CWE-79

Cross-site Scripting (XSS)

9101 CVEs | Avg CVSS 6.1 | Source: MITRE

94 CRITICAL
1845 HIGH
6629 MEDIUM
343 LOW
2033 POC
2 KEV

CVE-2026-1116 HIGH This Week

Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported via huntr.com bug bounty). EPSS data not provided, but the low attack complexity (AC:L) and network attack vector (AV:N) combined with high confidentiality impact (C:H) and scope change indicate significant exploitation risk for applications exposing this deserialization functionality to untrusted input.

XSS
NVD GitHub VulDB
CVSS 3.0
8.2
EPSS
0.0%
CVE-2026-6107 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.6.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in ChatHeadersMiddleware, requiring user interaction to trigger. The vulnerability has a low CVSS score (3.5) due to requiring authentication and user interaction, but XSS can lead to session hijacking or credential theft. Vendor-released patch version 2.8.0 addresses this issue.

XSS
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-6106 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.2.1 allows authenticated remote attackers to inject malicious scripts via the Name argument in the StaticHeadersMiddleware component of the Public Chat Interface. The vulnerability requires user interaction (UI:R) and has low confidentiality impact but enables persistent code execution in user browsers. Publicly available exploit code exists, and vendor-released patch version 2.8.0 resolves the issue.

XSS
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-31845 CRITICAL Act Now

Reflected cross-site scripting (XSS) in Rukovoditel CRM 3.6.4's Zadarma telephony API endpoint allows remote attackers to execute arbitrary JavaScript in victim browsers without authentication. The vulnerability stems from direct reflection of the 'zd_echo' GET parameter without sanitization. With CVSS 9.3 (Critical), changed scope (S:C), and no authentication required (PR:N), this enables session hijacking and account takeover via malicious links. No public exploit identified at time of analysis, though proof-of-concept is trivial given the code-level disclosure. EPSS data not available.

XSS PHP
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-23900 This Week

Various stored XSS vulnerabilities have been discovered in the map and icon rendering logic of the Phoca Maps component, versions 5.0.0-6.0.2.

PHP XSS WordPress Phoca Cz Phoca Maps For Joomla
NVD VulDB
EPSS
0.0%
CVE-2026-3498 MEDIUM This Month

Stored Cross-Site Scripting in BlockArt Blocks plugin for WordPress allows authenticated attackers with Author-level or higher permissions to inject arbitrary JavaScript into page content via the 'clientId' block attribute due to insufficient input sanitization and output escaping. An attacker can craft malicious block content that executes in the browsers of all users viewing the compromised page. The vulnerability affects all versions up to and including 2.2.15, with a fix available in version 2.3.0.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4895 MEDIUM This Month

Stored cross-site scripting in GreenShift - Animation and Page Builder Blocks plugin for WordPress up to version 12.8.9 allows authenticated contributors to inject arbitrary JavaScript into pages via improper HTML string manipulation in the gspb_greenShift_block_script_assets() function. The vulnerability exploits a naive str_replace() operation that fails to parse HTML context, enabling attackers to break out of attribute boundaries and inject malicious event handlers like onfocus with JavaScript payloads that execute when users access affected pages. No public exploit code has been identified; however, the low attack complexity and straightforward injection vector make this a practical risk for sites with untrusted contributors.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-5217 HIGH This Week

Unauthenticated stored XSS in the Optimole WordPress plugin (≤4.2.2) allows attackers to inject malicious scripts via the srcset descriptor parameter in the /wp-json/optimole/v1/optimizations REST endpoint. Despite HMAC signature validation, the authentication tokens are exposed in frontend HTML, enabling exploitation. Injected payloads persist in the WordPress options table via transients and execute when victim browsers render affected pages. No public exploit identified at time of analysis.

XSS PHP WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-5226 MEDIUM This Month

Reflected Cross-Site Scripting (XSS) in the Optimole - Optimize Images in Real Time WordPress plugin, versions up to 4.2.3, allows unauthenticated attackers to inject arbitrary JavaScript through malicious URL paths. The vulnerability stems from insufficient output escaping of the value returned by the get_current_url() function, which is then inserted into JavaScript code via str_replace() in replace_content() without proper JavaScript-context escaping. An attacker can craft a malicious link that, when clicked by a WordPress user, executes injected scripts in the context of the user's browser session; severity is CVSS 6.1 (Medium).

XSS WordPress
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-32893 MEDIUM This Month

Reflected XSS in Chamilo LMS exercise admin panel allows authenticated teachers to be tricked into executing arbitrary JavaScript via malicious paginated URLs, affecting versions prior to 2.0.0-RC.3. An attacker can craft a weaponized link containing unencoded query parameters that bypass the pagination mechanism's improper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%