Security Headlines: Latest CVEs tagged #java

CVE-2023-30321: ChatEngine/src/chatbotapp/LoginServlet.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

A Cross Site Scripting (XSS) vulnerability in the textMessage field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e allows attackers to execute arbitrary code.

Category: CVE. Tags: #sql #xss #vulnerability #web #apache #js #java #auth
CVE-2023-30319: Cross Site Scripting (XSS) in username field in ChatEngine 1.0 - Payatu

A Cross Site Scripting (XSS) vulnerability in the username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e allows attackers to execute arbitrary code.

GHSA-gm68-572p-q28r: @vendure/admin-ui-plugin authenticated Cross-site Scripting vulnerability

### Impact

Vendure provides an authorization system with different levels of privileges. For example, an administrator cannot create another administrator. In the admin UI, there are a couple of places with description inputs, such as the inventory/collection catalog, shipping methods, promotions, and more. While the WYSIWYG editor allows only limited customization, altering the request data (outside the UI) saves and returns arbitrary HTML with no sanitization, causing an XSS when the page is viewed.

The impact of this XSS is privilege escalation. A user that can write any type of description can trigger the attack. Any other user that visits the vulnerable page is then prone to arbitrary JavaScript code execution, giving the attacker the ability to execute actions on behalf of this user.

### Patches

In progress.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### References

_Are there any links users can visit to find out more?_

CVE-2023-24497: TALOS-2023-1704 || Cisco Talos Intelligence Group

Cross-site scripting (XSS) vulnerabilities exist in the requestHandlers.js detail_device functionality of Milesight VPN v2.0.2. A specially-crafted HTTP request can lead to arbitrary JavaScript code injection. An attacker can send an HTTP request to trigger these vulnerabilities. This XSS is exploited through the remote_subnet field of the database.

CVE-2023-30325: ChatEngine/src/chatbotapp/chatWindow.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

An SQL Injection vulnerability in the textMessage parameter in /src/chatbotapp/chatWindow.java in wliang6 ChatEngine v.1.0 allows attackers to gain sensitive information.

CVE-2023-30323: ChatEngine/src/chatbotapp/chatWindow.java at fded8e710ad59f816867ad47d7fc4862f6502f3e · wliang6/ChatEngine

An SQL Injection vulnerability in the username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0 allows attackers to gain sensitive information.

CVE-2023-30322: Cross Site Scripting (XSS) in username field in chatWindow functionality in ChatEngine 1.0 - Payatu

A Cross Site Scripting (XSS) vulnerability in the username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0 allows attackers to execute arbitrary code.

CVE-2023-37134: EyouCMS V1.6.3 "Basic Information" module has a storage cross-site vulnerability · Issue #47 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in the Basic Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-37132: Stored XSS exists in version 1.6.3, which can lead to stealing sensitive information of logged-in users · Issue #45 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in the custom variables module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-37136: EyouCMS V1.6.3 "Basic Website Information" module has cross-site storage vulnerability · Issue #49 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in the Basic Website Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.