Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-2707 | 1 Gappointments | 1 Gappointments | 2023-12-02 | N/A | 4.8 MEDIUM |
| The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2022-27914 | 1 Joomla | 1 Joomla! | 2023-12-02 | N/A | 6.1 MEDIUM |
| An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media. | |||||
| CVE-2023-39971 | 1 Acymailing | 1 Acymailing | 2023-12-02 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation vulnerability in AcyMailing Enterprise component for Joomla allows XSS. This issue affects AcyMailing Enterprise component for Joomla: 6.7.0-8.6.3. | |||||
| CVE-2022-27913 | 1 Joomla | 1 Joomla! | 2023-12-02 | N/A | 6.1 MEDIUM |
| An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components. | |||||
| CVE-2023-47755 | 1 Aazztech | 1 Woocommerce Product Carousel Slider | 2023-12-02 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AazzTech WooCommerce Product Carousel Slider plugin <= 3.3.5 versions. | |||||
| CVE-2023-5708 | 1 Wp Post Columns Project | 1 Wp Post Columns | 2023-12-02 | N/A | 5.4 MEDIUM |
| The WP Post Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'column' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5706 | 1 Vektor-inc | 1 Vk Blocks | 2023-12-02 | N/A | 5.4 MEDIUM |
| The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2014-125096 | 1 Fancy Gallery Project | 1 Fancy Gallery | 2023-12-01 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Fancy Gallery Plugin 1.5.12 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file class.options.php of the component Options Page. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.5.13 is able to address this issue. The identifier of the patch is fdf1f9e5a1ec738900f962e69c6fa4ec6055ed8d. It is recommended to upgrade the affected component. The identifier VDB-225349 was assigned to this vulnerability. | |||||
| CVE-2014-125095 | 1 Bestwebsoft | 1 Contact Form | 2023-12-01 | N/A | 6.1 MEDIUM |
| A vulnerability was found in BestWebSoft Contact Form Plugin 1.3.4 on WordPress and classified as problematic. Affected by this issue is the function bws_add_menu_render of the file bws_menu/bws_menu.php. The manipulation of the argument bwsmn_form_email leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.3.7 is able to address this issue. The name of the patch is 4d531f74b4a801c805dc80360d4ea1312e9a278f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225320. | |||||
| CVE-2017-20155 | 1 Sterc | 1 Google Analytics Dashboard For Modx | 2023-12-01 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file core/components/analyticsdashboardwidget/elements/tpl/widget.analytics.tpl of the component Internal Search. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.0.6 is able to address this issue. The identifier of the patch is 855d9560d3782c105568eedf9b22a769fbf29cc0. It is recommended to upgrade the affected component. The identifier VDB-217069 was assigned to this vulnerability. | |||||
| CVE-2023-49145 | 1 Apache | 1 Nifi | 2023-12-01 | N/A | 5.4 MEDIUM |
| Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. | |||||
| CVE-2023-49029 | 1 Smpn1smg | 1 Absis | 2023-12-01 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file. | |||||
| CVE-2023-47437 | 1 Pachno | 1 Pachno | 2023-12-01 | N/A | 5.4 MEDIUM |
| A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting (XSS) attack. The vulnerability exists due to inadequate input validation in the Project Description and comments, which enables an attacker to inject malicious JavaScript. | |||||
| CVE-2023-5209 | 1 Booking-wp-plugin | 1 Bookly | 2023-12-01 | N/A | 4.8 MEDIUM |
| The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-43701 | 1 Apache | 1 Superset | 2023-12-01 | N/A | 5.4 MEDIUM |
| Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue. | |||||
| CVE-2023-6164 | 1 Mainwp | 1 Mainwp | 2023-12-01 | N/A | 4.8 MEDIUM |
| The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags. | |||||
| CVE-2023-47380 | 1 Admidio | 1 Admidio | 2023-12-01 | N/A | 6.1 MEDIUM |
| Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2023-47314 | 1 H-mdm | 1 Headwind Mdm | 2023-11-30 | N/A | 5.4 MEDIUM |
| Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed in the victim’s browser, allowing attackers to perform common XSS attacks. | |||||
| CVE-2023-6297 | 1 Phpgurukul | 1 Nipah Virus Testing Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in PHPGurukul Nipah Virus Testing Management System 1.0. This affects an unknown part of the file patient-search-report.php of the component Search Report Page. The manipulation of the argument Search By Patient Name with the input <script>alert(document.cookie)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246123. | |||||
| CVE-2023-48042 | 1 Communitydeveloper | 1 Amazzing Filter | 2023-11-30 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing filter version up to version 3.2.5, allows remote attackers to inject arbitrary JavaScript code. | |||||
| CVE-2023-6359 | 1 Grupoalumne | 1 Alumne Lms | 2023-11-30 | N/A | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page. | |||||
| CVE-2023-5560 | 1 Lesterchan | 1 Wp-useronline | 2023-11-30 | N/A | 6.1 MEDIUM |
| The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks. | |||||
| CVE-2023-5325 | 1 Levantoan | 1 Woocommerce Vietnam Checkout | 2023-11-30 | N/A | 6.1 MEDIUM |
| The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field on the checkout form, leading to XSS. | |||||
| CVE-2023-6303 | 1 Cskaza | 1 Cszcms | 2023-11-30 | N/A | 4.8 MEDIUM |
| A vulnerability was found in CSZCMS 1.3.0. It has been classified as problematic. This affects an unknown part of the file /admin/settings/ of the component Site Settings Page. The manipulation of the argument Additional Meta Tag with the input <svg><animate onbegin=alert(1) attributeName=x dur=1s> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246129 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-6313 | 1 Url Shortener Project | 1 Url Shortener | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester URL Shortener 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Long URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246139. | |||||
| CVE-2022-25189 | 1 Jenkins | 1 Custom Checkbox Parameter | 2023-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-25837 | 1 Esri | 1 Portal For Arcgis | 2023-11-30 | N/A | 4.8 MEDIUM |
| There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser. The privileges required to execute this attack are high. | |||||
| CVE-2023-25835 | 1 Esri | 1 Portal For Arcgis | 2023-11-30 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which when clicked could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. | |||||
| CVE-2023-38883 | 1 Os4ed | 1 Opensis | 2023-11-30 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'. | |||||
| CVE-2023-38882 | 1 Os4ed | 1 Opensis | 2023-11-30 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php' | |||||
| CVE-2023-38881 | 1 Os4ed | 1 Opensis | 2023-11-30 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'. | |||||
| CVE-2020-35438 | 1 Kamalkhan | 1 Kk Star Ratings | 2023-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the kk Star Ratings plugin before 4.1.5. | |||||
| CVE-2022-46843 | 1 Levantoan | 1 Woocommerce Vietnam Checkout | 2023-11-30 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Le Van Toan Woocommerce Vietnam Checkout plugin <= 2.0.4 versions. | |||||
| CVE-2023-5942 | 1 Drelton | 1 Medialist | 2023-11-30 | N/A | 5.4 MEDIUM |
| The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-6300 | 1 Mayurik | 1 Best Courier Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Best Courier Management System 1.0. Affected is an unknown function. The manipulation of the argument page with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246126 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-6301 | 1 Mayurik | 1 Best Courier Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in SourceCodester Best Courier Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file parcel_list.php of the component GET Parameter Handler. The manipulation of the argument id with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246127. | |||||
| CVE-2023-4514 | 1 Mediamanifesto | 1 Mmm Simple File List | 2023-11-30 | N/A | 5.4 MEDIUM |
| The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-49215 | 1 Usedesk | 1 Usedesk | 2023-11-30 | N/A | 6.1 MEDIUM |
| Usedesk before 1.7.57 allows filter reflected XSS. | |||||
| CVE-2023-49216 | 1 Usedesk | 1 Usedesk | 2023-11-30 | N/A | 5.4 MEDIUM |
| Usedesk before 1.7.57 allows profile stored XSS. | |||||
| CVE-2023-47773 | 1 Yasglobal | 1 Permalinks Customizer | 2023-11-30 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YAS Global Team Permalinks Customizer plugin <= 2.8.2 versions. | |||||
| CVE-2023-47786 | 1 Layerslider | 1 Layerslider | 2023-11-30 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LayerSlider plugin <= 7.7.9 versions. | |||||
| CVE-2023-4406 | 1 Kc Group E-commerce Software Project | 1 Kc Group E-commerce Software | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KC Group E-Commerce Software allows Reflected XSS. This issue affects E-Commerce Software: through 20231123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4594 | 2 Microsoft, Seattlelab | 2 Windows, Slmail | 2023-11-29 | N/A | 5.4 MEDIUM |
| Stored XSS vulnerability. This vulnerability could allow an attacker to store a malicious JavaScript payload via GET and POST methods on multiple parameters in the MailAdmin_dll.htm file. | |||||
| CVE-2023-41789 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-41791 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-41810 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets' text box. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-41811 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-5715 | 1 Plerdy | 1 Heatmap | 2023-11-29 | N/A | 4.8 MEDIUM |
| The Website Optimization – Plerdy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tracking code settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2023-48124 | 1 Nayemhowlader | 1 Sup Online Shopping | 2023-11-29 | N/A | 5.4 MEDIUM |
| Cross Site Scripting in SUP Online Shopping v.1.0 allows a remote attacker to execute arbitrary code via the Name, Email and Address parameters in the Register New Account component. | |||||
| CVE-2023-5598 | 1 Dassault | 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 | 2023-11-29 | N/A | 5.4 MEDIUM |
| Stored Cross-site Scripting (XSS) vulnerabilities affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allow an attacker to execute arbitrary script code. | |||||
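Many rows above are the same defect seen from different inputs: a request value (the `page` and `id` parameters in CVE-2023-6300/6301, the `X-Forwarded-For` header in CVE-2023-5560, an admin setting in CVE-2023-6303) is written into the page without escaping for the context it lands in. The Python below is an added example, not code from any of the listed projects; the handler, its markup and the forwarded-for header value are constructed, while the two payloads are the ones quoted in the CVE-2023-6300 and CVE-2023-6303 descriptions. It renders a vulnerable and a fixed version of the same page, and adds the scheme check that escaping alone does not give you for the crafted links CVE-2023-25835/25837 describe.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs. The first two payloads are quoted verbatim in the
# CVE-2023-6300/6301 and CVE-2023-6303 descriptions; the header value is made up.
TITLE_BREAKOUT = "</TiTlE><ScRiPt>alert(1)</ScRiPt>"
SVG_EVENT = "<svg><animate onbegin=alert(1) attributeName=x dur=1s>"
FORWARDED_FOR = "203.0.113.9, <img src=x onerror=alert(document.cookie)>"


def esc_text(value: str) -> str:
    """Escape for HTML text content. Also correct inside <title>: the browser
    shows &lt; as a literal '<', but the tokenizer never sees a real </title>
    end tag, so the element cannot be closed early."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """Escape for a quoted attribute value (both quote characters escaped)."""
    return html.escape(value, quote=True)


def safe_href(url: str) -> str:
    """Escaping does not stop javascript: URLs in href; allow only http(s).
    Browsers drop tabs/newlines and surrounding whitespace while parsing the
    scheme, so remove them before checking or 'java\\tscript:' slips through."""
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    if urlsplit(cleaned).scheme.lower() in ("http", "https"):
        return esc_attr(cleaned)
    return "#"


def render_vulnerable(page: str, client_ip: str, link: str) -> str:
    """Raw interpolation: the pattern behind the reflected XSS rows above.
    client_ip comes straight from X-Forwarded-For, which any client can set."""
    return (f"<html><head><title>{page}</title></head><body>"
            f"<p>Visitor from {client_ip}</p><a href=\"{link}\">home</a>"
            f"</body></html>")


def render_fixed(page: str, client_ip: str, link: str) -> str:
    """Same page with each value escaped for the context it lands in."""
    return (f"<html><head><title>{esc_text(page)}</title></head><body>"
            f"<p>Visitor from {esc_text(client_ip)}</p>"
            f"<a href=\"{safe_href(link)}\">home</a></body></html>")


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
END_TITLE = re.compile(r"</title\s*>", re.IGNORECASE)


def script_tag_count(doc: str) -> int:
    """Number of literal <script> start tags the tokenizer would see."""
    return len(SCRIPT_TAG.findall(doc))


def title_end_count(doc: str) -> int:
    """Number of </title> end tags; a correct page has exactly one."""
    return len(END_TITLE.findall(doc))


if __name__ == "__main__":
    bad = render_vulnerable(TITLE_BREAKOUT, FORWARDED_FOR, "javascript:alert(1)")
    good = render_fixed(TITLE_BREAKOUT, FORWARDED_FOR, "javascript:alert(1)")
    print("vulnerable:", script_tag_count(bad), "script tag(s),",
          title_end_count(bad), "</title> tag(s)")
    print("fixed:     ", script_tag_count(good), "script tag(s),",
          title_end_count(good), "</title> tag(s)")
```

The `</TiTlE>` payload matters because `<title>` is an RCDATA element: nothing inside it is parsed as a tag except its own end tag, so the attacker has to close it first, and entity-escaping `<` is exactly what denies that. The `X-Forwarded-For` case is the same fix; what makes it notable in CVE-2023-5560 is that the input is a header rather than a form field, so it is unauthenticated and easy to miss in review.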
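CVE-2023-47314 above spells out a mechanism worth separating from the escaping bugs: the download endpoint returns uploaded files inline with the uploader's own content type, so an uploaded `.html` is rendered as a page on the MDM origin. The following Python is an added example of the server-side fix, not Headwind MDM code; the function names, the extension-to-type table and the sample filenames are assumptions.

```python
import re
from urllib.parse import quote

# Content types we are willing to declare, chosen by stored extension only.
# Anything else goes out as an opaque download. (This table is an assumption.)
TYPE_BY_EXTENSION = {
    "apk": "application/vnd.android.package-archive",
    "png": "image/png",
}
GENERIC_TYPE = "application/octet-stream"


def vulnerable_download_headers(stored_name: str, declared_type: str) -> dict:
    """The pattern CVE-2023-47314 describes: inline disposition plus the
    uploader's declared type, so report.html is rendered on our origin."""
    return {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{stored_name}"',
    }


def safe_filename(name: str) -> str:
    """Last path component only; no controls, quotes, backslashes or ';'
    (which would let a name inject extra header parameters); bounded length."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r'[\x00-\x1f\x7f"\\;]', "", base).strip(". ")
    return base[:128] or "download"


def download_headers(stored_name: str) -> dict:
    """Headers for serving an uploaded file. The uploader's declared
    Content-Type is never consulted; the disposition is always attachment;
    nosniff stops the browser second-guessing the type; the CSP sandbox is
    defence in depth in case someone later flips this back to inline."""
    name = safe_filename(stored_name)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ascii_name = name.encode("ascii", "replace").decode("ascii")
    return {
        "Content-Type": TYPE_BY_EXTENSION.get(ext, GENERIC_TYPE),
        "Content-Disposition": (f'attachment; filename="{ascii_name}"; '
                                f"filename*=UTF-8''{quote(name)}"),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def browser_would_render(headers: dict) -> bool:
    """Rough model of what a browser does with the response: anything marked
    attachment is saved; otherwise HTML-like types are rendered as a page, and
    an empty type is sniffed unless nosniff is set."""
    disposition = headers.get("Content-Disposition", "inline")
    if disposition.split(";", 1)[0].strip().lower() == "attachment":
        return False
    ctype = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    if ctype in ("text/html", "application/xhtml+xml", "image/svg+xml"):
        return True
    return ctype == "" and headers.get("X-Content-Type-Options", "").lower() != "nosniff"


if __name__ == "__main__":
    for headers in (vulnerable_download_headers("report.html", "text/html"),
                    download_headers("report.html")):
        print("renders as page:", browser_would_render(headers), headers)
```

If the product genuinely needs inline viewing of some uploads, serve them from a separate origin that holds no session cookies; an attachment disposition on the main origin is the cheaper fix and is what the CVE text implies was missing.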
