Total: 13741 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-49269 | 1 Gvnpatidar | 1 Hotel Management System | 2023-12-27 | N/A | 5.4 MEDIUM | Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'adults' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. |
| CVE-2023-49270 | 1 Kashipara | 1 Hotel Management | 2023-12-26 | N/A | 5.4 MEDIUM | Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_in_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. |
| CVE-2023-49271 | 1 Kashipara | 1 Hotel Management | 2023-12-26 | N/A | 5.4 MEDIUM | Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_out_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. |
| CVE-2023-49272 | 1 Kashipara | 1 Hotel Management | 2023-12-26 | N/A | 6.1 MEDIUM | Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. |
| CVE-2023-51462 | 1 Adobe | 1 Experience Manager | 2023-12-26 | N/A | 5.4 MEDIUM | Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. |
| CVE-2023-51461 | 1 Adobe | 1 Experience Manager | 2023-12-26 | N/A | 5.4 MEDIUM | Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. |
| CVE-2022-4279 | 1 Oretnom23 | 1 Human Resource Management System | 2023-12-26 | N/A | 6.1 MEDIUM | A vulnerability classified as problematic has been found in SourceCodester Human Resource Management System 1.0. Affected is an unknown function of the file /hrm/employeeview.php. The manipulation of the argument search leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-214776. |
| CVE-2016-10890 | 1 Pojo | 1 Activity Log | 2023-12-26 | 4.3 MEDIUM | 6.1 MEDIUM | The aryo-activity-log plugin before 2.3.2 for WordPress has XSS. |
| CVE-2016-10891 | 1 Pojo | 1 Activity Log | 2023-12-26 | 4.3 MEDIUM | 6.1 MEDIUM | The aryo-activity-log plugin before 2.3.3 for WordPress has XSS. |
| CVE-2022-43317 | 1 Oretnom23 | 1 Human Resource Management System | 2023-12-26 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in /hrm/index.php?msg of Human Resource Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2022-45218 | 1 Oretnom23 | 1 Human Resource Management System | 2023-12-26 | N/A | 6.1 MEDIUM | Human Resource Management System v1.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability. This vulnerability is triggered via a crafted payload injected into an authentication error message. |
| CVE-2018-8729 | 1 Pojo | 1 Activity Log | 2023-12-26 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped. |
| CVE-2023-22704 | 1 Mtrv | 1 Teachpress | 2023-12-26 | N/A | 6.1 MEDIUM | Reflected Cross-Site Scripting (XSS) vulnerability in Michael Winkler teachPress plugin <= 8.1.8 versions. |
| CVE-2015-10107 | 1 Simplr Registration Form Plus+ Project | 1 Simplr Registration Form Plus+ | 2023-12-22 | N/A | 6.1 MEDIUM | A vulnerability was found in Simplr Registration Form Plus+ Plugin up to 2.3.4 on WordPress and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.3.5 is able to address this issue. The identifier of the patch is d588446844dd49232ab400ef213ff5b92121c33e. It is recommended to upgrade the affected component. The identifier VDB-230153 was assigned to this vulnerability. |
| CVE-2017-20158 | 1 Yii2 Fileapi Widget Project | 1 Yii2 Fileapi Widget | 2023-12-22 | N/A | 6.1 MEDIUM | ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yii2 FileAPI Widget up to 0.1.8. It has been declared as problematic. Affected by this vulnerability is the function run of the file actions/UploadAction.php. The manipulation of the argument file leads to cross site scripting. The attack can be launched remotely. Upgrading to version 0.1.9 is able to address this issue. The identifier of the patch is c00d1e4fc912257fca1fce66d7a163bdbb4c8222. It is recommended to upgrade the affected component. The identifier VDB-217141 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2023-5432 | 1 Gopiplus | 1 Jquery News Ticker | 2023-12-22 | N/A | 5.4 MEDIUM | The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5413 | 1 Gopiplus | 1 Image Horizontal Reel Scroll Slideshow | 2023-12-22 | N/A | 5.4 MEDIUM | The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-6488 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2023-12-22 | N/A | 5.4 MEDIUM | The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_button', 'su_members', and 'su_tabs' shortcodes in all versions up to, and including, 7.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5631 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2023-12-22 | N/A | 5.4 MEDIUM | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. |
