Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-42629: CVE-2023-42629 Stored XSS vulnerability with vocabulary description - Liferay

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.

CVE
Open in Source
#xss#vulnerability#web
CVE-2023-44309: CVE-2023-44309 XSS with fragment components - Liferay

Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.

CVE-2023-24385: WordPress Media Library Assistant plugin <= 3.11 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in David Lingren Media Library Assistant plugin <= 3.11 versions.

CVE-2023-42497: CVE-2023-42497 XSS with `redirect` in export translation - Liferay

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.

CVE-2023-45386: [CVE-2023-45386] Improper neutralization of SQL parameter in MyPresta.eu - Product Extra Tabs Pro for PrestaShop

In the module extratabspro before version 2.2.8 from MyPresta.eu for PrestaShop, a guest can perform SQL injection via `extratabspro::searchcategory()`, `extratabspro::searchproduct()` and `extratabspro::searchmanufacturer().'

CVE-2023-45375: [CVE-2023-45375] Improper neutralization of SQL parameter in 01generator.com - PireosPay module for PrestaShop

In the module "PireosPay" (pireospay) before version 1.7.10 from 01generator.com for PrestaShop, a guest can perform SQL injection via `PireosPayValidationModuleFrontController::postProcess().`

CVE-2023-45358: Archer Update for Multiple Vulnerabilities

Archer Platform 6.x before 6.13 P2 HF2 (6.13.0.2.2) contains a stored cross-site scripting (XSS) vulnerability. A remote authenticated malicious Archer user could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.14 (6.14.0) is also a fixed release.

Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been assigned the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that have

CVE-2022-22377: Security Bulletin: IBM Security Verify Privilege On-Premise is affected by multiple security vulnerabilities

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 221827.

CVE-2023-4215

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.