Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-31508: Research/ReflectedXSS_1.7.7.4.md at main · mustgundogdu/Research

A cross-site scripting (XSS) vulnerability in PrestaShop v1.7.7.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter in /contactform/contactform.php.

CVE
Open in Source
#xss#vulnerability#web#php
CVE-2023-29791: kodbox xss - JunBlog

kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.

GHSA-w766-3572-f2hv: Pimcore Cross-site Scripting (XSS) vulnerability in Admin Translations

### Impact Execute Javascript code on victim browsers and potentially steal cookies to takeover their account. ### Patches Update to version 10.5.21 or apply this patches manually https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch ### References https://huntr.dev/bounties/e1001870-b8d8-4921-8b9c-bbdfb1a1491e/

GHSA-6gf5-c898-7rxp: Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

### Impact HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. ### Patches This has been patched in XWiki 14.6 RC1. ### Workarounds There are no known workarounds apart from upgrading to a fixed version. ### References * https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 * https://jira.xwiki.org/browse/XRENDERING-663 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

GHSA-mhpj-7m7h-8p6x: Pimcore Cross-site Scripting (XSS) in Static Routes name field

### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch ### References https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801/

CVE-2023-30394: GitHub - ros-planning/moveit: The MoveIt motion planning framework

Progress Ipswitch MoveIT 1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

CVE-2023-30394: | The MoveIt® Companies

MoveIT v1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

CVE-2023-29031: ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-25309: Rollout::UI 0.5 Cross Site Scripting ≈ Packet Storm

Cross Site Scripting (XSS) Vulnerability in Fetlife rollout-ui version 0.5, allows attackers to execute arbitrary code via a crafted url to the delete a feature functionality.

HouseKit 1.0 Cross Site Scripting

HouseKit version 1.0 suffers from a cross site scripting vulnerability.