Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-34869 | 1 Phpjabbers | 1 Catering System | 2023-08-04 | N/A | 6.1 MEDIUM | PHPJabbers Catering System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php?controller=pjAdmin&action=pjActionForgot. |
| CVE-2023-34360 | 1 Asus | 2 Rt-ax88u, Rt-ax88u Firmware | 2023-08-04 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) issue was discovered within the Custom User Icons functionality of ASUS RT-AX88U running firmware versions 3.0.0.4.388.23110 and prior. After logging in to the device with regular user privileges, a remote attacker can perform a stored XSS attack by uploading an image that contains JavaScript code. |
| CVE-2022-4888 | 1 Addify | 10 Abandoned Cart Recovery, Advanced Free Gifts, Checkout Fields Manager and 7 more | 2023-08-04 | N/A | 6.5 MEDIUM | The Checkout Fields Manager WordPress plugin before 1.0.2, Abandoned Cart Recovery WordPress plugin before 1.2.5, Custom Fields for WooCommerce WordPress plugin before 1.0.4, Custom Order Number WordPress plugin through 1.0.1, Custom Registration Forms Builder WordPress plugin before 1.0.2, Advanced Free Gifts WordPress plugin before 1.0.2, Gift Registry for WooCommerce WordPress plugin through 1.0.1, Image Watermark for WooCommerce WordPress plugin before 1.0.1, Order Approval for WooCommerce WordPress plugin before 1.1.0, Order Tracking for WooCommerce WordPress plugin before 1.0.2, Price Calculator for WooCommerce WordPress plugin through 1.0.3, Product Dynamic Pricing and Discounts WordPress plugin through 1.0.6, and Product Labels and Stickers WordPress plugin through 1.0.1 have flawed CSRF checks in various places, which could allow attackers to make logged-in users perform unwanted actions. |
| CVE-2023-3292 | 1 Wpsofts | 1 Portfolio Gallery, Product Catalog - Grid Kit Portfolio | 2023-08-04 | N/A | 6.1 MEDIUM | The grid-kit-premium WordPress plugin before 2.2.0 does not escape some parameters as well as generated URLs before outputting them in attributes, leading to reflected cross-site scripting which could be used against high-privilege users such as admin. |
| CVE-2023-24971 | 1 Ibm | 2 B2b Advanced Communications, Multi-enterprise Integration Gateway | 2023-08-04 | N/A | 6.5 MEDIUM | IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service due to the deserializing of untrusted serialized Java objects. IBM X-Force ID: 246976. |
| CVE-2023-22595 | 1 Ibm | 2 B2b Advanced Communications, Multi-enterprise Integration Gateway | 2023-08-04 | N/A | 5.4 MEDIUM | IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244076. |
| CVE-2023-35016 | 1 Ibm | 1 Security Verify Governance | 2023-08-04 | N/A | 6.5 MEDIUM | IBM Security Verify Governance, Identity Manager 10.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 257772. |
| CVE-2023-31426 | 1 Broadcom | 1 Fabric Operating System | 2023-08-04 | N/A | 6.5 MEDIUM | The Brocade Fabric OS commands "configupload" and "configdownload" before Brocade Fabric OS v9.1.1c, v8.2.3d, v9.2.0 print scp, sftp, and ftp server passwords in supportsave. This could allow a remote authenticated attacker to access sensitive information. |
| CVE-2023-23548 | 1 Tribe29 | 1 Checkmk | 2023-08-04 | N/A | 6.1 MEDIUM | Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30. |
| CVE-2023-4010 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2023-08-04 | N/A | 4.6 MEDIUM | A flaw was found in the USB Host Controller Driver framework in the Linux kernel. The usb_giveback_urb function has a logic loophole in its implementation. Due to the inappropriate judgment condition of the goto statement, the function cannot return under the input of a specific malformed descriptor file, so it falls into an endless loop, resulting in a denial of service. |
| CVE-2023-2685 | 1 Abb | 1 Ao-opc | 2023-08-04 | N/A | 6.3 MEDIUM | A vulnerability was found in AO-OPC server versions mentioned above. As the directory information for the service entry is not enclosed in quotation marks, potential attackers could possibly call up an application other than the AO-OPC server by starting the service. The service might be started with system user privileges, which could cause a shift in user access privileges. It is unlikely to exploit the vulnerability in well-maintained Windows installations since the attacker would need write access to system folders. An update is available that resolves the vulnerability found during an internal review in the product AO-OPC = 3.2.1. |
| CVE-2022-42182 | 1 Precisely | 1 Spectrum Spatial Analyst | 2023-08-04 | N/A | 5.3 MEDIUM | Precisely Spectrum Spatial Analyst 20.01 is vulnerable to Directory Traversal. |
