Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-0357: GitHub - helpyio/helpy: Helpy is a modern, open source helpdesk customer support application. Features include knowledgebase, community discussions and support tickets integrated with email.

Helpy version 2.8.0 allows an unauthenticated remote attacker to exploit an XSS stored in the application. This is possible because the application does not correctly validate the attachments sent by customers in the ticket.

CVE
Open in Source
#xss#vulnerability#web#google#ubuntu#linux#js#git#java#aws#oauth#auth#ruby#postgres#docker#ssl
CVE-2023-0835: markdown-pdf 11.0.0 - Local File Read via Server Side XSS | Advisories | Fluid Attacks

markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user.

CVE-2023-0325: Uvdesk 1.1.1 - Stored Cross-Site Scripting | Advisories | Fluid Attacks

Uvdesk version 1.1.1 allows an unauthenticated remote attacker to exploit a stored XSS in the application. This is possible because the application does not correctly validate the message sent by the clients in the ticket.

CVE-2023-1840: Sp*tify Play Button for WordPress <= 2.07 - Authenticated (Administrator+) Stored Cross-Site Scripting — Wordfence Intelligence

The Sp*tify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.07 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-27089: ehuacui-bbs storage XSS · Issue #3 · ehuacui/ehuacui-bbs

Cross Site Scripting vulnerability found in Ehuacui BBS allows attackers to cause a denial of service via a crafted payload in the login parameter.

GHSA-f7rp-xx67-4pj9: Phachon mm-wiki vulnerable to stored cross-site scripting (XSS)

Phachon mm-wiki v.0.1.2 vulnerable to stored cross-site scripting (XSS). This could allow a remote attacker to execute arbitrary code via JavaScript code in the markdown editor. Any user browsing the document containing XSS malicious code will trigger the vulnerability.

GHSA-5p84-mmh9-pxgr: Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the `editor` parameter.

GHSA-w974-rq9x-mh3v: Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the `<iframe> src` parameter.

GHSA-4f25-2x2c-vg6v: pimcore is vulnerable to cross-site scripting in Composite indices key field

### Impact Pimcore is vulnerable to Cross site scripting vulnerability in classes module. ### Patches Update to version 10.5.20. ### Workarounds Apply the patch https://github.com/pimcore/pimcore/commit/765832f0dc5f6cfb296a82e089b701066f27bcef.patch manually.

CVE-2021-28235: etcd-3.4.10-test/temp4cj.png at master · lucyxss/etcd-3.4.10-test

Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function.