The feature 'http://localhost/gestioip/res/ip_mod_dns_key_form.cgi' in GestioIP 3.5.7 is susceptible to Stored XSS. An authenticated attacker can inject malicious code into the 'tsig_key' form field, which when saved to the database, can be triggered by any user accessing the 'DNS Key' page, resulting in the execution of malicious code.
The Exclusive Addons for Exclusive Addons for Elementor for WordPress, in versions up to and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via the 's' parameter. Improper input sanitization and output escaping allow an attacker with contributor-level permissions or higher to inject arbitrary JavaScript that executes when a user views the affected page.
When using the 'insert media' feature in SilverStripe 5.3.8, the oEmbed JSON linked includes an unsanitized HTML attribute, allowing an attacker to execute a script payload on both the CMS and the website's front-end.
Reservit Hotel plugin version 2.1 does not properly sanitize and escape certain settings, allowing high privilege users, like admin, to execute Stored Cross-Site Scripting attacks. This vulnerability can be exploited even when the unfiltered_html capability is restricted.
A stored cross-site scripting (XSS) vulnerability is found in ResidenceCMS 2.10.1. This vulnerability permits a user with low privileges to insert malicious HTML content as a stored XSS payload within property pages. When the affected property page is accessed by any user, including the administrator, the XSS payload gets executed.
CMU CERT/CC VINCE 2.0.6 web platform is prone to a stored cross-site scripting vulnerability. Attackers can inject arbitrary HTML/JS code through the 'content' POST parameter, which is not properly sanitized. This allows malicious code execution in the context of the affected user's browser session.
A Stored Cross Site Scripting (XSS) vulnerability exists in OpenCMS 17.0 in the author field when publishing an article. By crafting a malicious script in the author field, an attacker can execute arbitrary scripts on users who click on the 'Read More' button, potentially leading to unauthorized actions.
The TimeProvider 4100 grandmaster firmware through version 2.4.7 is vulnerable to stored Cross-Site Scripting (XSS) in the custom banner configuration field. An attacker exploiting this vulnerability can run arbitrary scripts in a user's context.
Garage Management System 1.0 is vulnerable to stored XSS due to inadequate client-side validation. An attacker can manipulate a request using tools like Burp Suite to evade validation, leading to the injection of malicious scripts into the 'categoriesName' parameter. This can result in the execution of arbitrary scripts in the context of the user's browser.
A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs, the script executes, resulting in privilege escalation via unauthorized admin account creation. The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.
Services By CQR