A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website, to steal potentially sensitive information, change the appearance of the web page, or perform phishing and drive-by-download attacks.

Software/ in Webmin before 1.997 lacks HTML escaping for a UI command.
Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module.

The Read Mail module in Webmin 1.995 and Usermin through 1.850 allows XSS via a crafted HTML e-mail message.

Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8.

There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to inject HTML into some locations in the home application.

Archer Platform 6.x before 6.11 P3 contains an HTML injection vulnerability. An authenticated remote attacker could potentially exploit this vulnerability by tricking a victim application user into executing malicious code in the context of the web application.

There is an out-of-bounds write in checkType located in etc.c in w3m 0.5.3. It can be triggered by sending a crafted HTML file to the w3m binary. It allows an attacker to cause a Denial of Service or possibly have unspecified other impact.