| CVE-2023-3462 | 1 Hashicorp | 1 Vault | 2023-08-04 | N/A | 5.3 MEDIUM | HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests for existent and non-existent LDAP users and observe the response from Vault to check whether the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5. |
| CVE-2023-37496 | 1 Hcltech | 1 Verse | 2023-08-04 | N/A | 5.4 MEDIUM | HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. |
| CVE-2022-43711 | 1 Gxsoftware | 1 Xperiencentral | 2023-08-04 | N/A | 6.1 MEDIUM | Interactive Forms (IAF) in GX Software XperienCentral versions 10.29.1 until 10.33.0 was vulnerable to cross site scripting attacks (XSS) because the CSP header uses eval() in the script-src. |
| CVE-2023-3242 | 1 Br-automation | 1 Automation Runtime | 2023-08-04 | N/A | 5.9 MEDIUM | Allocation of Resources Without Limits or Throttling, Improper Initialization vulnerability in B&R Industrial Automation B&R Automation Runtime allows Flooding, Leveraging Race Conditions. This issue affects B&R Automation Runtime: <G4.93. |
| CVE-2023-30949 | 1 Palantir | 1 Slate | 2023-08-04 | N/A | 5.3 MEDIUM | A missing origin validation in Slate sandbox could be exploited by a malicious user to modify the page's content, which could lead to phishing attacks. |
| CVE-2020-36763 | 1 Duxcms Project | 1 Duxcms | 2023-08-04 | N/A | 5.4 MEDIUM | Cross Site Scripting (XSS) vulnerability in DuxCMS 2.1 allows remote attackers to run arbitrary code via the content, time, copyfrom parameters when adding or editing a post. |
| CVE-2023-34916 | 1 Cms Project | 1 Cms | 2023-08-04 | N/A | 6.1 MEDIUM | Fuge CMS v1.0 contains an Open Redirect vulnerability via /front/ProcessAct.java. |
| CVE-2023-34917 | 1 Cms Project | 1 Cms | 2023-08-04 | N/A | 6.1 MEDIUM | Fuge CMS v1.0 contains an Open Redirect vulnerability in member/RegisterAct.java. |
| CVE-2023-38306 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM | An issue was discovered in Webmin 2.021. A Cross-site Scripting (XSS) Bypass vulnerability was discovered in the file upload functionality. Normally, the application restricts the upload of certain file types such as .svg, .php, etc., and displays an error message if a prohibited file type is detected. However, by following certain steps, an attacker can bypass these restrictions and inject malicious code. |
| CVE-2023-38305 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM | An issue was discovered in Webmin 2.021. The download functionality allows an attacker to exploit a Cross-Site Scripting (XSS) vulnerability. By providing a crafted download path containing a malicious payload, an attacker can inject arbitrary code, which is then executed within the context of the victim's browser when the download link is accessed. |
| CVE-2023-38310 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM | An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the configuration settings of the system logs functionality. The vulnerability allows an attacker to store an XSS payload in the configuration settings of specific log files. This results in the execution of that payload whenever the affected log files are accessed. |
| CVE-2023-38309 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM | An issue was discovered in Webmin 2.021. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the package search functionality. The vulnerability allows an attacker to inject a malicious payload in the "Search for Package" field, which gets reflected back in the application's response, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. |
| CVE-2023-38308 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM | An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. |
| CVE-2023-38307 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM | An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality. The vulnerability occurs when an authenticated user adds a new user and inserts an XSS payload into the user's real name. |
| CVE-2023-38311 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM | An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the payload when saving the configuration or when accessing the System Logs Viewer page. |
| CVE-2023-33560 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 6.1 MEDIUM | There is a Cross Site Scripting (XSS) vulnerability in the "cid" parameter of preview.php in PHPJabbers Time Slots Booking Calendar v3.3. |
| CVE-2023-38304 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM | An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality, allowing an attacker to store a malicious payload in the Group Name field when creating a new group. |
