U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Java
  • Search Type: Search All
There are 7,933 matching records.
Displaying matches 321 through 340.
Vuln ID Summary CVSS Severity
CVE-2024-30264

Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the `redirectPath` parameter from the URL. If a user clicks on a link where the `redirectPath` parameter has a javascript scheme, the attacker that crafted the link may be able to execute arbitrary JavaScript with the privileges of the user. Version 2.24.0 contains a patch for this issue.

Published: April 04, 2024; 5:15:16 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-25708

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.8.1 – 10.9.1 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. 

Published: April 04, 2024; 2:15:13 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-25698

There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and Linux that allows a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser.

Published: April 04, 2024; 2:15:11 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-20800

Adobe Experience Manager versions 6.5.19 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable web pages. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable script. This could result in arbitrary code execution within the context of the victim's browser.

Published: April 04, 2024; 5:15:07 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2023-25199

A reflected cross-site scripting (XSS) vulnerability exists in the MT Safeline X-Ray X3310 webserver version NXG 19.05 that enables a remote attacker to execute JavaScript code and obtain sensitive information in a victim's browser.

Published: April 04, 2024; 3:15:07 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-2753

Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without escaping. A rogue administrator could inject malicious javascript into the Calendar Color Settings screen which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N&version=3.1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator   Thank you Rikuto Tauchi for reporting

Published: April 03, 2024; 3:15:43 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-44040

In VeridiumID before 3.5.0, the identity provider page is susceptible to a cross-site scripting (XSS) vulnerability that can be exploited by an internal unauthenticated attacker for JavaScript execution in the context of the user trying to authenticate.

Published: April 03, 2024; 1:15:47 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-31393

Dragging Javascript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections This vulnerability affects Firefox for iOS < 124.

Published: April 03, 2024; 12:15:07 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-20799

Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Published: April 02, 2024; 4:15:59 AM -0400
V4.0:(not available)
V3.1: 5.4 MEDIUM
V2.0:(not available)
CVE-2024-31033

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.

Published: March 31, 2024; 10:15:07 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-29890

DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem was fixed in the datalens-ui version `0.1449.0`. Restricting access to the API for creating or modifying charts (`/charts/api/charts/v1/`) would mitigate the issue.

Published: March 29, 2024; 11:15:12 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-23727

The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.

Published: March 28, 2024; 5:16:01 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-29882

SRS is a simple, high-efficiency, real-time video server. SRS's `/api/v1/vhosts/vid-<id>?callback=<payload>` endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS ( Cross-Site Scripting). This vulnerability is fixed in 5.0.210 and 6.0.121.

Published: March 28, 2024; 10:15:14 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-28784

IBM QRadar SIEM 7.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285893.

Published: March 27, 2024; 9:15:47 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-27270

IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576.

Published: March 27, 2024; 9:15:47 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2023-50961

IBM QRadar SIEM 7.5 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 275939.

Published: March 27, 2024; 9:15:46 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-28335

Lektor before 3.3.11 does not sanitize DB path traversal. Thus, shell commands might be executed via a file that is added to the templates directory, if the victim's web browser accesses an untrusted website that uses JavaScript to send requests to localhost port 5000, and the web browser is running on the same machine as the "lektor server" command.

Published: March 27, 2024; 2:15:19 AM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-29832

The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue. Note that other parameters within a AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited.

Published: March 26, 2024; 12:15:12 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-29810

The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.

Published: March 26, 2024; 12:15:12 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-29809

The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue.

Published: March 26, 2024; 12:15:12 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)