Tag: #xss

CVE-2022-46771: IBM UrbanCode Deploy (UCD) cross-site scripting CVE-2022-46771 Vulnerability Report

IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.18, 7.0.5.0 through 7.0.5.13, 7.1.0.0 through 7.1.2.9, 7.2.0.0 through 7.2.3.2 and 7.3.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 242273.

CVE-2022-4619: Sidebar Widgets by CodeLights

The Sidebar Widgets by CodeLights plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Extra CSS class’ parameter in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Senayan Library Management System 9.2.1 Cross Site Scripting

Senayan Library Management System version 9.2.1 suffers from a cross site scripting vulnerability.

Akamai wrestles with AWS S3 web cache poisoning bug

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

CVE-2022-23543: Own HTML attributes when attaching a YouTube link to the post

Silverware Games is a social network where people can play games online. Users can attach URLs of YouTube videos; the site generates a related `<iframe>` when the post is published. The handler has some protection so that non-YouTube links can't be posted, and HTML tags are stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>`. This issue was fixed in version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.

CVE-2022-43887: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450.

CVE-2022-44488: Adobe Security Bulletin

Adobe Experience Manager version 6.5.14 (and earlier) is affected by a URL Redirection to Untrusted Site ('Open Redirect') vulnerability. A low-privilege authenticated attacker could leverage this vulnerability to redirect users to malicious websites. Exploitation of this issue requires user interaction.

CVE-2022-4615: Cross Site Scripting (reflected) on fee_sheet_ajax.php in openemr

Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.

CVE-2022-4614: XSS to LFI in Runcode Feature in znote-app

Cross-site Scripting (XSS) - Stored in GitHub repository alagrede/znote-app prior to 1.7.11.

CVE-2022-40435: Employee Performance Evaluation System v1.0 — Persistent Cross-Site Scripting (XSS) — ‘Departments and Designations Module’.

Employee Performance Evaluation System v1.0 was discovered to contain a persistent cross-site scripting (XSS) vulnerability via adding new entries under the Departments and Designations module.