A vulnerability in the HTML table tag with the style attribute set to position:absolute;clip:rect(0) allows an attacker to inject malicious JavaScript code into a web page. The code is executed when the page is rendered in the browser. This vulnerability affects all versions of Internet Explorer prior to version 8.0. The vulnerability can be exploited by an attacker to gain access to sensitive information or to execute malicious code on the user's system.
If 'install.php' was not removed after installation, an attacker can create an HTML file with a form containing a text input and a submit button. The form action should be set to the path of the 'install.php' file on the victim server. After opening the HTML file, the attacker can enter any step of the installation they would like to access. Step '3' contains the most sensitive information.
KnowledgeTree 3.5.2 Community Edition is vulnerable to a permanent XSS vulnerability. This vulnerability can be exploited by entering malicious JavaScript code into the search box or search criteria and saving the search. These searches can be shared with all users, enabling the insertion of malicious JavaScript code. To exploit this vulnerability, a user can load http://localhost/dashboard.php or http://localhost/search2.php?action=searchResults in the textbox, enter <script>alert('moo')</script> and save the search. The saved search can then be loaded to view the result.
A Cross-Site Scripting (XSS) vulnerability exists in ORACLE Business Process Management (Process Administrator) version 5.7-6.0-10.3 +MP's. The vulnerability is due to insufficient sanitization of user-supplied input in the web-based user interface for managing the process execution environment, including process definitions, process instances, and process services. An attacker can exploit this vulnerability by sending a maliciously crafted request to the vulnerable application. Successful exploitation could result in the execution of arbitrary HTML and script code in the context of the affected application.
dotDefender is prone to a XSS because it doesn't satinate the input vars correctly. Injecting obfusctated JavaScript code based on references vars assignment, the dotDefender WAF is vulnerable. Blocked: [victim]/search?q=%3Cimg%20src=%22WTF%22%20onError=%22{var%20{3:s,2:h,5:a,0:v,4:n,1:e}=%27earltv%27}[self][0][v%2Ba%2Be%2Bs]%28e%2Bs%2Bv%2Bh%2Bn%29%28/0wn3d/.source%29%22%20/%3E Unblocked: [victim]/search?q=%3Cimg%20src=%22WTF%22%20onError=alert(/0wn3d/.source) %20/%3E
When attackers login with user information, attackers can update their profile by injecting javascript into fields like 'First Name' and 'Title'.
A permanent XSS vulnerability exists in InterScan Web Security Virtual Appliance 5.0. An attacker can send a specially crafted HTTP request with malicious JavaScript code to the vulnerable application in order to execute arbitrary code in the context of the user's browser. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Axis2 is a web services/SOAP/WDSL engine, widely used within many commercial products Procheckup has found it is vulnerable to a vanilla Cross-Site Scripting Vulnerability (XSS). Axis2 is used within SAP Business Objects 12 and 3com's IMC network management tool.
A Stored Cross-Site Scripting (XSS) vulnerability was found within the Palo Alto interface. By crafting a URL that includes XSS code it is possible to inject malicious data, redirect the user to a bogus replica of the real website, or other nefarious activity.
The vulnerability exists due to failure in the "/_layouts/help.aspx" script to properly sanitize user-supplied input in "cid0" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data. An attacker can use browser to exploit this vulnerability.
Services By CQR