Search
Total
13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-4382 | 1 Tdevs | 1 Hyip Rio | 2023-08-22 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in tdevs Hyip Rio 2.1. Affected by this issue is some unknown functionality of the file /user/settings of the component Profile Settings. The manipulation of the argument avatar leads to cross site scripting. The attack may be launched remotely. VDB-237314 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4321 | 1 Agentejo | 1 Cockpit | 2023-08-22 | N/A | 6.1 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3. | |||||
| CVE-2023-29455 | 1 Zabbix | 1 Frontend | 2023-08-22 | N/A | 6.1 MEDIUM |
| Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script is activated through a link, which sends a request to a website with a vulnerability that enables execution of malicious scripts. | |||||
| CVE-2023-29457 | 1 Zabbix | 1 Frontend | 2023-08-22 | N/A | 6.1 MEDIUM |
| Reflected XSS attacks, occur when a malicious script is reflected off a web application to the victim's browser. The script can be activated through Action form fields, which can be sent as request to a website with a vulnerability that enables execution of malicious scripts. | |||||
| CVE-2022-35229 | 1 Zabbix | 1 Zabbix | 2023-08-22 | 3.5 LOW | 5.4 MEDIUM |
| An authenticated user can create a link with reflected Javascript code inside it for the discovery page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. | |||||
| CVE-2023-29456 | 1 Zabbix | 1 Frontend | 2023-08-22 | N/A | 5.4 MEDIUM |
| URL validation scheme receives input from a user and then parses it to identify its various components. The validation scheme can ensure that all URL components comply with internet standards. | |||||
| CVE-2023-29454 | 1 Zabbix | 1 Frontend | 2023-08-22 | N/A | 5.4 MEDIUM |
| Stored or persistent cross-site scripting (XSS) is a type of XSS where the attacker first sends the payload to the web application, then the application saves the payload (e.g., in a database or server-side text files), and finally, the application unintentionally executes the payload for every victim visiting its web pages. | |||||
| CVE-2023-38904 | 1 Decapcms | 1 Netlify Cms | 2023-08-22 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in Netlify CMS v.2.10.192 allows a remote attacker to execute arbitrary code via a crafted payload to the body parameter of the new post function. | |||||
| CVE-2023-26140 | 1 Excalidraw | 1 Excalidraw | 2023-08-22 | N/A | 6.1 MEDIUM |
| Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization. | |||||
| CVE-2023-0058 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
| CVE-2023-30786 | 1 Fuzzguard | 1 Captcha Them All | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Benjamin Guy Captcha Them All plugin <= 1.3.3 versions. | |||||
| CVE-2023-30871 | 1 Webdados | 1 Stock Exporter For Woocommerce | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PT Woo Plugins (by Webdados) Stock Exporter for WooCommerce plugin <= 1.1.0 versions. | |||||
| CVE-2023-30779 | 1 Daggerheart | 1 Query Wrangler | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Jonathan Daggerhart Query Wrangler plugin <= 1.5.51 versions. | |||||
| CVE-2022-4782 | 1 Clickfunnels | 1 Clickfunnels | 2023-08-22 | N/A | 5.4 MEDIUM |
| The ClickFunnels WordPress plugin through 3.1.1 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack. | |||||
| CVE-2023-2122 | 1 10web | 1 Image Optimizer | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link. | |||||
| CVE-2023-2225 | 1 Pottie | 1 Seo Alert | 2023-08-22 | N/A | 4.8 MEDIUM |
| The SEO ALert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-2254 | 1 Ko-fi | 1 Ko-fi Button | 2023-08-22 | N/A | 4.8 MEDIUM |
| The Ko-fi Button WordPress plugin before 1.3.3 does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup), and we consider it a low risk. | |||||
| CVE-2023-2123 | 1 Wpinventory | 1 Wp Inventory Manager | 2023-08-22 | N/A | 6.1 MEDIUM |
| The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. | |||||
| CVE-2023-2272 | 1 Tiempo | 1 Tiempo | 2023-08-22 | N/A | 6.1 MEDIUM |
| The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-38687 | 1 Mskocik | 1 Svelecte | 2023-08-22 | N/A | 5.4 MEDIUM |
| Svelecte is a flexible autocomplete/select component written in Svelte. Svelecte item names are rendered as raw HTML with no escaping. This allows the injection of arbitrary HTML into the Svelecte dropdown. This can be exploited to execute arbitrary JavaScript whenever a Svelecte dropdown is opened. Item names given to Svelecte appear to be directly rendered as HTML by the default item renderer. This means that any HTML tags in the name are rendered as HTML elements not as text. Note that the custom item renderer shown in https://mskocik.github.io/svelecte/#item-rendering is also vulnerable to the same exploit. Any site that uses Svelecte with dynamically created items either from an external source or from user-created content could be vulnerable to an XSS attack (execution of untrusted JavaScript), clickjacking or any other attack that can be performed with arbitrary HTML injection. The actual impact of this vulnerability for a specific application depends on how trustworthy the sources that provide Svelecte items are and the steps that the application has taken to mitigate XSS attacks. XSS attacks using this vulnerability are mostly mitigated by a Content Security Policy that blocks inline JavaScript. This issue has been addressed in version 3.16.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-30473 | 1 Icopydoc | 1 Yml For Yandex Market | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov YML for Yandex Market plugin <= 3.10.7 versions. | |||||
