Tag
#xss
Farmacia Gama version 1.0 suffers from an insecure direct object reference vulnerability.
Employee Management System version 1.0 suffers from an ignored default credential vulnerability.
Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks. The elevated access could then be weaponized to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even get correctly signed X.509 VPN certificates for foreign
The [proxy endpoint](https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/backend/rest/ProxyResource.java#L83) of openHAB's CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy-feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to exploit call endpoints on an openHAB server even if the openHAB server is located in a private network. (e.g. by sending an openHAB...
E-Commerce Site using PHP PDO version 1.0 suffers from a cross site scripting vulnerability.
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code.
Journyx version 11.5.4 suffers from a cross site scripting vulnerability due to mishandling of the error_description during an active directory login flow.
Debian Linux Security Advisory 5743-1 - Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail.
Open WebUI version 0.1.105 suffers from a persistent cross site scripting vulnerability.
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.