| CVE-2022-34790 | 1 Jenkins | 1 Extreme Feedback Panel | 2023-12-22 | 3.5 LOW | 5.4 MEDIUM | Jenkins eXtreme Feedback Panel Plugin 2.0.1 and earlier does not escape the job names used in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2023-6911 | 1 Wso2 | 9 Api Manager, Api Manager Analytics, Api Microgateway and 6 more | 2023-12-22 | N/A | 4.8 MEDIUM | Multiple WSO2 products have been identified as vulnerable due to improper output encoding; a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. |
| CVE-2016-10893 | 1 Crayon Syntax Highlighter Project | 1 Crayon Syntax Highlighter | 2023-12-22 | 4.3 MEDIUM | 6.1 MEDIUM | The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has multiple XSS issues via AJAX requests. |
| CVE-2022-27213 | 1 Jenkins | 1 Environment Dashboard | 2023-12-22 | 3.5 LOW | 5.4 MEDIUM | Jenkins Environment Dashboard Plugin 1.1.10 and earlier does not escape the Environment order and the Component order configuration values in its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. |
| CVE-2022-1274 | 1 Redhat | 8 Enterprise Linux, Enterprise Linux For Ibm Z Systems, Enterprise Linux For Ibm Z Systems Eus and 5 more | 2023-12-22 | N/A | 5.4 MEDIUM | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| CVE-2023-48387 | 1 Twca | 1 Jcicsecuritytool | 2023-12-22 | N/A | 6.1 MEDIUM | TAIWAN-CA(TWCA) JCICSecurityTool's Registry-related functions have insufficient filtering for special characters. An unauthenticated remote attacker can inject malicious script into a webpage to perform XSS (Stored Cross-Site Scripting) attack. |
| CVE-2023-36939 | 1 Phpgurukul | 1 Hostel Management System | 2023-12-22 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability in Hostel Management System v2.1 allows an attacker to execute arbitrary code via a crafted payload to the search booking field. |
| CVE-2023-36375 | 1 Phpgurukul | 1 Hostel Management System | 2023-12-22 | N/A | 5.4 MEDIUM | Cross Site Scripting vulnerability in Hostel Management System v2.1 allows an attacker to execute arbitrary code via a crafted payload to the Guardian name, Guardian relation, complimentary address, city, permanent address, and city parameters in the Book Hostel & Room Details page. |
| CVE-2023-37580 | 1 Zimbra | 1 Zimbra | 2023-12-22 | N/A | 6.1 MEDIUM | Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. |
| CVE-2023-36823 | 2 Debian, Sanitize Project | 2 Debian Linux, Sanitize | 2023-12-22 | N/A | 6.1 MEDIUM | Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content. |
| CVE-2023-36376 | 1 Phpgurukul | 1 Hostel Management System | 2023-12-22 | N/A | 4.8 MEDIUM | Cross-Site Scripting (XSS) vulnerability in Hostel Management System v.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the add course section. |
| CVE-2023-6778 | 1 Clear | 1 Clearml Server | 2023-12-22 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0. This vulnerability affects the ClearML Open Source Server which is not designed to be used as a publicly available service. Security recommendations stress it should be placed behind a company firewall or VPN. This vulnerability only affects users within the same organisation (i.e. when a malicious party already has access to the internal network and to a user's ClearML login credentials). |
| CVE-2023-5480 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2023-12-22 | N/A | 6.1 MEDIUM | Inappropriate implementation in Payments in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to bypass XSS preventions via a malicious file. (Chromium security severity: High) |
| CVE-2023-50376 | 1 Simple-membership-plugin | 1 Simple Membership | 2023-12-22 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS. This issue affects Simple Membership: from n/a through 4.3.8. |
