Unauthenticated attackers can inject malicious scripts into Cisco Unified CCX's web management interface due to insufficient input validation, enabling XSS attacks against administrators and users. Successful exploitation allows arbitrary JavaScript execution within the browser context or theft of sensitive session information. No patch is currently available.
Unauthenticated attackers can inject malicious scripts into the web management interfaces of multiple Cisco contact center products (Finesse, Packaged CCE, Unified CCE, Unified CCX, and Unified Intelligence Center) due to insufficient input validation. Successful exploitation allows arbitrary script execution in the victim's browser context, potentially enabling session hijacking or credential theft from administrators. No patch is currently available for this cross-site scripting vulnerability.
Reflected XSS in the Organization Portal System's IFTOP module enables authenticated attackers to inject malicious JavaScript that executes in victims' browsers via social engineering or phishing links. This vulnerability requires user interaction to trigger and affects confidentiality and integrity with no current patch available.
WellChoose's IFTOP Organization Portal System contains an open redirect vulnerability that permits authenticated attackers to craft deceptive URLs capable of redirecting users to malicious websites. The vulnerability requires user interaction to trigger and affects cross-origin requests, enabling credential theft or malware distribution through social engineering. No patch is currently available to remediate this issue.
The Lenovo Virtual Bus driver in Smart Connect contains a buffer overflow that allows local authenticated users to corrupt memory and trigger system crashes on Windows systems. This vulnerability requires valid credentials and local access, limiting exposure to users already present on affected machines. No patch is currently available to address this issue.
The LatePoint Calendar Booking Plugin for WordPress versions up to 5.2.7 contains a cross-site request forgery vulnerability in the reload_preview() function due to missing nonce validation, allowing unauthenticated attackers to modify plugin settings and inject malicious scripts if a site administrator can be tricked into clicking a malicious link. An attacker exploiting this vulnerability can alter configurations and inject web-based payloads that execute in the administrator's browser session. No patch is currently available for this vulnerability.
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 exposes sensitive form data and settings through an unauthenticated URL parameter that regenerates JSON files, allowing attackers to download administrator email addresses and other configuration details. This vulnerability affects WordPress installations using the vulnerable plugin versions when admin notifications are enabled. No patch is currently available for this medium-severity information disclosure.
A vulnerability was identified in strukturag libheif up to 1.21.2. This impacts the function Track::load of the file libheif/sequences/track.cc of the component stsz/stts. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. Applying a patch is the recommended action to fix this issue. The patch available is...
A vulnerability was determined in strukturag libheif up to 1.21.2. This affects the function vvdec_push_data2 of the file libheif/plugins/decoder_vvdec.cc of the component HEIF File Parser. Executing a manipulation of the argument size can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. This patch is called b97c8b...
ImageMagick is free and open-source software used for editing and manipulating digital images. versions up to 7.1.2-16 is affected by heap-based buffer overflow (CVSS 5.7).
Command injection in H3C ACG1000-AK230 through the /webui/?aaa_portal_auth_local_submit endpoint allows unauthenticated remote attackers to execute arbitrary commands by manipulating the suffix parameter. Public exploit code exists for this vulnerability, which affects versions up to 20260227 with no patch currently available. The vulnerability carries a CVSS score of 7.3 and provides attackers with partial access to confidentiality, integrity, and availability.
OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the workspace router that allows unauthenticated remote attackers to manipulate the file_name parameter and access or modify arbitrary files on the system. Public exploit code is available for this vulnerability, which affects the integrity and availability of the application. The vendor has not yet released a patch despite early notification of the issue.
Server-side request forgery in multiple Adobe Commerce versions allows high-privileged attackers to bypass security controls by manipulating internal server requests without user interaction. Affected versions include 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, and 2.4.4-p16 or earlier. No patch is currently available.
Server-side request forgery in Adobe Commerce 2.4.4 through 2.4.9-alpha3 enables high-privileged attackers to bypass security controls and access unauthorized resources without user interaction. The vulnerability affects multiple versions across the Commerce and Commerce B2B product lines, allowing manipulation of internal server requests from an authenticated administrative context. No patch is currently available.
The Lenovo Virtual Bus driver in Smart Connect contains a divide-by-zero flaw that enables local authenticated users to trigger a system crash (blue screen). No patch is currently available, leaving affected Windows systems vulnerable to denial-of-service attacks by privileged local users.
Quill before v0.7.1 is susceptible to denial of service through unbounded memory allocation when processing maliciously crafted Mach-O binaries. Environments accepting externally-submitted binaries for signing—such as CI/CD pipelines and shared signing services—face resource exhaustion attacks if they process attacker-controlled files. An authenticated local attacker can trigger excessive memory consumption by exploiting unvalidated size fields in code signing structures, causing the application to crash or hang.
Lenovo PC Manager permits local authenticated users to terminate privileged processes due to improper privilege management, potentially disrupting system operations or enabling denial of service. An attacker with valid credentials could leverage this vulnerability to halt critical processes without administrative approval. No patch is currently available to address this issue.
