Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46857 | 1 Squidex.io | 1 Squidex | 2023-12-12 | N/A | 5.4 MEDIUM |
| Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attacker with the assets.create permission is required for exploitation. | |||||
| CVE-2023-49225 | 1 Ruckuswireless | 74 C110, C110 Firmware, E510 and 71 more | 2023-12-12 | N/A | 6.1 MEDIUM |
| A cross-site scripting vulnerability exists in Ruckus Access Point products (ZoneDirector, SmartZone, and AP Solo). If this vulnerability is exploited, an arbitrary script may be executed in the web browser of the user who is logging in to the product. For the affected products/models/versions, see the information provided by the vendor listed under the [References] section or the list under the [Product Status] section. | |||||
| CVE-2023-28017 | 1 Hcltech | 1 Connections | 2023-12-12 | N/A | 5.4 MEDIUM |
| HCL Connections is vulnerable to a cross-site scripting attack: an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user who visits the vulnerable URL. This may let the attacker steal cookie-based authentication credentials, compromise the user's account, and then launch other attacks. | |||||
| CVE-2023-28875 | 1 Afian | 1 Filerun | 2023-12-11 | N/A | 5.4 MEDIUM |
| A Stored XSS issue in shared files download terms in Filerun Update 20220202 allows attackers to inject JavaScript code that is executed when a user follows the crafted share link. | |||||
| CVE-2023-48940 | 1 Daicuo | 1 Daicuo | 2023-12-11 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in /admin.php of DaiCuo v2.5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2023-46693 | 1 Formalms | 1 Formalms | 2023-12-11 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters. | |||||
| CVE-2023-49444 | 1 Html-js | 1 Doracms | 2023-12-11 | N/A | 5.4 MEDIUM |
| An arbitrary file upload vulnerability in DoraCMS v2.1.8 allows attackers to execute arbitrary code via uploading a crafted HTML or image file as the user avatar. | |||||
| CVE-2023-49484 | 1 Iteachyou | 1 Dreamer Cms | 2023-12-11 | N/A | 5.4 MEDIUM |
| Dreamer CMS v4.1.3 was discovered to contain a cross-site scripting (XSS) vulnerability in the article management department. | |||||
| CVE-2023-6527 | 1 I13websolution | 1 Email Subscription Popup | 2023-12-11 | N/A | 6.1 MEDIUM |
| The Email Subscription Popup plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the HTTP_REFERER header in all versions up to, and including, 1.2.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-46974 | 1 Mayurik | 1 Courier Management System | 2023-12-09 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Best Courier Management System v.1.000 allows a remote attacker to execute arbitrary code via a crafted payload to the page parameter in the URL. | |||||
| CVE-2023-6568 | 1 Lfprojects | 1 Mlflow | 2023-12-09 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository mlflow/mlflow prior to 2.9.0. | |||||
| CVE-2023-48825 | 1 Phpjabbers | 1 Availability Booking Calendar | 2023-12-09 | N/A | 5.4 MEDIUM |
| Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code. | |||||
| CVE-2023-48828 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-12-09 | N/A | 5.4 MEDIUM |
| Time Slots Booking Calendar 4.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | |||||
| CVE-2023-48827 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-12-09 | N/A | 5.4 MEDIUM |
| Time Slots Booking Calendar 4.0 is vulnerable to Multiple HTML Injection issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | |||||
| CVE-2023-48824 | 1 Boidcms | 1 Boidcms | 2023-12-09 | N/A | 5.4 MEDIUM |
| BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action. | |||||
| CVE-2023-48838 | 1 Phpjabbers | 1 Appointment Scheduler | 2023-12-09 | N/A | 5.4 MEDIUM |
| Appointment Scheduler 3.0 is vulnerable to Multiple HTML Injection issues via the SMS API Key or Default Country Code. | |||||
| CVE-2023-48172 | 1 Phpjabbers | 1 Shuttle Booking Software | 2023-12-09 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Shuttle Booking Software 2.0 allows a remote attacker to inject JavaScript via the name, description, title, or address parameter to index.php. | |||||
| CVE-2023-48208 | 1 Phpjabbers | 1 Availability Booking Calendar | 2023-12-09 | N/A | 6.1 MEDIUM |
| A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, plugin_sms_api_key, plugin_sms_country_code, uuid, title, or country name parameter to index.php. | |||||
| CVE-2023-48206 | 1 Mayurik | 1 Courier Management System | 2023-12-09 | N/A | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in GaatiTrack Courier Management System 1.0 allows a remote attacker to inject JavaScript via the page parameter to login.php or header.php. | |||||
| CVE-2023-48837 | 1 Phpjabbers | 1 Car Rental Script | 2023-12-09 | N/A | 5.4 MEDIUM |
| Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code. | |||||
| CVE-2023-48839 | 1 Phpjabbers | 1 Appointment Scheduler | 2023-12-09 | N/A | 5.4 MEDIUM |
| Appointment Scheduler 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | |||||
| CVE-2023-48836 | 1 Phpjabbers | 1 Car Rental Script | 2023-12-09 | N/A | 5.4 MEDIUM |
| Car Rental Script 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | |||||
| CVE-2015-10092 | 1 Qtranslate Slug Project | 1 Qtranslate Slug | 2023-12-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Qtranslate Slug Plugin up to 1.1.16 on WordPress. It has been classified as problematic. Affected is the function add_slug_meta_box of the file includes/class-qtranslate-slug.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.1.17 is able to address this issue. The name of the patch is 74b3932696f9868e14563e51b7d0bb68c53bf5e4. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222324. | |||||
| CVE-2023-3085 | 1 X-wrt | 1 Luci | 2023-12-08 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in X-WRT luci up to 22.10_b202303061504. This issue affects the function run_action of the file modules/luci-base/ucode/dispatcher.uc of the component 404 Error Template Handler. The manipulation of the argument request_path leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 22.10_b202303121313 is able to address this issue. The patch is named 24d7da2416b9ab246825c33c213fe939a89b369c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230663. | |||||
| CVE-2014-125078 | 1 Horizon Project | 1 Horizon | 2023-12-08 | N/A | 5.4 MEDIUM |
| A vulnerability was found in yanheven console and classified as problematic. Affected by this issue is some unknown functionality of the file horizon/static/horizon/js/horizon.instances.js. The manipulation leads to cross site scripting. The attack may be launched remotely. The patch is identified as 32a7b713468161282f2ea01d5e2faff980d924cd. It is recommended to apply a patch to fix this issue. VDB-218354 is the identifier assigned to this vulnerability. | |||||
| CVE-2014-125070 | 1 Console Project | 1 Console | 2023-12-08 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in yanheven console and classified as problematic. Affected by this vulnerability is the function get_zone_hosts/AvailabilityZonesTable of the file openstack_dashboard/dashboards/admin/aggregates/tables.py. The manipulation leads to cross site scripting. The attack can be launched remotely. The patch is named ba908ae88d5925f4f6783eb234cc4ea95017472b. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217651. | |||||
| CVE-2023-49293 | 1 Vitejs | 1 Vite | 2023-12-08 | N/A | 6.1 MEDIUM |
| Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via `server.transformIndexHtml`, the original request URL is passed in unmodified, and the `html` being transformed contains inline module scripts (`<script type="module">...</script>`), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to `server.transformIndexHtml`. Only apps using `appType: 'custom'` and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker. This issue has been addressed in vite@5.0.5, vite@4.5.1, and vite@4.4.12. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-49289 | 1 Michaelschwarz | 1 Ajax.net Professional | 2023-12-08 | N/A | 5.4 MEDIUM |
| Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET which creates proxy JavaScript classes that are used on the client side to invoke methods on the web server. Affected versions of this package are vulnerable to cross-site scripting attacks. Releases before version 21.12.22.1 are affected. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2019-0221 | 1 Apache | 1 Tomcat | 2023-12-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. | |||||
| CVE-2023-24050 | 1 Connectize | 2 Ac21000 G6, Ac21000 G6 Firmware | 2023-12-08 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Connectize AC21000 G6 641.139.1.1256 allows attackers to run arbitrary code via crafted string when setting the Wi-Fi password in the admin panel. | |||||
| CVE-2023-40460 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2023-12-08 | N/A | 5.4 MEDIUM |
| The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted. | |||||
| CVE-2023-40461 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2023-12-08 | N/A | 4.8 MEDIUM |
| The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition. | |||||
| CVE-2023-5768 | 1 Hitachienergy | 8 Rtu520, Rtu520 Firmware, Rtu530 and 5 more | 2023-12-07 | N/A | 6.1 MEDIUM |
| A vulnerability exists in the HCI IEC 60870-5-104 that affects the RTU500 series product versions listed below. An incomplete or malformed received APDU frame layout may cause blocking on the link layer. The cause was endless blocking when reading incoming frames on the link layer with wrong length information in the APDU, or with delayed reception of data octets. Only the communication link of the affected HCI IEC 60870-5-104 is blocked. If the attack sequence stops, communication on the previously attacked link returns to normal. | |||||
| CVE-2023-4460 | 1 Uploading Svg\, Webp And Ico Files Project | 1 Uploading Svg\, Webp And Ico Files | 2023-12-07 | N/A | 5.4 MEDIUM |
| The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2023-5137 | 1 Shooflysolutions | 1 Simply Excerpts | 2023-12-07 | N/A | 4.8 MEDIUM |
| The Simply Excerpts WordPress plugin through 1.4 does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-5141 | 1 Bannersky | 1 Bsk Contact Form 7 Blacklist | 2023-12-07 | N/A | 6.1 MEDIUM |
| The BSK Contact Form 7 Blacklist WordPress plugin through 1.0.1 does not sanitise and escape the inserted_count parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins. | |||||
| CVE-2023-5210 | 1 Amp-cloud | 1 Amp Plus | 2023-12-07 | N/A | 6.1 MEDIUM |
| The AMP+ Plus WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins. | |||||
| CVE-2018-12998 | 1 Zohocorp | 5 Firewall Analyzer, Manageengine Netflow Analyzer, Manageengine Network Configuration Manager and 2 more | 2023-12-07 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | |||||
| CVE-2023-5809 | 1 Ays-pro | 1 Popup Box | 2023-12-07 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-5874 | 1 Ays-pro | 1 Popup Box | 2023-12-07 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-5951 | 1 Collne | 1 Welcart | 2023-12-07 | N/A | 6.1 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins. | |||||
| CVE-2023-48866 | 1 Grocy Project | 1 Grocy | 2023-12-07 | N/A | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in the recipe preparation component within /api/objects/recipes and note component within /api/objects/shopping_lists/ of Grocy <= 4.0.3 allows attackers to obtain the victim's cookies. | |||||
| CVE-2023-5767 | 1 Hitachienergy | 8 Rtu520, Rtu520 Firmware, Rtu530 and 5 more | 2023-12-07 | N/A | 6.1 MEDIUM |
| A vulnerability exists in the webserver that affects the RTU500 series product versions listed below. A malicious actor could perform cross-site scripting on the webserver due to an RDT language file being improperly sanitized. | |||||
| CVE-2023-6466 | 1 Thecosy | 1 Icecms | 2023-12-07 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Thecosy IceCMS 2.0.1. It has been declared as problematic. This vulnerability affects unknown code of the file /planet of the component User Comment Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-246616. | |||||
| CVE-2023-33356 | 1 Thecosy | 1 Icecms | 2023-12-07 | N/A | 5.4 MEDIUM |
| IceCMS v1.0.0 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2020-29315 | 1 Thinkadmin | 1 Thinkadmin | 2023-12-07 | 4.3 MEDIUM | 5.4 MEDIUM |
| ThinkAdmin version v1 v6 has a stored XSS vulnerability which allows remote attackers to inject an arbitrary web script or HTML. | |||||
| CVE-2023-44761 | 1 Concretecms | 1 Concrete Cms | 2023-12-07 | N/A | 5.4 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions 8.5.13 and below, and 9.0.0 through 9.2.1, allow a local attacker to execute arbitrary code via a crafted script submitted to the Forms of the Data Objects. | |||||
| CVE-2023-44765 | 1 Concretecms | 1 Concrete Cms | 2023-12-07 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | |||||
| CVE-2022-4957 | 1 Librespeed | 1 Speedtest | 2023-12-07 | N/A | 6.1 MEDIUM |
| A vulnerability was found in librespeed speedtest up to 5.2.4. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file results/stats.php. The manipulation of the argument id leads to cross site scripting. The attack can be launched remotely. Upgrading to version 5.2.5 is able to address this issue. The patch is named a85f2c086f3449dffa8fe2edb5e2ef3ee72dc0e9. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-246643. | |||||
| CVE-2023-6472 | 1 Phpems | 1 Phpems | 2023-12-06 | N/A | 4.8 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in PHPEMS 7.0. This issue affects some unknown processing of the file app\content\cls\api.cls.php of the component Content Section Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246629 was assigned to this vulnerability. | |||||
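
Two entries above share one root cause: SVG uploads that are inspected with a denylist (CVE-2023-46857, where the check missed JavaScript in an IFRAME `src`) or not inspected at all (CVE-2023-4460). The block below is an added example written for this page, not Squidex's or the WordPress plugin's code; the denylist rules in it are a constructed model of the "incomplete blacklist" pattern, not the rules those projects actually used, and the sample SVG uploads are constructed. It puts a denylist inspector beside an allowlist inspector and runs both over the same inputs, so the gap is visible: the denylist passes an `<iframe src="javascript:...">` inside `<foreignObject>` and a `java&#x09;script:` href, while the allowlist rejects both.

```python
"""SVG upload inspection: a denylist with the classic gap, beside an allowlist.

Added illustration only. It is not Squidex's or the WordPress plugin's code;
the denylist rules are a constructed model of the pattern, not the real ones.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample uploads (not taken from any advisory).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
IFRAME = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
          b'<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:alert(1)"/>'
          b'</foreignObject></svg>')
OBFUSCATED = (b'<svg xmlns="http://www.w3.org/2000/svg">'
              b'<a href="java&#x09;script:alert(1)"><text>click</text></a></svg>')


def _local(name: str) -> str:
    """Strip the ElementTree '{namespace}' prefix from a tag or attribute name."""
    return name.rsplit("}", 1)[-1]


def _namespace(name: str) -> str:
    return name[1:].split("}", 1)[0] if name.startswith("{") else ""


def _parse(svg: bytes) -> ET.Element:
    # xml.etree does not fetch external entities, but for untrusted uploads in
    # production use defusedxml so entity-expansion attacks are covered too.
    return ET.fromstring(svg)


def denylist_inspect(svg: bytes) -> tuple[bool, str]:
    """Denylist model: block <script>, on* handlers and javascript: hrefs.

    It never looks at `src`, so an <iframe src="javascript:..."> inside
    <foreignObject> passes, which is the shape of the flaw described above.
    Returns (accepted, reason).
    """
    for el in _parse(svg).iter():
        if _local(el.tag).lower() == "script":
            return False, "script element"
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                return False, f"event handler {name}"
            if name == "href" and value.lower().startswith("javascript:"):
                return False, "javascript: href"
    return True, "ok"


ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "use", "lineargradient",
    "radialgradient", "stop", "clippath", "mask", "symbol", "a",
}
ALLOWED_ATTRIBUTES = {
    "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx",
    "ry", "d", "width", "height", "viewbox", "fill", "stroke", "stroke-width",
    "transform", "points", "offset", "stop-color", "href", "version",
    "opacity", "font-size", "font-family", "text-anchor", "style",
}
# Browsers skip whitespace and control characters inside a scheme; strip
# them before matching, otherwise "java<TAB>script:" slips through.
_CTRL_WS = re.compile(r"[\s\x00-\x1f\x7f]")


def _safe_reference(value: str) -> bool:
    """Accept only same-document fragments and http(s) URLs."""
    v = _CTRL_WS.sub("", value).lower()
    return v.startswith("#") or v.startswith("http://") or v.startswith("https://")


def allowlist_inspect(svg: bytes) -> tuple[bool, str]:
    """Allowlist: anything not explicitly known (element, attribute,
    namespace, reference scheme) rejects the upload. Returns (accepted, reason)."""
    for el in _parse(svg).iter():
        if _namespace(el.tag) not in ("", SVG_NS):
            return False, f"foreign namespace element {_local(el.tag)}"
        tag = _local(el.tag).lower()
        if tag not in ALLOWED_ELEMENTS:
            return False, f"element {tag} not allowed"
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name not in ALLOWED_ATTRIBUTES:
                return False, f"attribute {name} not allowed"
            if name == "href" and not _safe_reference(value):
                return False, f"unsafe reference {value!r}"
            if name == "style" and "url(" in _CTRL_WS.sub("", value).lower():
                return False, "url() in style"
    return True, "ok"


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("script", SCRIPT),
                          ("iframe", IFRAME), ("obfuscated", OBFUSCATED)]:
        print(f"{label:10} denylist={denylist_inspect(sample)} "
              f"allowlist={allowlist_inspect(sample)}")
```

The allowlist rejects the iframe sample three times over (the `foreignObject` element, the XHTML namespace, and the `src` attribute), which is the property you want from upload inspection: a single missed rule should not be enough to get script into a rendered SVG. Serving uploads from a separate origin, or with `Content-Disposition: attachment`, limits the blast radius even when inspection is wrong.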
