Cross-Site Scripting

Cross-Site Scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, credential theft, and phishing attacks.

Total CVEs: 110

Typical Severity: MEDIUM

Category: General

Understanding Cross-Site Scripting

Detailed information about this vulnerability type.

How to Identify

  • Review security advisories
  • Perform regular security testing

Prevention Best Practices

  • Follow security best practices
  • Keep systems updated

Cross-Site Scripting CVEs (110)

Each entry lists: CVE (score), Description, Vendor / Product, Exploit Status, Date.

CVE-2026-26226 (score 5.3)
Description: This vulnerability allows an attacker to inject malicious scripts into web pages by manipulating SVG diagrams created with the affected software. It occurs when user-defined styles and classes are not properly secured, enabling the attacker to execute harmful code if the diagrams are rendered in a web application.
Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 13, 2026 (about 2 months ago)

CVE-2025-70095 (score 6.5)
Description: This vulnerability allows attackers to run malicious scripts on the OpenSourcePOS platform, potentially stealing sensitive information from users or manipulating transactions. It occurs when an attacker can inject harmful code into the item management or sales invoice sections, which requires them to have access to those functions in the application.
Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
Date: Feb 13, 2026 (about 2 months ago)

CVE-2025-70094 (score 6.5)
Description: This vulnerability allows attackers to run malicious scripts in a user's browser by injecting harmful code into the Item Category field when generating barcodes. It requires the attacker to have access to the web interface of OpenSourcePOS, making it important for users to be cautious about input validation and access controls.
Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
Date: Feb 13, 2026 (about 2 months ago)

CVE-2025-70091 (score 6.5)
Description: This vulnerability allows attackers to run malicious scripts in a user's browser by injecting harmful code into the Phone Number field in the Customers function of OpenSourcePOS v3.4.1. It requires the attacker to trick a user into visiting a page where this code is executed, potentially leading to data theft or session hijacking.
Vendor / Product: opensourcepos / open source point of sale
Exploit Status: Theoretical
Date: Feb 13, 2026 (about 2 months ago)

CVE-2026-1578 (score 5.1)
Description: This vulnerability allows an attacker to inject malicious scripts into the HP App for Android, potentially compromising user data or hijacking sessions. It mainly affects users who are running outdated versions of the app on their mobile devices, so updating to the latest version is crucial for protection.
Vendor / Product: Unknown
Exploit Status: Exploit Available
Date: Feb 13, 2026 (about 2 months ago)

CVE-2025-70845 (score 6.1)
Description: This vulnerability allows an attacker to inject malicious scripts into the settings page of the lty628 aidigu application, which could then execute in the browsers of users visiting that page. To exploit this, the attacker needs to have access to the "intro" field on the settings page, where user input is not properly checked for harmful content.
Vendor / Product: Unknown
Exploit Status: Theoretical
Date: Feb 12, 2026 (about 2 months ago)

CVE-2025-66468 (score 6.1)
Description: This vulnerability allows an attacker to inject malicious JavaScript code into the content pages of the Aimeos GrapesJS CMS, potentially leading to a stored cross-site scripting (XSS) attack. This can happen if the site's standard security feature, the Content Security Policy, is turned off and the attacker has access as an editor.
Vendor / Product: aimeos / grapesjs cms
Exploit Status: Theoretical
Date: Dec 2, 2025 (4 months ago)

CVE-2024-35768 (score 4.8)
Description: This vulnerability allows an attacker to inject malicious scripts into web pages created with the Live Composer Page Builder, which can then execute when users visit those pages, potentially stealing sensitive information or hijacking user sessions. It affects versions from the earliest release up to 1.5.42, meaning any site using these versions is at risk if it allows untrusted input to be included in the page content.
Vendor / Product: blueastral / page builder
Exploit Status: Theoretical
Date: Jun 21, 2024 (almost 2 years ago)

CVE-2024-35779 (score 5.4)
Description: This vulnerability allows an attacker to inject malicious scripts into web pages created with the Live Composer Page Builder, which can then be executed in the browsers of users who visit those pages. It affects versions from the earliest release up to 1.5.42, meaning if you're using one of those versions, your site could be at risk if proper input validation isn't implemented.
Vendor / Product: blueastral / page builder
Exploit Status: Theoretical
Date: Jun 21, 2024 (almost 2 years ago)

CVE-2024-37800 (score 6.1)
Description: This vulnerability allows an attacker to inject malicious scripts into the restaurant reservation system, which can then execute in the browsers of users who visit the affected page. To exploit this, the attacker needs to craft a specially designed URL that includes the harmful script in the Date parameter, tricking users into clicking it.
Vendor / Product: code-projects / restaurant reservation system
Exploit Status: Theoretical
Date: Jun 18, 2024 (almost 2 years ago)

