The ABB Cylon Aspect BMS/BAS controller in versions <=3.08.02 is vulnerable to an authenticated stored cross-site scripting (XSS) flaw. An attacker can upload a malicious .txt file with XSS payload, which when stored on the server, can be served back to users. By injecting client-side scripts, attackers can execute arbitrary code in the context of any user accessing the infected file or related web page (license.php). Bypassing file upload checks requires including the Variant string in the request.
The ABB BMS/BAS controller in ABB Cylon Aspect 3.08.02 allows authenticated users to store malicious scripts. By manipulating the 'host' POST parameter, an attacker can inject arbitrary HTML/JS code into the application. This can lead to the execution of unauthorized code within the user's browsing session.
An attacker can exploit a stored Cross-Site Scripting vulnerability in Backdrop CMS 1.23.0 by inserting malicious scripts into the body of a post. By crafting a specific payload and saving the post, the attacker can execute arbitrary scripts in the context of other users' browsers.
SnipeIT version 6.2.1 is vulnerable to stored cross-site scripting (XSS) allowing attackers to run malicious JavaScript code. The specific vulnerability lies in the location endpoint.
The MISP version 2.4.171 is prone to a stored cross-site scripting vulnerability. An authenticated attacker can inject malicious scripts into the 'Name' parameter when adding a cluster under the 'Galaxies' section, leading to the execution of arbitrary scripts in the context of the victim's browser. This vulnerability has been assigned CVE-2023-37307.
A Stored Cross Site Scripting (XSS) vulnerability in Petrol Pump Management Software v1.0 allows attackers to execute malicious code by injecting a crafted payload into the Address parameter in the add_invoices.php component.
SnipeIT version 6.2.1 is prone to a stored cross-site scripting (XSS) vulnerability, which could allow attackers to execute arbitrary JavaScript code. The vulnerability exists in the location endpoint.
A stored cross-site scripting vulnerability exists in the Responsive E-Learning System 1.0, which allows an attacker to inject malicious JavaScript code into the application. By exploiting this vulnerability, an attacker can gain access to the application and execute malicious code on the victim's browser.
IBM WebSphere Portal is prone to a stored Cross-Site Scripting (XSS) vulnerability in the Web Content Management component, which allows authenticated users to inject arbitrary JavaScript. A potential attacker authenticated to the Web Content Management can exploit this vulnerability by creating a malicious web content and persuading the victim to visit it. This issue can lead to different kind of user-targeted attacks such as cookie stealing and account violation.
An attacker can send a SOAP request with JavaScript embedded inside it, which gets stored in the database. When an administrator monitors the Traps’ admin screen and opens details about the vulnerability, the JavaScript is executed on the admin browser.
Services By CQR