Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-29621: File Inclusion Vulnerabilities: What are they and how do they work?

Purchase Order Management v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

CVE
Open in Source
#xss#vulnerability#web#mac#js#java#php#backdoor#rce#auth#ssl
CVE-2023-29623: CVE-nu11secur1ty/vendors/oretnom23/2023/Purchase-Order-Management-1.0/XSS-Reflected at main · nu11secur1ty/CVE-nu11secur1ty

Purchase Order Management v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the password parameter at /purchase_order/classes/login.php.

CVE-2023-27890: MyBB Export User 2.0 Cross Site Scripting ≈ Packet Storm

** UNSUPPORTED WHEN ASSIGNED ** The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

GHSA-mg46-f9h5-g27x: Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.

GHSA-4h2q-84w7-4mhx: nilsteampassnet/teampass vulnerable to stored cross-site scripting (XSS)

nilsteampassnet/teampass prior to 3.0.3 is vulnerable to stored cross-site scripting (XSS) in the description parameter of a folder.

CVE-2022-44625: WordPress Cyklodev WP Notify plugin <= 1.2.1 - Auth. Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting') vulnerability in Zephilou Cyklodev WP Notify plugin <= 1.2.1 versions.

CVE-2022-45358: WordPress Activello theme <= 1.4.4 - Auth. Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions.

CVE-2023-2021: 3.0.3 · nilsteampassnet/TeamPass@77c541a

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

CVE-2022-45064

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option.

GHSA-f4g6-c47x-qhww: Microweber vulnerable to cross-site scripting (XSS)

microweber/microweber prior to 1.3.3 is vulnerable to cross-site scripting (XSS) in the template selection while changing a group template.