Frappe is a full-stack web application framework. versions up to 14.100.2 is affected by cross-site scripting (xss).
A security vulnerability in StudioCMS (CVSS 5.4). Remediation should follow standard vulnerability management procedures.
Unauthorized post duplication in Happy Addons for Elementor (WordPress plugin) versions up to 3.21.0 allows authenticated contributors and above to clone any published content by reusing a nonce from their own posts and modifying the target post ID. The vulnerability stems from insufficient object-level permission checks in the duplicate function, which only validates generic edit capabilities rather than verifying access to specific posts. Attackers can exploit this to duplicate other users' posts, pages, or custom post types without authorization.
Stored XSS in Adobe Commerce 2.4.4 through 2.4.9-alpha3 allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when victims view the affected pages. The vulnerability requires user interaction and could lead to session hijacking, credential theft, or malware distribution within Commerce environments. No patch is currently available for affected versions.
Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims access pages containing the injected payload, the JavaScript executes in their browser context, potentially leading to session hijacking, credential theft, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged users to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can leverage this vulnerability to steal session tokens, credentials, or perform actions on behalf of victims within the AEM environment. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials can compromise other users' sessions and steal sensitive data by crafting specially crafted input. Currently no patch is available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker with valid credentials could leverage this vulnerability to steal session tokens, modify page content, or perform actions on behalf of victims who view the compromised forms. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in users' browsers when the page is viewed. An attacker with login credentials can craft payloads in vulnerable fields to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can leverage this to steal session tokens, perform unauthorized actions, or redirect victims to malicious sites when they view compromised pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts through form fields that execute in other users' browsers. An attacker with valid credentials can craft payloads to steal session tokens, redirect users, or perform actions on their behalf when victims view affected pages. No patch is currently available for this vulnerability.
Adobe Experience Manager 6.5.23 and earlier contain a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts executed in other users' browsers. An attacker can exploit this to steal credentials, perform unauthorized actions, or deface content when victims access affected pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. This requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims within the application context. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the compromised pages. The vulnerability requires low privileges and user interaction, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker can exploit this vulnerability to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through script execution in victims' browsers. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with valid credentials can exploit this vulnerability to steal session tokens, perform actions on behalf of victims, or redirect users to malicious sites. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in other users' browsers. An attacker can exploit this vulnerability to perform actions on behalf of victims or steal sensitive information when they visit pages containing the compromised fields. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields that execute in victims' browsers. An attacker can exploit this vulnerability by injecting JavaScript that runs when other users access pages containing the compromised fields, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in other users' browsers. An attacker could exploit this to steal session tokens, redirect users, or perform actions on behalf of victims viewing affected pages. No patch is currently available.
Adobe Experience Manager 6.5.23 and earlier contains a stored XSS vulnerability in form fields that allows low-privileged authenticated users to inject malicious scripts. When victims visit pages containing the injected payload, the attacker's JavaScript executes in their browser, potentially compromising user sessions or stealing sensitive data. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in other users' browsers. An attacker with low privileges can craft malicious input that persists in the application and compromises confidentiality and integrity for victims who access the affected pages. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged authenticated users to inject malicious scripts into form fields that execute in victims' browsers when the contaminated pages are viewed. An attacker with valid credentials can exploit this to steal session tokens, credentials, or perform actions on behalf of affected users. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when users view the affected pages. A low-privileged user can exploit this to perform actions in the context of other users' browsers, potentially compromising session integrity and enabling credential theft or data exfiltration. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows low-privileged attackers to inject malicious scripts into form fields that execute when victims view affected pages. The vulnerability requires user interaction and can result in session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. The vulnerability requires low-level privileges and user interaction to exploit, enabling attackers to steal session data or perform actions on behalf of victims. No patch is currently available for this medium-severity issue.
Stored XSS in Adobe Experience Manager versions 6.5.23 and earlier enables low-privileged attackers to embed malicious scripts in form fields that execute when legitimate users view the affected pages. An attacker with basic authentication can inject JavaScript that runs in victims' browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with login credentials can compromise victim browsers and potentially steal sensitive information or perform unauthorized actions within the application context. No patch is currently available for this vulnerability.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers with low privileges to inject malicious scripts into form fields, which execute in the browsers of users viewing those pages. The vulnerability requires user interaction and has limited scope of impact, affecting confidentiality and integrity but not availability. No patch is currently available for this medium-severity issue.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. An attacker with low privileges and user interaction can compromise the confidentiality and integrity of victim sessions. No patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute when other users view the affected pages. A low-privileged user can exploit this to perform actions in victim browsers or steal sensitive information, though no patch is currently available.
Stored XSS in Adobe Experience Manager 6.5.23 and earlier allows authenticated attackers to inject malicious scripts into form fields that execute in victims' browsers when the affected pages are viewed. The vulnerability requires user interaction and is limited to low-impact information disclosure and modification, though it can affect multiple users due to its stored nature. No patch is currently available for this issue.