| CVE-2023-49489 | 1 Kodcloud | 1 Kodexplorer | 2023-12-22 | N/A | 6.1 MEDIUM | Reflective Cross Site Scripting (XSS) vulnerability in KodeExplorer version 4.51, allows attackers to obtain sensitive information and escalate privileges via the APP_HOST parameter at config/i18n/en/main.php. |
| CVE-2023-50639 | 1 Iscute | 1 Cute Http File Server | 2023-12-22 | N/A | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 and v.2.0 allows attackers to obtain sensitive information via the file upload function in the home page. |
| CVE-2023-47707 | 3 Ibm, Linux, Microsoft | 4 Aix, Security Guardium Key Lifecycle Manager, Linux Kernel and 1 more | 2023-12-22 | N/A | 5.4 MEDIUM | IBM Security Guardium Key Lifecycle Manager 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 271522. |
| CVE-2023-6769 | 1 Mr-corner | 1 Amazing Little Poll | 2023-12-22 | N/A | 4.6 MEDIUM | Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload in the "lp_admin.php" file in the "question" and "item" parameters. This vulnerability could lead to malicious JavaScript execution while the page is loading. |
| CVE-2023-49168 | 1 Wordplus | 1 Better Messages | 2023-12-22 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS. This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0. |
| CVE-2022-29049 | 1 Jenkins | 1 Promoted Builds | 2023-12-21 | 4.0 MEDIUM | 5.4 MEDIUM | Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name. |
| CVE-2022-27212 | 1 Jenkins | 1 List Git Branches Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins List Git Branches Parameter Plugin 0.0.9 and earlier does not escape the name of the 'List Git branches (and more)' parameter, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2022-29045 | 1 Jenkins | 1 Promoted Builds | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not escape the name and description of Promoted Build parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2022-29044 | 1 Jenkins | 1 Node And Label Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM | Jenkins Node and Label parameter Plugin 1.10.3 and earlier does not escape the name and description of Node and Label parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
| CVE-2023-5348 | 1 Multivendorx | 1 Product Catalog Mode For Woocommerce | 2023-12-21 | N/A | 6.1 MEDIUM | The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. |
| CVE-2023-5005 | 1 Codesmade | 1 Autocomplete Location Field Contact Form 7 | 2023-12-21 | N/A | 4.8 MEDIUM | The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0 and the autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 do not sanitise and escape some of their settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
| CVE-2023-49829 | 1 Themeum | 1 Tutor Lms | 2023-12-21 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS – eLearning and online course solution allows Stored XSS. This issue affects Tutor LMS – eLearning and online course solution: from n/a through 2.2.4. |
| CVE-2023-49823 | 1 Bold-themes | 1 Bold Page Builder | 2023-12-21 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Page Builder allows Stored XSS. This issue affects Bold Page Builder: from n/a through 4.6.1. |
| CVE-2023-49767 | 1 Biteship | 1 Biteship | 2023-12-21 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Biteship Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo allows Stored XSS. This issue affects Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo: from n/a through 2.2.24. |
| CVE-2023-49747 | 1 Webfactoryltd | 1 Guest Author | 2023-12-21 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS. This issue affects Guest Author: from n/a through 2.3. |
| CVE-2023-49191 | 1 Supsystic | 1 Gdpr Cookie Consent | 2023-12-21 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic GDPR Cookie Consent by Supsystic allows Stored XSS. This issue affects GDPR Cookie Consent by Supsystic: from n/a through 2.1.2. |
| CVE-2023-49190 | 1 Freehtmldesigns | 1 Site Offline | 2023-12-21 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandra Shekhar Sahu Site Offline Or Coming Soon Or Maintenance Mode allows Stored XSS. This issue affects Site Offline Or Coming Soon Or Maintenance Mode: from n/a through 1.5.6. |