| CVE-2023-38303 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM | An issue was discovered in Webmin 2.021. One can exploit a stored Cross-Site Scripting (XSS) attack to achieve Remote Command Execution (RCE) through the Users and Groups real name parameter. |
| CVE-2023-33564 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 6.1 MEDIUM | There is a Cross Site Scripting (XSS) vulnerability in the "theme" parameter of preview.php in PHPJabbers Time Slots Booking Calendar v3.3. |
| CVE-2023-38989 | 1 Jeesite | 1 Jeesite | 2023-08-04 | N/A | 4.3 MEDIUM | An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator's role information. |
| CVE-2023-35792 | 1 Vound-software | 1 Intella Connect | 2023-08-04 | N/A | 6.1 MEDIUM | Vound Intella Connect 2.6.0.3 is vulnerable to stored Cross-site Scripting (XSS). |
| CVE-2023-35791 | 1 Vound-software | 1 Intella Connect | 2023-08-04 | N/A | 6.1 MEDIUM | Vound Intella Connect 2.6.0.3 has an Open Redirect vulnerability. |
| CVE-2023-36211 | 1 Cubiclesoft | 1 Barebones Cms | 2023-08-04 | N/A | 5.4 MEDIUM | The Barebones CMS v2.0.2 is vulnerable to Stored Cross-Site Scripting (XSS) when an authenticated user interacts with certain features on the admin panel. |
| CVE-2023-3130 | 1 Kaizencoders | 1 Short Url | 2023-08-03 | N/A | 4.8 MEDIUM | The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
| CVE-2023-3134 | 1 Incsub | 1 Forminator | 2023-08-03 | N/A | 6.1 MEDIUM | The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. |
| CVE-2023-32226 | 1 Sysaid | 1 Sysaid On-premises | 2023-08-03 | N/A | 6.5 MEDIUM | Sysaid - CWE-552: Files or Directories Accessible to External Parties - Authenticated users may exfiltrate files from the server via an unspecified method. |
| CVE-2023-0602 | 1 Johnniejodelljr | 1 Twittee Text Tweet | 2023-08-03 | N/A | 6.1 MEDIUM | The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative pages, which allows reflected XSS attacks targeting administrators. |
| CVE-2023-3345 | 1 Masteriyo | 1 Masteriyo | 2023-08-03 | N/A | 6.5 MEDIUM | The LMS by Masteriyo WordPress plugin before 1.6.8 does not properly safeguard sensitive user information, such as other users' email addresses, making it possible for any student to leak them via some of the plugin's REST API endpoints. |
| CVE-2021-31651 | 1 Neofr | 1 Neofrag | 2023-08-03 | N/A | 4.8 MEDIUM | Cross Site Scripting (XSS) vulnerability in neofarg-cms 0.2.3 allows a remote attacker to run arbitrary code via the copyright field in copyright settings. |
| CVE-2023-3507 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM | The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack. |
| CVE-2023-3508 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM | The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged-in admins email pre-order customers, change the release date, or mark all pre-orders of a specific product as complete or cancelled via CSRF attacks. |
| CVE-2020-4868 | 1 Ibm | 1 Tririga Application Platform | 2023-08-03 | N/A | 5.3 MEDIUM | IBM TRIRIGA 3.0, 4.0, and 4.4 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 190744. |
| CVE-2023-4007 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-08-03 | N/A | 5.4 MEDIUM | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16. |
| CVE-2023-37216 | 1 Anasystem | 2 Sensmini M4, Sensmini M4 Firmware | 2023-08-03 | N/A | 6.5 MEDIUM | AnaSystem SensMini M4: using the configuration tool, an authenticated user can cause a denial of service for the device. |
| CVE-2023-38988 | 1 Jeesite | 1 Jeesite | 2023-08-03 | N/A | 4.3 MEDIUM | An issue in the delete function in the OaNotifyController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete notifications created by Administrators. |
| CVE-2023-37467 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 5.4 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting. |
| CVE-2023-37906 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 4.3 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can edit a post in a topic and cause a DoS with a carefully crafted edit reason. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. |
| CVE-2023-38498 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 6.5 MEDIUM | Discourse is an open source discussion platform. Prior to version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a malicious user can prevent the defer queue from proceeding promptly on sites hosted in the same multisite installation. The issue is patched in version 3.0.6 of the `stable` branch and version 3.1.0.beta7 of the `beta` and `tests-passed` branches. There are no known workarounds for this vulnerability. Users of multisite configurations should upgrade. |
