Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-28367: VK Blocks / ExUnit の脆弱性について

Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script.

CVE
Open in Source
#xss#vulnerability#wordpress#auth
CVE-2023-27922: WordPress Plugin "Newsletter" vulnerable to cross-site scripting

Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script.

CVE-2023-25440: CiviCRM 5.59.alpha1 Cross Site Scripting ≈ Packet Storm

Stored Cross Site Scripting (XSS) vulnerability in the add contact function CiviCRM 5.59.alpha1, allows attackers to execute arbitrary code in first/second name field.

CVE-2023-31664: Issues · wso2/api-manager

A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.

CVE-2023-31816: GitHub - TzssZ/Content-Management-System-v1.0-has-Cross-site-Scripting-XSS-: Content Management System In PHP With Source Code has Cross-site Scripting (XSS)

IT Sourcecode Content Management System Project In PHP and MySQL With Source Code 1.0.0 is vulnerable to Cross Site Scripting (XSS) via /ecodesource/search_list.php.

GHSA-8775-5hwv-wr6v: Potential for cross-site scripting in PostHog-js

### Impact Potential for cross-site scripting in `posthog-js`. ### Patches The problem has been patched in `posthog-js` version 1.57.2. ### Workarounds - This isn't an issue for sites that have a Content Security Policy in place. - Using the HTML tracking snippet on PostHog Cloud always guarantees the latest version of the library – in that case no action is required to upgrade to the patched version. ### References We will publish details of the vulnerability in 30 days as per our [security policy](https://posthog.com/handbook/company/security#policies).

GHSA-x7c2-7wvg-jpx7: kiwitcms vulnerable to stored XSS via unrestricted files upload

### Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded, see [GHSA-fwcf-753v-fgcj](https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj) and Content-Security-Policy definition to prevent cross-site-scripting attacks, see [GHSA-2wcr-87wf-cf9j](https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j). The upload validation checks were not robust enough which left the possibility of an attacker to circumvent them and upload a potentially dangerous file. Exploting this flaw a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser. ### Patches - File upload validation code has been improved - Kiwi TCMS will now force `Content-Type: text/plain` when serving uploaded files ...

CVE-2023-28467: User CP email persistent XSS

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

CVE-2023-31584: GitHub - cu/silicon: Silicon Notes, a web-based personal knowledge base with few frills

GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.

W3 Eden Download Manager 3.2.70 Cross Site Scripting

W3 Eden Download Manager versions 3.2.70 and below suffer from a persistent cross site scripting vulnerability via ShortCode.