CVE-2024-35224 (score 7.6)
Description: This vulnerability allows an attacker to inject malicious JavaScript into the OpenProject application, potentially compromising other users' accounts. To exploit this, the attacker needs permissions to edit work packages and add attachments, and they could use this to target a System Admin for privilege escalation.
Vendor / Product: openproject / openproject
Exploit Status: Theoretical
Date: May 23, 2024 (almost 2 years ago)

CVE-2024-25709 (score 6.1)
Description: An attacker can create a malicious link that, when saved by a user in Esri Portal for ArcGIS, can run harmful JavaScript code in that user's web browser. This can be done by anyone, even without special permissions, as long as they are logged in to the system.
Vendor / Product: esri / portal for arcgis
Exploit Status: Theoretical
Date: Apr 4, 2024 (about 2 years ago)

CVE-2024-25705 (score 5.4)
Description: This vulnerability allows an attacker with basic access to create a malicious link that, when clicked by a user, can run harmful JavaScript code in their browser. The attacker only needs to be logged in with low-level permissions, making it relatively easy to exploit.
Vendor / Product: esri / portal for arcgis
Exploit Status: Exploit Available
Date: Apr 4, 2024 (about 2 years ago)

CVE-2024-27287 (score 8.7)
Description: This vulnerability allows an attacker who is already logged into the ESPHome dashboard to inject malicious scripts, potentially stealing session cookies and taking control of the dashboard to manipulate configuration files and firmware. To exploit this, the attacker needs to craft a specific request and trick another logged-in user into visiting a modified edit page.
Vendor / Product: esphome / esphome
Exploit Status: Exploit Available
Date: Mar 6, 2024 (about 2 years ago)

CVE-2023-52193 (score 5.4)
Description: This vulnerability allows an attacker to inject malicious scripts into web pages created with the Live Composer Page Builder, which can then be executed in the browsers of users visiting those pages. It affects versions up to 1.5.23, and for the attack to work, the attacker needs to have access to a way to input content into the page builder.
Vendor / Product: blueastral / page builder
Exploit Status: Theoretical
Date: Feb 1, 2024 (about 2 years ago)

CVE-2023-47512 (score 6.1)
Description: This vulnerability allows an attacker to inject malicious scripts into web pages viewed by users of the Gravity Master Product Enquiry plugin for WooCommerce, potentially leading to unauthorized actions or data theft. It can be exploited by anyone without needing to log in, as long as they can trick users into clicking on a specially crafted link.
Vendor / Product: gravitymaster / product enquiry for woocommerce
Exploit Status: Theoretical
Date: Nov 16, 2023 (over 2 years ago)

CVE-2023-47240 (score 6.5)
Description: This vulnerability allows an attacker with contributor-level access to inject malicious scripts into the CBX Map plugin, which can then execute in the browsers of users who view the affected maps. This means that if an attacker can get contributor access, they can potentially steal sensitive information or perform actions on behalf of other users.
Vendor / Product: codeboxr / cbx map
Exploit Status: Exploit Available
Date: Nov 16, 2023 (over 2 years ago)

CVE-2023-46640 (score 5.4)
Description: This vulnerability allows an attacker with contributor-level access or higher to inject malicious scripts into the Medialist plugin, which can then be executed in the browsers of users who view the affected content. This means that if an attacker can log in as a contributor or more privileged user, they can potentially steal sensitive information or perform actions on behalf of other users.
Vendor / Product: drelton / medialist
Exploit Status: Exploit Available
Date: Nov 8, 2023 (over 2 years ago)

CVE-2023-41655 (score 4.8)
Description: This vulnerability allows an attacker with administrative access to inject malicious scripts into the authLdap plugin, which can then be executed in the browsers of other users. It affects versions up to 2.5.9, meaning that if you're using an outdated version and have admin privileges, you could unintentionally expose other users to harmful content.
Vendor / Product: heiglandreas / authldap
Exploit Status: Exploit Available
Date: Sep 29, 2023 (over 2 years ago)

CVE-2023-4549 (score 6.1)
Description: This vulnerability allows attackers to inject malicious scripts into the WordPress login form, potentially leading to stored cross-site scripting (XSS) attacks, which can compromise user accounts. It occurs because the DoLogin Security plugin fails to properly sanitize IP addresses taken from the X-Forwarded-For header, and it affects versions before 3.7.
Vendor / Product: wpdo / dologin security
Exploit Status: Exploit Available
Date: Sep 25, 2023 (over 2 years ago)
Showing 61 to 80 of 110 results