Lucene search
K

278 matches found

NVD
NVD
added 2022/11/30 2:15 p.m.32 views

CVE-2022-38803

Zkteco BioTime 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF...

6.8CVSS0.00626EPSS
Exploits1References2
Prion
Prion
added 2022/11/30 2:15 p.m.24 views

Improper access control

Zkteco BioTime 8.5.3 Build:20200816.447 is vulnerable to Incorrect Access Control via Leave, overtime, Manual log. An authenticated employee can read local files by exploiting XSS into a pdf generator when exporting data as a PDF...

3.5CVSS6.1AI score0.00626EPSS
Exploits1References2Affected Software1
wpexploit
wpexploit
added 2022/10/31 12:0 a.m.192 views

Popup Maker < 1.16.11 - Contributor+ Stored Cross Site Scripting

The plugin does not sanitise and escape some of its Popup options, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks, which could be used against admins Create a New popup Insert pop-up name, title, and body text. Add a new trigger with defau...

5.5CVSS0.2AI score0.00622EPSS
Exploits2
Positive Technologies
Positive Technologies
added 2022/08/29 12:0 a.m.5 views

PT-2022-23133 · Kirby · Kirby

Name of the Vulnerable Software and Affected Versions: Kirby versions 3.5 through 3.5.8.0 Description: Cross-site scripting XSS allows execution of JavaScript code inside the Panel session of the same or other users. A harmful script can trigger requests to Kirby's API with the permissions of the...

5.9CVSS5.5AI score0.00694EPSS
Exploits0References9
wpexploit
wpexploit
added 2022/08/23 12:0 a.m.511 views

Scroll To Top < 1.4.1 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "Text" settings of the plugin...

4.8CVSS0.3AI score0.005EPSS
Exploits2
wpexploit
wpexploit
added 2022/07/18 12:0 a.m.168 views

mTouch Quiz <= 3.1.3 - Admin+ Stored Cross Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in any of the delimiter...

4.8CVSS0.5AI score0.00493EPSS
Exploits2
wpexploit
wpexploit
added 2022/07/05 12:0 a.m.124 views

Invitation Based Registrations <= 2.2.84 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfilteredhtml capability is disallowed for example in multisite setup Put the following payload in the "After Register Redire...

4.8CVSS0.3AI score0.00511EPSS
Exploits2
wpexploit
wpexploit
added 2022/05/16 12:0 a.m.128 views

Video Slider - Slider Carousel < 1.4.8 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed Create/edit a video from a slider and put the following payload in the Description: , then save/update the vide...

4.8CVSS4.9AI score0.00565EPSS
Exploits2
Huntr
Huntr
added 2022/05/14 6:25 a.m.22 views

xss using .xsig file

Description xss using .xsig file Proof of Concept 1. Save this file as test.xsig file and upload it to http://localhost/ListAttachedFile 2. now view this file in chrome browser and see xss is executed...

7.1AI score
Exploits0
wpexploit
wpexploit
added 2022/05/10 12:0 a.m.128 views

Quotes llama < 1.0.0 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape Quotes, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed. The attack could also be performed by tricking an admin to import a malicious CSV file Create/edit a quote and put t...

4.8CVSS0.4AI score0.0064EPSS
Exploits2
wpexploit
wpexploit
added 2022/05/03 12:0 a.m.117 views

Enable SVG < 1.4.0 - Author+ Stored Cross Site Scripting via SVG

The plugin does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads As an author or above, upload the below SVG file via the Media library: alert/XSS/; The XSS will be triggered when accessing the file directly, e...

5.4CVSS5.3AI score0.00571EPSS
Exploits2
wpexploit
wpexploit
added 2022/04/11 12:0 a.m.188 views

Adrotate < 5.8.23 - Admin+ XSS via Advert Name

The plugin does not sanitise and escape Advert Names which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Create/edit an Advert and put the following payload in the Name field: " The XSS will be triggered when accessi...

4.8CVSS1.4AI score0.00577EPSS
Exploits2
wpexploit
wpexploit
added 2022/04/11 12:0 a.m.133 views

Fast Flow < 1.2.11 - Reflected Cross-Site Scripting

The plugin does not sanitise and escape the page parameter before outputting back in an attribute in an admin dashboard, leading to a Reflected Cross-Site Scripting ' document.form1.submit;...

6.1CVSS0.4AI score0.00876EPSS
Exploits2
Packet Storm
Packet Storm
added 2022/03/21 12:0 a.m.217 views

ICT Protege GX/WX 2.08 Cross Site Scripting

ICT Protege GX/WX 2.08 Authenticated Stored XSS Vulnerability Vendor: Integrated Control Technology Ltd. Product web page: https://www.ict.co Affected version: GX: Ver: 2.08.1002 K1B3 Lib: 04.00.217 Int: 2.3.235.J013 OS: 2.0.20 WX: Ver: 4.00 284 H062 App: 02.08.766 Lib: 04.00.169 Int: 02.2.208...

7.4AI score
Exploits0
wpexploit
wpexploit
added 2022/02/14 12:0 a.m.104 views

YOP Poll < 6.3.5 - Author+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of the settings available to users with a role as low as author before outputting them, leading to a Stored Cross-Site Scripting issue As author, put the following payload in the Settings Integration Use Google reCaptcha Yes Site Key: v v 6.3.5 - "...

5.4CVSS5.3AI score0.00595EPSS
Exploits2
wpexploit
wpexploit
added 2022/02/09 12:0 a.m.117 views

E2Pdf < 1.16.45 - Admin+ Stored Cross-Site Scripting (XSS)

The plugin does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Refer to https://mikadmin.fr/tech/XSS-Stored-E2Pdf-798ef69b0e13c36acf5446358d57c965Dx90666bNvCw98.pdf...

4.8CVSS1.8AI score0.01262EPSS
Exploits2References1
wpexploit
wpexploit
added 2022/02/02 12:0 a.m.139 views

Custom Content Shortcode < 4.0.2 - Authenticated Stored Cross-Site Scripting

The plugin does not escape custom fields before outputting them, which could allow Contributor+ v Preferences Panels and enable the Custom Fields, such as testxss with a value of alert/XSS/ Then add the following shortcode to the post field testxss and view/preview it to trigger the XSS...

0.1AI score0.00595EPSS
Exploits2
Exploit DB
Exploit DB
added 2022/02/02 12:0 a.m.277 views

uBidAuction v2.0.1 - &#039;Multiple&#039; Cross Site Scripting (XSS)

Exploit Title: uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting XSS Exploit Author: Vulnerability-Lab Date: 21/01/2022 Document Title: =============== uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities References Source: ====================...

7.4AI score
Exploits0
wpexploit
wpexploit
added 2022/01/12 12:0 a.m.49 views

Mitsol Social Post Feed <= 1.10 - Admin+ Stored Cross-Site Scripting

The plugin does not escape some of its settings before outputting them back in attributes, which could allow high privilege users such as admin to perform cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed Put the following payload in the Access Token User access...

0.5AI score
Exploits0References1
wpexploit
wpexploit
added 2022/01/03 12:0 a.m.513 views

NextScripts: Social Networks Auto-Poster < 4.3.24 - Unauthenticated Stored XSS

The plugin does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue curl -H 'x-tomato: alert/XSS/;' 'https://example.com/?nxs-cronrun=yes' The XSS will be triggered in the Log/History...

6.1CVSS1.2AI score0.01334EPSS
Exploits2References1
Rows per page
Query Builder