Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-30319: Cross Site Scripting (XSS) in username field in ChatEngine 1.0 - Payatu

Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/LoginServlet.java in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.

CVE
Open in Source
#xss#vulnerability#web#java
Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

GHSA-gm68-572p-q28r: @vendure/admin-ui-plugin authenticated Cross-site Scripting vulnerability

### Impact Vendure provides an authorization system with different levels of privileges. For example, an administrator cannot create another administrator. In the admin UI, there are a couple of places with description inputs, such as inventory/collection catalog, shipping methods, promotions, and more. While the WYSIWYG editor allows limited customization, altering the request data (not in the ui) saves and returns arbitrary HTML with no sanitization. Causing an XSS when viewing the page. The impact of this XSS is privilege escalation. A user that can write any type of description can trigger the attack. Then any other user that visits the vulnerable page is prone to arbitrary Javascript code execution, giving the attacker ability to execute actions on behalf of this user. ### Patches in progress ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References _Are there any links users can visit to find out more?_

CVE-2023-24497: TALOS-2023-1704 || Cisco Talos Intelligence Group

Cross-site scripting (xss) vulnerabilities exist in the requestHandlers.js detail_device functionality of Milesight VPN v2.0.2. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger these vulnerabilities.This XSS is exploited through the remote_subnet field of the database

CVE-2023-30326: Cross Site Scripting (XSS) vulnerability in username field in chatbox functionality in ChatEngine 1.0 - Payatu

Cross Site Scripting (XSS) vulnerability in username field in /WebContent/WEB-INF/lib/chatbox.jsp in wliang6 ChatEngine commit fded8e710ad59f816867ad47d7fc4862f6502f3e, allows attackers to execute arbitrary code.

CVE-2023-30322: Cross Site Scripting (XSS) in username field in chatWindow functionality in ChatEngine 1.0 - Payatu

Cross Site Scripting (XSS) vulnerability in username field in /src/chatbotapp/chatWindow.java in Payatu ChatEngine v.1.0, allows attackers to execute arbitrary code.

CVE-2023-36970: CMS Made Simple v2.2.17 – Stored Cross-Site Scripting (XSS) (Authenticated)

A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.

CVE-2023-37134: EyouCMS V1.6.3 "Basic Information" module has a storage cross-site vulnerability · Issue #47 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in the Basic Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-37132: Stored XSS exists in version 1.6.3, which can lead to stealing sensitive information of logged-in users · Issue #45 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in the custom variables module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2023-37136: EyouCMS V1.6.3 "Basic Website Information" module has cross-site storage vulnerability · Issue #49 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in the Basic Website Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.