Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21628 | 1 Prestashop | 1 Prestashop | 2024-01-08 | N/A | 6.1 MEDIUM |
| PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue. | |||||
| CVE-2024-21732 | 1 Flycms Project | 1 Flycms | 2024-01-08 | N/A | 6.1 MEDIUM |
| FlyCms through abbaa5a allows XSS via the permission management feature. | |||||
| CVE-2024-0181 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 4.8 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/admin_user.php of the component Admin Panel. The manipulation of the argument Firstname/Lastname/Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249433 was assigned to this vulnerability. | |||||
| CVE-2024-0184 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 4.8 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/edit_teacher.php of the component Add Engineer. The manipulation of the argument Firstname/Lastname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249442 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0282 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been classified as problematic. This affects an unknown part of the file addmaterialsubmit.php. The manipulation of the argument tin leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249837 was assigned to this vulnerability. | |||||
| CVE-2024-0283 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file party_details.php. The manipulation of the argument party_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249838 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0284 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been rated as problematic. This issue affects some unknown processing of the file party_submit.php. The manipulation of the argument party_address leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249839. | |||||
| CVE-2023-6000 | 1 Sygnoos | 1 Popup Builder | 2024-01-08 | N/A | 6.1 MEDIUM |
| The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. | |||||
| CVE-2023-6037 | 1 Ljapps | 1 Wp Tripadvisor Review Slider | 2024-01-08 | N/A | 4.8 MEDIUM |
| The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-50550 | 1 Layui | 1 Layui | 2024-01-08 | N/A | 5.4 MEDIUM |
| layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter. | |||||
| CVE-2023-52240 | 1 Kantega-sso | 1 Kantega Saml Sso Oidc Kerberos Single Sign-on | 2024-01-08 | N/A | 6.1 MEDIUM |
| The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled. This affects 4.4.2 through 4.14.8 before 4.14.9, 5.0.0 through 5.11.4 before 5.11.5, and 6.0.0 through 6.19.0 before 6.20.0. The full product names are Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center & Server (Kantega SSO Enterprise), and Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru Server (Kantega SSO Enterprise). (Here, FeCru refers to the Atlassian Fisheye and Crucible products running together.) | |||||
| CVE-2023-6710 | 2 Modcluster, Redhat | 2 Mod Proxy Cluster, Enterprise Linux | 2024-01-08 | N/A | 5.4 MEDIUM |
| A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. | |||||
| CVE-2024-0190 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 5.4 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. This issue affects some unknown processing of the file add_quiz.php of the component Quiz Handler. The manipulation of the argument Quiz Title/Quiz Description with the input </title><scRipt>alert(x)</scRipt> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249503. | |||||
| CVE-2024-0189 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 5.4 MEDIUM |
| A vulnerability has been found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. This vulnerability affects unknown code of the file teacher_message.php of the component Create Message Handler. The manipulation of the argument Content with the input </title><scRipt>alert(x)</scRipt> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249502 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-7173 | 1 Phpgurukul | 1 Hospital Management System | 2024-01-08 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Hospital Management System 1.0. This affects an unknown part of the file registration.php. The manipulation of the argument First Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249357 was assigned to this vulnerability. | |||||
| CVE-2023-31302 | 1 Sesami | 1 Cash Point & Transport Optimizer | 2024-01-08 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows remote attackers to execute arbitrary code via the Teller field. | |||||
| CVE-2023-31299 | 1 Sesami | 1 Cash Point & Transport Optimizer | 2024-01-08 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code via the Barcode field of a container. | |||||
| CVE-2023-5758 | 1 Mozilla | 1 Firefox | 2024-01-07 | N/A | 6.1 MEDIUM |
| When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119. | |||||
| CVE-2023-50069 | 1 Wiremock | 1 Wiremock | 2024-01-05 | N/A | 6.1 MEDIUM |
| WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. An attacker can host a malicious payload and perform a test mapping pointing to the attacker's file, and the result will render on the Matched page in the Body area, resulting in the execution of the payload. This occurs because the response body is not validated or sanitized. | |||||
| CVE-2023-52269 | 1 Mdaemon | 1 Securitygateway | 2024-01-05 | N/A | 4.8 MEDIUM |
| MDaemon SecurityGateway through 9.0.3 allows XSS via a crafted Message Content Filtering rule. This might allow domain administrators to conduct attacks against global administrators. | |||||
| CVE-2023-52264 | 1 Thirtybees | 1 Bees Blog | 2024-01-05 | N/A | 6.1 MEDIUM |
| The beesblog (aka Bees Blog) component before 1.6.2 for thirty bees allows Reflected XSS because controllers/front/post.php sharing_url is mishandled. | |||||
| CVE-2023-50892 | 1 Codex-themes | 1 Thegem | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme allows Reflected XSS. This issue affects TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme: from n/a through 5.9.1. | |||||
| CVE-2023-7171 | 1 Xxyopen | 1 Novel-plus | 2024-01-05 | N/A | 4.8 MEDIUM |
| A vulnerability was found in Novel-Plus up to 4.2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file novel-admin/src/main/java/com/java2nb/novel/controller/FriendLinkController.java of the component Friendly Link Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named d6093d8182362422370d7eaf6c53afde9ee45215. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-249307. | |||||
| CVE-2023-50891 | 1 Zohocorp | 1 Zoho Forms | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS. This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1. | |||||
