Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-35739: PRTG Network Monitor - Version History

PRTG Network Monitor through 22.2.77.2204 does not prevent custom input for a device’s icon, which can be modified to insert arbitrary content into the style tag for that device. When the device page loads, the arbitrary Cascading Style Sheets (CSS) data is inserted into the style tag, loading malicious content. Due to PRTG Network Monitor preventing “characters, and from modern browsers disabling JavaScript support in style tags, this vulnerability could not be escalated into a Cross-Site Scripting vulnerability.

CVE
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#google#microsoft#amazon#linux#cisco#apache#redis#js#git#java#oracle#intel#c++#rce#perl#xpath#samba#pdf#vmware#aws#lenovo#oauth#auth#ssh#dell#postgres#docker#chrome#firefox#ssl
CVE-2022-34870

Apache Geode versions up to 1.15.0 are vulnerable to a Cross-Site Scripting (XSS) via data injection when using Pulse web application to view Region entries.

CVE-2022-3392

The WP Humans.txt WordPress plugin through 1.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-3391

The Retain Live Chat WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-38198: ArcGIS Server Security 2022 Update 1 Patch

There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

CVE-2022-3350

The Contact Bank WordPress plugin through 3.0.30 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-35132: Webmin

Usermin through 1.850 allows a remote authenticated user to execute OS commands via command injection in a filename for the GPG module.

CVE-2022-38200

A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.

Cisco warns of ISE vulnerability with no fixed release or workaround

Categories: Exploits and vulnerabilities Categories: News Tags: Cisco Tags: Identity Services Engine Tags: AnyConnect VPN server Tags: CVE-2022-20822 Tags: CVE-2022-20959 Tags: CVE-2022-20933 Tags: input validation Cisco's latest security advisory includes a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an attacker to read and delete files. (Read more...) The post Cisco warns of ISE vulnerability with no fixed release or workaround appeared first on Malwarebytes Labs.

CVE-2022-36368: IPFire 2.27 - Core Update 170 released - The IPFire Blog

Multiple stored cross-site scripting vulnerabilities in the web user interface of IPFire versions prior to 2.27 allows a remote authenticated attacker with administrative privilege to inject an arbitrary script.