| CVE-2023-30782 | 1 Churchadminplugin | 1 Church Admin | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moyle Church Admin plugin <= 3.7.5 versions. | |||||
| CVE-2023-30785 | 1 I13websolution | 1 Video Grid | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirteen Web Solution Video Grid plugin <= 1.21 versions. | |||||
| CVE-2023-30784 | 1 Kayastudio | 1 Kaya Qr Code Generator | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Kaya Studio Kaya QR Code Generator plugin <= 1.5.2 versions. | |||||
| CVE-2023-1110 | 1 Yellowyard | 1 Yellow Yard Searchbar | 2023-08-22 | N/A | 5.4 MEDIUM |
| The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-0274 | 1 Asandia | 1 Url Params | 2023-08-22 | N/A | 5.4 MEDIUM |
| The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-1465 | 1 Wpeasypay | 1 Wp Easypay | 2023-08-22 | N/A | 6.1 MEDIUM |
| The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin | |||||
| CVE-2023-30778 | 1 Blubrry | 1 Powerpress | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Blubrry PowerPress Podcasting plugin by Blubrry plugin <= 10.0.1 versions. | |||||
| CVE-2023-30747 | 1 Wpgem | 1 Woocommerce Easy Duplicate Product | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPGem WooCommerce Easy Duplicate Product plugin <= 0.3.0.0 versions. | |||||
| CVE-2023-30498 | 1 Codeflavors | 1 Vimeotheque | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodeFlavors Vimeotheque: Vimeo WordPress Plugin <= 2.2.1 versions. | |||||
| CVE-2023-4347 | 1 Librenms | 1 Librenms | 2023-08-22 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Reflected in GitHub repository librenms/librenms prior to 23.8.0. | |||||
| CVE-2023-23208 | 3 Genesys, Linux, Microsoft | 3 Administrator Extension, Linux Kernel, Windows | 2023-08-22 | N/A | 6.1 MEDIUM |
| Genesys Administrator Extension (GAX) before 9.0.105.15 is vulnerable to Cross Site Scripting (XSS) via the Business Structure page of the iWD plugin, aka GAX-11261. | |||||
| CVE-2023-4422 | 1 Agentejo | 1 Cockpit | 2023-08-22 | N/A | 4.8 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. | |||||
| CVE-2023-38910 | 1 Cszcms | 1 Csz Cms | 2023-08-22 | N/A | 6.1 MEDIUM |
| CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin. | |||||
| CVE-2023-38911 | 1 Cszcms | 1 Csz Cms | 2023-08-22 | N/A | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields. | |||||
| CVE-2023-31079 | 1 Thechrisroberts | 1 Tippy | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Roberts Tippy plugin <= 6.2.1 versions. | |||||
| CVE-2023-28783 | 1 Phpradar | 1 Woocommerce Tip\/donation | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (shop manager+) Stored Cross-Site Scripting (XSS) vulnerability in PHPRADAR Woocommerce Tip/Donation plugin <= 1.2 versions. | |||||
| CVE-2023-28693 | 1 Balasahebbhise | 1 Advanced Youtube Channel Pagination | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Balasaheb Bhise Advanced Youtube Channel Pagination plugin <= 1.0 version. | |||||
| CVE-2023-31074 | 1 Hupe13 | 1 Extensions For Leaflet Map | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in hupe13 Extensions for Leaflet Map plugin <= 3.4.1 versions. | |||||
| CVE-2023-30877 | 1 Icopydoc | 1 Xml For Google Merchant Center | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Maxim Glazunov XML for Google Merchant Center plugin <= 3.0.1 versions. | |||||
| CVE-2023-31076 | 1 Really-simple-plugins | 1 Recipe Maker For Your Food Blog From Zip Recipes | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Really Simple Plugins Recipe Maker For Your Food Blog from Zip Recipes plugin <= 8.0.6 versions. | |||||
| CVE-2023-31091 | 1 Pradeepsinghweb | 1 Dynamically Register Sidebars | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pradeep Singh Dynamically Register Sidebars plugin <= 1.0.1 versions. | |||||
| CVE-2023-31071 | 1 Ylefebvre | 1 Modal Dialog | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Yannick Lefebvre Modal Dialog plugin <= 3.5.14 versions. | |||||
| CVE-2023-26530 | 1 Updraftplus | 1 Updraft | 2023-08-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Paul Kehrer Updraft plugin <= 0.6.1 versions. | |||||
| CVE-2023-4395 | 1 Agentejo | 1 Cockpit | 2023-08-22 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4. | |||||
| CVE-2023-30874 | 1 Stpetedesign | 1 Gps Plotter | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Steve Curtis, St. Pete Design Gps Plotter plugin <= 5.1.4 versions. | |||||
| CVE-2023-28622 | 1 Tridenttechnolabs | 1 Easy Slider Revolution | 2023-08-22 | N/A | 5.4 MEDIUM |
| Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in Trident Technolabs Easy Slider Revolution plugin <= 1.0.0 versions. | |||||
| CVE-2023-28533 | 1 Nimbus | 1 Cab Grid | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in M Williams Cab Grid plugin <= 1.5.15 versions. | |||||
| CVE-2023-30876 | 1 Davidmichaelross | 1 Dave\'s Wordpress Live Search | 2023-08-22 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dave Ross Dave's WordPress Live Search plugin <= 4.8.1 versions. | |||||
| CVE-2023-40024 | 1 Nexb | 1 Scancode.io | 2023-08-21 | N/A | 6.1 MEDIUM |
| ScanCode.io is a server to script and automate software composition analysis pipelines. In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. Attackers can exploit this vulnerability to inject malicious scripts into the response generated by the `license_details_view` function. When unsuspecting users visit the page, their browsers will execute the injected scripts, leading to unauthorized actions, session hijacking, or stealing sensitive information. This issue has been addressed in release `32.5.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||