Debian: Security Vulnerabilities, CVEs (XSS), CVSS score >= 9
MediaWiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this flaw to become an administrator by sending a malicious link to the instance administrator.
Max CVSS: 9.0 | EPSS Score: 0.13% | Published: 2023-09-25 | Updated: 2024-02-01
LedgerSMB does not sufficiently HTML-encode error messages sent to the browser. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Max CVSS: 9.6 | EPSS Score: 2.48% | Published: 2021-08-23 | Updated: 2021-08-27
LedgerSMB does not check the origin of HTML fragments merged into the browser's DOM. By sending a specially crafted URL to an authenticated user, this flaw can be abused for remote code execution and information disclosure.
Max CVSS: 9.6 | EPSS Score: 2.26% | Published: 2021-08-23 | Updated: 2021-08-27
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can, for example, add a new admin user to gain full access to the application.
Max CVSS: 9.3 | EPSS Score: 0.31% | Published: 2019-12-12 | Updated: 2023-02-01
4 vulnerabilities found