting (XSS)
User controllable input in the admin page of Custom Permalinks gets output without any escaping. PoC URL/wp-admin/admin.php?page=custom-permalinks-post-permalinks=...
Spoofing
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information...
CVE-2017-0888
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information...
Cross site scripting
An issue was discovered in Adcon Telemetry A850 Telemetry Gateway Base Station. The Web Interface does not neutralize or incorrectly neutralizes user-controllable input before it is placed in the output; this could allow for cross-site scripting...
Content-Spoofing in "files" app (NC-SA-2017-006)
The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information...
Content-Spoofing in "dav" app - ownCloud
The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. Affected Software ownCloud Server 9.1.2 CVE-2016-???? core/96b8afe48570bc70088ccd8f897e9d71997d336e ownCloud Server 9.0.6 CVE-2016-????...
Server: Content-Spoofing in "dav" app
The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...