Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-49829 | 1 Themeum | 1 Tutor Lms | 2023-12-21 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS – eLearning and online course solution allows Stored XSS.This issue affects Tutor LMS – eLearning and online course solution: from n/a through 2.2.4. | |||||
| CVE-2023-49823 | 1 Bold-themes | 1 Bold Page Builder | 2023-12-21 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldThemes Bold Page Builder allows Stored XSS.This issue affects Bold Page Builder: from n/a through 4.6.1. | |||||
| CVE-2023-49767 | 1 Biteship | 1 Biteship | 2023-12-21 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Biteship Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo allows Stored XSS.This issue affects Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo: from n/a through 2.2.24. | |||||
| CVE-2023-49747 | 1 Webfactoryltd | 1 Guest Author | 2023-12-21 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebFactory Ltd Guest Author allows Stored XSS.This issue affects Guest Author: from n/a through 2.3. | |||||
| CVE-2023-49191 | 1 Supsystic | 1 Gdpr Cookie Consent | 2023-12-21 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Supsystic GDPR Cookie Consent by Supsystic allows Stored XSS.This issue affects GDPR Cookie Consent by Supsystic: from n/a through 2.1.2. | |||||
| CVE-2023-46144 | 1 Phoenixcontact | 17 Axc F 1152, Axc F 1152 Firmware, Axc F 2152 and 14 more | 2023-12-21 | N/A | 6.5 MEDIUM |
| A download of code without integrity check vulnerability in PLCnext products allows an remote attacker with low privileges to compromise integrity on the affected engineering station and the connected devices. | |||||
| CVE-2023-49190 | 1 Freehtmldesigns | 1 Site Offline | 2023-12-21 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chandra Shekhar Sahu Site Offline Or Coming Soon Or Maintenance Mode allows Stored XSS.This issue affects Site Offline Or Coming Soon Or Maintenance Mode: from n/a through 1.5.6. | |||||
| CVE-2023-49189 | 1 Getsocial | 1 Social Share Buttons \& Analytics | 2023-12-21 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Getsocial, S.A. Social Share Buttons & Analytics Plugin – GetSocial.Io allows Stored XSS.This issue affects Social Share Buttons & Analytics Plugin – GetSocial.Io: from n/a through 4.3.12. | |||||
| CVE-2023-48379 | 1 Softnext | 1 Mail Sqr Expert | 2023-12-21 | N/A | 5.3 MEDIUM |
| Softnext Mail SQR Expert is an email management platform, it has inadequate filtering for a specific URL parameter within a specific function. An unauthenticated remote attacker can perform Blind SSRF attack to discover internal network topology base on URL error response. | |||||
| CVE-2023-48374 | 1 Csharp | 1 Cws Collaborative Development Platform | 2023-12-21 | N/A | 6.5 MEDIUM |
| SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information. | |||||
| CVE-2023-48382 | 1 Softnext | 1 Mail Sqr Expert | 2023-12-21 | N/A | 6.5 MEDIUM |
| Softnext Mail SQR Expert is an email management platform, it has a Local File Inclusion (LFI) vulnerability in a mail deliver-related URL. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary PHP file with .asp file extension under specific system paths, to access and modify partial system information but does not affect service availability. | |||||
| CVE-2023-42792 | 1 Apache | 1 Airflow | 2023-12-21 | N/A | 6.5 MEDIUM |
| Apache Airflow, in versions prior to 2.7.2, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. Users of Apache Airflow are strongly advised to upgrade to version 2.7.2 or newer to mitigate the risk associated with this vulnerability. | |||||
| CVE-2023-31439 | 1 Systemd Project | 1 Systemd | 2023-12-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." | |||||
| CVE-2023-31438 | 1 Systemd Project | 1 Systemd | 2023-12-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability." | |||||
| CVE-2023-0248 | 1 Johnsoncontrols | 2 Iosmart Gen 1, Iosmart Gen 1 Firmware | 2023-12-21 | N/A | 5.3 MEDIUM |
| An attacker with physical access to the Kantech Gen1 ioSmart card reader with firmware version prior to 1.07.02 in certain circumstances can recover the reader's communication memory between the card and reader. | |||||
| CVE-2023-6832 | 1 Microweber | 1 Microweber | 2023-12-21 | N/A | 4.3 MEDIUM |
| Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. | |||||
| CVE-2018-2379 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In SAP HANA Extended Application Services, 1.0, an unauthenticated user could test if a given username is valid by evaluating error messages of a specific endpoint. | |||||
| CVE-2018-2378 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In SAP HANA Extended Application Services, 1.0, unauthorized users can read statistical data about deployed applications including resource consumption. | |||||
| CVE-2018-2377 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In SAP HANA Extended Application Services, 1.0, some general server statistics and status information could be retrieved by unauthorized users. | |||||
| CVE-2018-2374 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In SAP HANA Extended Application Services, 1.0, a controller user who has SpaceAuditor authorization in a specific space could retrieve sensitive application data like service bindings within that space. | |||||
| CVE-2018-2372 | 1 Sap | 1 Hana Extended Application Services | 2023-12-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| A plain keystore password is written to a system log file in SAP HANA Extended Application Services, 1.0, which could endanger confidentiality of SSL communication. | |||||
| CVE-2023-1948 | 1 Phpgurukul | 1 Bp Monitoring Management System | 2023-12-21 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in PHPGurukul BP Monitoring Management System 1.0. This issue affects some unknown processing of the file add-family-member.php of the component Add New Family Member Handler. The manipulation of the argument Member Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-225335. | |||||
| CVE-2023-1909 | 1 Phpgurukul | 1 Bp Monitoring Management System | 2023-12-21 | N/A | 6.5 MEDIUM |
