Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-35251

A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window, an adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijacking the content of targeted users. Hence the payloads are stored in messages, it is a persistent attack vector, which will trigger as soon as the message gets viewed.

CVE
Open in Source
#xss#vulnerability
CVE-2020-36521: About the security content of iCloud for Windows 7.21

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iCloud for Windows 11.4, iOS 14.0 and iPadOS 14.0, watchOS 7.0, tvOS 14.0, iCloud for Windows 7.21, iTunes for Windows 12.10.9. Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents.

CVE-2022-38704: SEO Redirection Plugin – 301 Redirect Manager

Cross-Site Request Forgery (CSRF) vulnerability in SEO Redirection plugin <= 8.9 at WordPress, leading to deletion of 404 errors and redirection history.

CVE-2022-40358

An issue was discovered in AjaXplorer 4.2.3, allows attackers to cause cross site scripting vulnerabilities via a crafted svg file upload.

CVE-2022-40748: IBM InfoSphere Information Server cross-site scripting CVE-2022-40748 Vulnerability Report

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 236586.

CVE-2022-35721: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721)

IBM Jazz for Service Management 1.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 231380.

CVE-2022-40359

Cross site scripting (XSS) vulnerability in kfm through 1.4.7 via crafted GET request to /kfm/index.php.

GHSA-w9mf-83w3-fv49: Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles

A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including version 19.0.1. The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the default roles functionality. Version 19.0.2 contains a patch for this issue. ### Credits Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM

CVE-2022-40215

Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in Tabs plugin <= 3.7.1 at WordPress.

CVE-2022-36417: 3D Tag Cloud

Multiple Stored Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability in 3D Tag Cloud plugin <= 3.8 at WordPress.