| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking. |
| Inappropriate implementation in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Starting in version 1.7.7 and prior to version 2.0.3, dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent. Certain conditions must exist for the vulnerability to be exploitable. Only macOS or Linux users are affected, due to the way the `>` character is treated in a file name on Windows. The PrivateBin instance needs to have file upload enabled. An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name). An attacker needs to convince the user to attach that malicious file to PrivateBin. Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled. If CSP is not disabled, HTML injection attacks may be possible - like redirecting to a foreign website, phishing etc. As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) and that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low. Version 2.0.3 patches the issue. |
| Reflected cross-site scripting vulnerability in Apache OFBiz.
This issue affects Apache OFBiz: before 24.09.03.
Users are recommended to upgrade to version 24.09.03, which fixes the issue. |
| A vulnerability classified as problematic has been found in OFCMS 1.1.2. This affects the function add of the file /admin/system/dict/add.json?sqlid=system.dict.save. The manipulation of the argument dict_value leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg groundhogg allows Stored XSS.This issue affects Groundhogg: from n/a through <= 4.2.6. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in colabrio Ohio Extra ohio-extra allows DOM-Based XSS.This issue affects Ohio Extra: from n/a through <= 3.6.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen K Elements k-elements allows DOM-Based XSS.This issue affects K Elements: from n/a through < 5.5.0. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows DOM-Based XSS.This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matias Ventura Gutenberg gutenberg allows Stored XSS.This issue affects Gutenberg: from n/a through <= 21.8.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows Stored XSS.This issue affects Premmerce User Roles: from n/a through <= 1.0.13. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows Stored XSS.This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.This issue affects Import from YML: from n/a through <= 3.1.17. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Reflected XSS.This issue affects Grand Conference Theme Custom Post Type: from n/a through < 2.6.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReyCommerce Rey Core rey-core allows Stored XSS.This issue affects Rey Core: from n/a through <= 3.1.8. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Jannah - Extensions jannah-extensions allows DOM-Based XSS.This issue affects Jannah - Extensions: from n/a through <= 1.1.4. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeSphere SmartMag smart-mag allows Stored XSS.This issue affects SmartMag: from n/a through <= 10.3.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Sahifa sahifa allows DOM-Based XSS.This issue affects Sahifa: from n/a through < 5.8.6. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce email-template-customizer-for-woo allows Stored XSS.This issue affects Email Template Customizer for WooCommerce: from n/a through <= 1.2.17. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.This issue affects Easy Social Share Buttons: from n/a through < 10.7.1. |