| CVE-2023-50893 | 1 Upsolution | 1 Impreza | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution Impreza – WordPress Website and WooCommerce Builder allows Reflected XSS. This issue affects Impreza – WordPress Website and WooCommerce Builder: from n/a through 8.17.4. | |||||
| CVE-2023-52257 | 1 Logobee | 1 Logobee | 2024-01-05 | N/A | 6.1 MEDIUM |
| LogoBee 0.2 allows updates.php?id= XSS. | |||||
| CVE-2023-50889 | 1 Fastlinemedia | 1 Beaver Builder | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder – WordPress Page Builder allows Stored XSS. This issue affects Beaver Builder – WordPress Page Builder: from n/a through 2.7.2. | |||||
| CVE-2023-50881 | 1 Vasyltech | 1 Advanced Access Manager | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More allows Stored XSS. This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.15. | |||||
| CVE-2023-50880 | 1 Buddypress | 1 Buddypress | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The BuddyPress Community BuddyPress allows Stored XSS. This issue affects BuddyPress: from n/a through 11.3.1. | |||||
| CVE-2023-50879 | 1 Automattic | 1 Wordpress.com Editing Toolkit | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress.Com Editing Toolkit allows Stored XSS. This issue affects WordPress.Com Editing Toolkit: from n/a through 3.78784. | |||||
| CVE-2023-50901 | 1 Hasthemes | 1 Ht Mega - Absolute Addons For Elementor Page Builder | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HT Mega – Absolute Addons For Elementor allows Reflected XSS. This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.8. | |||||
| CVE-2023-50896 | 1 Weformspro | 1 Weforms | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS. This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17. | |||||
| CVE-2021-38927 | 3 Ibm, Linux, Microsoft | 3 Aspera Console, Linux Kernel, Windows | 2024-01-05 | N/A | 6.1 MEDIUM |
| IBM Aspera Console 3.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 210322. | |||||
| CVE-2023-50470 | 1 Seacms | 1 Seacms | 2024-01-05 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component admin_ Video.php of SeaCMS v12.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2023-7166 | 1 Xxyopen | 1 Novel-plus | 2024-01-05 | N/A | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in Novel-Plus up to 4.2.0. This affects an unknown part of the file /user/updateUserInfo of the component HTTP POST Request Handler. The manipulation of the argument nickName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is c62da9bb3a9b3603014d0edb436146512631100d. It is recommended to apply a patch to fix this issue. The identifier VDB-249201 was assigned to this vulnerability. | |||||
| CVE-2014-125109 | 1 Bestwebsoft | 1 Portfolio | 2024-01-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.27. It has been declared as problematic. This vulnerability affects the function bws_add_menu_render of the file bws_menu/bws_menu.php. The manipulation of the argument bwsmn_form_email leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 2.28 is able to address this issue. The name of the patch is d2ede580474665af56ff262a05783fbabe4529b8. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-248956. | |||||
| CVE-2015-10127 | 1 Bestwebsoft | 1 Pluscaptcha | 2024-01-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in PlusCaptcha Plugin up to 2.0.6 on WordPress and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 2.0.14 is able to address this issue. The patch is identified as 1274afc635170daafd38306487b6bb8a01f78ecd. It is recommended to upgrade the affected component. VDB-248954 is the identifier assigned to this vulnerability. | |||||
| CVE-2021-24830 | 1 Vasyltech | 1 Advanced Access Manager | 2024-01-05 | 3.5 LOW | 4.8 MEDIUM |
| The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2023-7160 | 1 Janobe | 1 Engineers Online Portal | 2024-01-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add Engineer Handler. The manipulation of the argument first name/last name with the input <script>alert(0)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249182 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-50924 | 1 Engelsystem | 1 Engelsystem | 2024-01-05 | N/A | 5.4 MEDIUM |
| Engelsystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user's context. This vulnerability enables an authenticated user to inject Javascript into other user's sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1. | |||||
| CVE-2021-3672 | 6 C-ares Project, Fedoraproject, Nodejs and 3 more | 17 C-ares, Fedora, Node.js and 14 more | 2024-01-05 | 6.8 MEDIUM | 5.6 MEDIUM |
| A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. | |||||
| CVE-2023-7113 | 1 Mattermost | 1 Mattermost Server | 2024-01-05 | N/A | 6.1 MEDIUM |
| Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | |||||
| CVE-2023-51399 | 1 Wpfactory | 1 Back Button Widget | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS. This issue affects Back Button Widget: from n/a through 1.6.3. | |||||
| CVE-2023-51541 | 1 Urosevic | 1 Stock Ticker | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Urošević Stock Ticker allows Stored XSS. This issue affects Stock Ticker: from n/a through 3.23.4. | |||||
| CVE-2023-51397 | 1 Brainstormforce | 1 Wp Remote Site Search | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force WP Remote Site Search allows Stored XSS. This issue affects WP Remote Site Search: from n/a through 1.0.4. | |||||
| CVE-2023-51372 | 1 Hasthemes | 1 Hashbar | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HashBar – WordPress Notification Bar allows Stored XSS. This issue affects HashBar – WordPress Notification Bar: from n/a through 1.4.1. | |||||
| CVE-2023-51374 | 1 Zerobounce | 1 Zerobounce Email Verification & Validation | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZeroBounce ZeroBounce Email Verification & Validation allows Stored XSS. This issue affects ZeroBounce Email Verification & Validation: from n/a through 1.0.11. | |||||
| CVE-2023-51373 | 1 Nakunakifi | 1 Google Photos Gallery With Shortcodes | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS. This issue affects Google Photos Gallery with Shortcodes: from n/a through 4.0.2. | |||||
| CVE-2023-51396 | 1 Brizy | 1 Brizy-page Builder | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy – Page Builder allows Stored XSS. This issue affects Brizy – Page Builder: from n/a through 2.4.29. | |||||
| CVE-2023-51361 | 1 Gingerplugins | 1 Sticky Chat Widget | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ginger Plugins Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button allows Stored XSS. This issue affects Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button: from n/a through 1.1.8. | |||||
