The ABB Cylon Aspect BMS/BAS controller in versions <=3.08.02 is vulnerable to an authenticated stored cross-site scripting (XSS) flaw. An attacker can upload a malicious .txt file with XSS payload, which when stored on the server, can be served back to users. By injecting client-side scripts, attackers can execute arbitrary code in the context of any user accessing the infected file or related web page (license.php). Bypassing file upload checks requires including the Variant string in the request.
The feature 'http://localhost/gestioip/res/ip_mod_dns_key_form.cgi' in GestioIP 3.5.7 is susceptible to Stored XSS. An authenticated attacker can inject malicious code into the 'tsig_key' form field, which when saved to the database, can be triggered by any user accessing the 'DNS Key' page, resulting in the execution of malicious code.
The Exclusive Addons for Exclusive Addons for Elementor for WordPress, in versions up to and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via the 's' parameter. Improper input sanitization and output escaping allow an attacker with contributor-level permissions or higher to inject arbitrary JavaScript that executes when a user views the affected page.
The exploit involves uploading a ZIP file containing a malicious SVG file to achieve Cross Site Scripting (XSS) on Kentico Xperience version before 13.0.178. The malicious SVG file triggers an alert box when executed.
When using the 'insert media' feature in SilverStripe 5.3.8, the oEmbed JSON linked includes an unsanitized HTML attribute, allowing an attacker to execute a script payload on both the CMS and the website's front-end.
The MiniCMS version 1.10 is vulnerable to a Cross Site Scripting (XSS) attack. By injecting malicious script code into the 'date' parameter of the 'page.php' script, an attacker can execute arbitrary scripts in the context of the user's browser.
The code-projects Online Exam Mastering System 1.0 is prone to a Reflected Cross-Site Scripting (XSS) vulnerability in the 'q' parameter of feedback.php. This issue occurs because the application does not properly sanitize user-supplied input, enabling an attacker to execute arbitrary JavaScript code.
An authenticated stored Cross-Site Scripting (XSS) vulnerability was found in Pimcore's Data Object Classification Store feature. This vulnerability occurs due to inadequate input filtering, enabling an authenticated attacker having access to the classification store to insert harmful JavaScript code. When other users view the impacted data, this injected code runs within their browser context.
Reservit Hotel plugin version 2.1 does not properly sanitize and escape certain settings, allowing high privilege users, like admin, to execute Stored Cross-Site Scripting attacks. This vulnerability can be exploited even when the unfiltered_html capability is restricted.
A Cross-Site Scripting (XSS) vulnerability was found in CodeAstro Online Railway Reservation System version 1.0. This vulnerability allows attackers to insert and run malicious JavaScript code in the user's browser session.
Services By CQR