Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-33257 | 1 Verint | 1 Engagement Management | 2023-08-04 | N/A | 5.4 MEDIUM |
| Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML injection via the user data form in the live chat. | |||||
| CVE-2023-4067 | 1 Mage-people | 1 Bus Ticket Booking With Seat Reservation | 2023-08-04 | N/A | 6.1 MEDIUM |
| The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab_date' and 'tab_date_r' parameters in versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-3500 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims. | |||||
| CVE-2023-2164 | 1 Gitlab | 1 Gitlab | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta. | |||||
| CVE-2023-38057 | 1 Otrs | 1 Survey | 2023-08-04 | N/A | 5.4 MEDIUM |
| An improper input validation vulnerability in OTRS Survey modules allows any attacker with a link to a valid and unanswered survey request to inject JavaScript code in free text answers. This allows a cross site scripting attack while the replies are read as an authenticated agent. This issue affects OTRS Survey module from 7.0.X before 7.0.32, from 8.0.X before 8.0.13 and ((OTRS)) Community Edition Survey module from 6.0.X through 6.0.22. | |||||
| CVE-2023-37979 | 1 Ninjaforms | 1 Ninja Forms | 2023-08-04 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Saturday Drive Ninja Forms Contact Form plugin <= 3.6.25 versions. | |||||
| CVE-2023-34869 | 1 Phpjabbers | 1 Catering System | 2023-08-04 | N/A | 6.1 MEDIUM |
| PHPJabbers Catering System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php?controller=pjAdmin&action=pjActionForgot. | |||||
| CVE-2023-36118 | 1 Faculty Evaluation System Project | 1 Faculty Evaluation System | 2023-08-04 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Faculty Evaluation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter. | |||||
| CVE-2023-34360 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2023-08-04 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) issue was discovered within the Custom User Icons functionality of ASUS RT-AX88U running firmware versions 3.0.0.4.388.23110 and prior. After logging in to the device with regular user privileges, a remote attacker can perform a Stored Cross-site Scripting (XSS) attack by uploading an image containing JavaScript code. | |||||
| CVE-2023-22595 | 1 Ibm | 2 B2b Advanced Communications, Multi-enterprise Integration Gateway | 2023-08-04 | N/A | 5.4 MEDIUM |
| IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244076. | |||||
| CVE-2023-3292 | 1 Wpsofts | 1 Portfolio Gallery, Product Catalog - Grid Kit Portfolio | 2023-08-04 | N/A | 6.1 MEDIUM |
| The grid-kit-premium WordPress plugin before 2.2.0 does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2023-23548 | 1 Tribe29 | 1 Checkmk | 2023-08-04 | N/A | 6.1 MEDIUM |
| Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30. | |||||
| CVE-2023-37496 | 1 Hcltech | 1 Verse | 2023-08-04 | N/A | 5.4 MEDIUM |
| HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. | |||||
| CVE-2022-43711 | 1 Gxsoftware | 1 Xperiencentral | 2023-08-04 | N/A | 6.1 MEDIUM |
| Interactive Forms (IAF) in GX Software XperienCentral versions 10.29.1 until 10.33.0 was vulnerable to cross site scripting attacks (XSS) because the CSP header uses eval() in the script-src. | |||||
| CVE-2020-36763 | 1 Duxcms Project | 1 Duxcms | 2023-08-04 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in DuxCMS 2.1 allows remote attackers to run arbitrary code via the content, time, and copyfrom parameters when adding or editing a post. | |||||
| CVE-2023-38306 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue was discovered in Webmin 2.021. A Cross-site Scripting (XSS) Bypass vulnerability was discovered in the file upload functionality. Normally, the application restricts the upload of certain file types such as .svg, .php, etc., and displays an error message if a prohibited file type is detected. However, by following certain steps, an attacker can bypass these restrictions and inject malicious code. | |||||
| CVE-2023-38305 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue was discovered in Webmin 2.021. The download functionality allows an attacker to exploit a Cross-Site Scripting (XSS) vulnerability. By providing a crafted download path containing a malicious payload, an attacker can inject arbitrary code, which is then executed within the context of the victim's browser when the download link is accessed. | |||||
| CVE-2023-38307 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality. The vulnerability occurs when an authenticated user adds a new user and inserts an XSS payload into the user's real name. | |||||
| CVE-2023-38309 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue was discovered in Webmin 2.021. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the package search functionality. The vulnerability allows an attacker to inject a malicious payload in the "Search for Package" field, which gets reflected back in the application's response, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. | |||||
| CVE-2023-38310 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the configuration settings of the system logs functionality. The vulnerability allows an attacker to store an XSS payload in the configuration settings of specific log files. This results in the execution of that payload whenever the affected log files are accessed. | |||||
| CVE-2023-38308 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. | |||||
| CVE-2023-38311 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the payload when saving the configuration or when accessing the System Logs Viewer page. | |||||
| CVE-2023-38303 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. One can exploit a stored Cross-Site Scripting (XSS) attack to achieve Remote Command Execution (RCE) through the Users and Groups real name parameter. | |||||
| CVE-2023-33560 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 6.1 MEDIUM |
| There is a Cross Site Scripting (XSS) vulnerability in "cid" parameter of preview.php in PHPJabbers Time Slots Booking Calendar v3.3. | |||||