| A vulnerability, which was classified as critical, was found in PHPGurukul BP Monitoring Management System 1.0. Affected is an unknown function of the file profile.php of the component User Profile Update Handler. The manipulation of the argument name/mobno leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-225318 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-36940 | 1 Phpgurukul | 1 Online Fire Reporting System | 2023-12-21 | N/A | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL v.1.2 allows attackers to execute arbitrary code via a crafted payload injected into the search field. | |||||
| CVE-2023-36936 | 1 Phpgurukul | 1 Online Security Guards Hiring System | 2023-12-21 | N/A | 6.1 MEDIUM |
| Cross-Site Scripting (XSS) vulnerability in PHPGurukul Online Security Guards Hiring System using PHP and MySQL 1.0 allows attackers to execute arbitrary code via a crafted payload to the search booking box. | |||||
| CVE-2023-33580 | 1 Phpgurukul | 1 Student Study Center Management System | 2023-12-21 | N/A | 4.8 MEDIUM |
| Phpgurukul Student Study Center Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in the "Admin Name" field on Admin Profile page. | |||||
| CVE-2023-26958 | 1 Phpgurukul | 1 Park Ticketing Management System | 2023-12-21 | N/A | 4.8 MEDIUM |
| Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter. | |||||
| CVE-2022-34197 | 1 Jenkins | 1 Sauce Ondemand | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Sauce OnDemand Plugin 1.204 and earlier does not escape the name and description of Sauce Labs Browsers parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34786 | 1 Jenkins | 1 Rich Text Publisher | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Rich Text Publisher Plugin 1.4 and earlier does not escape the HTML message set by its post-build step, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. | |||||
| CVE-2022-34778 | 1 Jenkins | 1 Testng Results | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins TestNG Results Plugin 554.va4a552116332 and earlier renders the unescaped test descriptions and exception messages provided in test results if certain job-level options are set, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or control test results. | |||||
| CVE-2022-34777 | 1 Jenkins | 1 Gitlab | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34198 | 1 Jenkins | 1 Stash Branch Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier does not escape the name and description of Stash Branch parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34196 | 1 Jenkins | 1 Rest List Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins REST List Parameter Plugin 1.5.2 and earlier does not escape the name and description of REST list parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34195 | 1 Jenkins | 1 Repository Connector | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Repository Connector Plugin 2.2.0 and earlier does not escape the name and description of Maven Repository Artifact parameters on views displaying parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34791 | 1 Jenkins | 1 Validating Email Parameter | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Validating Email Parameter Plugin 1.10 and earlier does not escape the name and description of its parameter type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-34788 | 1 Jenkins | 1 Matrix Reloaded | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Matrix Reloaded Plugin 1.1.3 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | |||||
| CVE-2022-34787 | 1 Jenkins | 1 Project Inheritance | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Project Inheritance Plugin 21.04.03 and earlier does not escape the reason a build is blocked in tooltips, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control the reason a queue item is blocked. | |||||
| CVE-2022-34784 | 1 Jenkins | 1 Build-metrics | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins build-metrics Plugin 1.3 does not escape the build description on one of its views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Build/Update permission. | |||||
| CVE-2022-34783 | 1 Jenkins | 1 Plot | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Plot Plugin 2.1.10 and earlier does not escape plot descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-29533 | 1 Misp | 1 Misp | 2023-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is XSS in app/Controller/OrganisationsController.php in a situation with a "weird single checkbox page." | |||||
| CVE-2022-29531 | 1 Misp | 1 Misp | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is stored XSS in the event graph via a tag name. | |||||
| CVE-2022-29530 | 1 Misp | 1 Misp | 2023-12-21 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in MISP before 2.4.158. There is stored XSS in the galaxy clusters. | |||||
| CVE-2022-25321 | 1 Cerebrate-project | 1 Cerebrate | 2023-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in Cerebrate through 1.4. XSS could occur in the bookmarks component. | |||||
| CVE-2022-25320 | 1 Cerebrate-project | 1 Cerebrate | 2023-12-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Cerebrate through 1.4. Username enumeration could occur. | |||||
| CVE-2022-25319 | 1 Cerebrate-project | 1 Cerebrate | 2023-12-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| An issue was discovered in Cerebrate through 1.4. Endpoints could be open even when not enabled. | |||||
| CVE-2022-30159 | 1 Microsoft | 3 Office Online Server, Office Web Apps Server, Sharepoint Server | 2023-12-21 | 4.3 MEDIUM | 5.5 MEDIUM |
| Microsoft Office Information Disclosure Vulnerability. This CVE ID is unique from CVE-2022-30171, CVE-2022-30172. | |||||
| CVE-2023-31489 | 2 Fedoraproject, Frrouting | 2 Fedora, Frrouting | 2023-12-21 | N/A | 5.5 MEDIUM |
| An issue found in Frrouting bgpd v.8.4.2 allows a remote attacker to cause a denial of service via the bgp_capability_llgr() function. | |||||
| CVE-2023-36941 | 1 Phpgurukul | 1 Online Fire Reporting System | 2023-12-21 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in PHPGurukul Online Fire Reporting System Using PHP and MySQL 1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the team name, leader, and member fields. | |||||
| CVE-2022-29048 | 2 Apple, Jenkins | 2 Macos, Subversion | 2023-12-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Subversion Plugin 2.15.3 and earlier allows attackers to connect to an attacker-specified URL. | |||||
| CVE-2022-24227 | 1 Boltwire | 1 Boltwire | 2023-12-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in BoltWire v7.10 and v 8.00 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the name and lastname parameters. | |||||