The exploit involves uploading a ZIP file containing a malicious SVG file to achieve Cross-Site Scripting (XSS) on Kentico Xperience versions before 13.0.178. The malicious SVG file triggers an alert box when executed.
MiniCMS version 1.10 is vulnerable to a Cross-Site Scripting (XSS) attack. By injecting malicious script code into the 'date' parameter of the 'page.php' script, an attacker can execute arbitrary scripts in the context of the user's browser.
The code-projects Online Exam Mastering System 1.0 is prone to a Reflected Cross-Site Scripting (XSS) vulnerability in the 'q' parameter of feedback.php. This issue occurs because the application does not properly sanitize user-supplied input, enabling an attacker to execute arbitrary JavaScript code.
An authenticated stored Cross-Site Scripting (XSS) vulnerability was found in Pimcore's Data Object Classification Store feature. This vulnerability occurs due to inadequate input filtering, enabling an authenticated attacker with access to the classification store to insert harmful JavaScript code. When other users view the impacted data, this injected code runs within their browser context.
A Cross-Site Scripting (XSS) vulnerability was found in CodeAstro Online Railway Reservation System version 1.0. This vulnerability allows attackers to insert and run malicious JavaScript code in the user's browser session.
GestioIP 3.5.7 is prone to an authenticated cross-site scripting vulnerability in the 'ip_do_job' feature. This could allow attackers to perform data exfiltration and cross-site request forgery (CSRF) attacks. The vulnerability can be exploited by injecting malicious scripts into parameters like 'host_id' and 'stored_config'.
The ABB Cylon Aspect BMS/BAS controller version 4.00.00 is vulnerable to unauthenticated reflected cross-site scripting (XSS) through the 'title' GET parameter. Attackers can execute malicious HTML/JS code in a user's browser within the context of the affected site.
A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime CRM Automation version 6.18.17 and below allows malicious users to run arbitrary JavaScript code in a victim's web browser by inserting a specially crafted payload into the dialog parameter at wrapper_dialog.php.
A Cross-Site Scripting (XSS) vulnerability was found in Sitefinity CMS versions prior to 15.0.0. The vulnerability exists in all features using SF-Editor in the backend of the CMS. An attacker with lower privileges can insert malicious XSS payloads in the content form, which will be executed when a user with higher privileges, the victim, views the affected page.
The WordPress plugin WP Video Playlist 1.1.1 is vulnerable to a stored cross-site scripting (XSS) attack. An attacker can inject malicious scripts into the 'videoFields[post_type]' input field, leading to the execution of arbitrary code in the context of the user's browser. This can result in cookie theft, session hijacking, or other malicious activities.