| CVE-2023-38304 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality, allowing an attacker to store a malicious payload in the Group Name field when creating a new group. | |||||
| CVE-2023-33564 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 6.1 MEDIUM |
| There is a Cross Site Scripting (XSS) vulnerability in the "theme" parameter of preview.php in PHPJabbers Time Slots Booking Calendar v3.3. | |||||
| CVE-2023-35792 | 1 Vound-software | 1 Intella Connect | 2023-08-04 | N/A | 6.1 MEDIUM |
| Vound Intella Connect 2.6.0.3 is vulnerable to stored Cross-site Scripting (XSS). | |||||
| CVE-2023-36211 | 1 Cubiclesoft | 1 Barebones Cms | 2023-08-04 | N/A | 5.4 MEDIUM |
| The Barebones CMS v2.0.2 is vulnerable to Stored Cross-Site Scripting (XSS) when an authenticated user interacts with certain features on the admin panel. | |||||
| CVE-2023-3130 | 1 Kaizencoders | 1 Short Url | 2023-08-03 | N/A | 4.8 MEDIUM |
| The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-3134 | 1 Incsub | 1 Forminator | 2023-08-03 | N/A | 6.1 MEDIUM |
| The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. | |||||
| CVE-2023-0602 | 1 Johnniejodelljr | 1 Twittee Text Tweet | 2023-08-03 | N/A | 6.1 MEDIUM |
| The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative page, which allows reflected XSS attacks targeting administrators to happen. | |||||
| CVE-2021-31651 | 1 Neofr | 1 Neofrag | 2023-08-03 | N/A | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in neofrag-cms 0.2.3 allows a remote attacker to run arbitrary code via the copyright field in copyright settings. | |||||
| CVE-2023-4007 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-08-03 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16. | |||||
| CVE-2023-37467 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 5.4 MEDIUM |
| Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting. | |||||
| CVE-2023-3990 | 1 Mingsoft | 1 Mcms | 2023-08-03 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-235611. | |||||
| CVE-2023-3989 | 1 Jewelry Store System Project | 1 Jewelry Store System | 2023-08-03 | N/A | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester Jewelry Store System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file add_customer.php. The manipulation leads to cross site scripting. The attack may be launched remotely. VDB-235610 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-37980 | 1 Custom Field For Wp Job Manager Project | 1 Custom Field For Wp Job Manager | 2023-08-02 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions. | |||||
| CVE-2023-3970 | 1 Gzscripts | 1 Availability Booking Calendar Php | 2023-08-02 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability. | |||||
| CVE-2023-3969 | 1 Gzscripts | 1 Availability Booking Calendar Php | 2023-08-02 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in GZ Scripts Availability Booking Calendar PHP 1.0. Affected by this issue is some unknown functionality of the file index.php of the component HTTP POST Request Handler. The manipulation of the argument promo_code leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235568. | |||||
| CVE-2023-37894 | 1 Radiustheme | 1 Variation Images Gallery For Woocommerce | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Images Gallery for WooCommerce plugin <= 2.3.3 versions. | |||||
| CVE-2023-37981 | 1 Wpkube | 1 Authors List | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPKube Authors List plugin <= 2.0.2 versions. | |||||
| CVE-2023-37970 | 1 Mf Gig Calendar Project | 1 Mf Gig Calendar | 2023-08-02 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Matthew Fries MF Gig Calendar plugin <= 1.2 versions. | |||||
| CVE-2023-37993 | 1 Maennchen1 | 1 Wpshopgermany It-recht Kanzlei | 2023-08-02 | N/A | 4.8 MEDIUM |
| Auth. Stored Cross-Site Scripting (XSS) vulnerability in maennchen1.De wpShopGermany IT-RECHT KANZLEI plugin <= 1.7 versions. | |||||
| CVE-2023-37976 | 1 Radioforge | 1 Radio Forge Muses Player With Skins | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Radio Forge Muses Player with Skins plugin <= 2.5 versions. | |||||
| CVE-2023-37975 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Swatches for WooCommerce plugin <= 2.3.7 versions. | |||||
| CVE-2023-38501 | 1 Copyparty Project | 1 Copyparty | 2023-08-02 | N/A | 6.1 MEDIUM |
| copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting vulnerability via the URL parameters `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one has inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue. | |||||
| CVE-2023-3945 | 1 Phpscriptpoint | 1 Lawyer | 2023-08-02 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Lawyer 1.6. It has been classified as problematic. This affects an unknown part of the file search.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-235401 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3384 | 1 Redhat | 1 Quay | 2023-08-02 | N/A | 5.4 MEDIUM |
| A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). | |||||
| CVE-2023-38500 | 1 Typo3 | 1 Html Sanitizer | 2023-08-02 | N/A | 6.1 MEDIUM |
| TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization layer, malicious markup nested in a `noscript` element was not encoded correctly. `noscript` is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of TYPO3 HTML Sanitizer. Versions 1.5.1 and 2.1.2 fix the problem. | |||||
| CVE-2023-35929 | 1 Enalean | 1 Tuleap | 2023-08-02 | N/A | 5.4 MEDIUM |
| Tuleap is a free and open source suite to improve management of software development and collaboration. Prior to version 14.10.99.4 of Tuleap Community Edition and prior to versions 14.10-2 and 14.9-5 of Tuleap Enterprise Edition, content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped. A malicious user with the capability to create an artifact or to edit a field used as a card field could force a victim to execute uncontrolled code. Tuleap Community Edition 14.10.99.4, Tuleap Enterprise Edition 14.10-2, and Tuleap Enterprise Edition 14.9-5 contain a fix. | |||||
