Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-36637 | 1 Adminserv Project | 1 Adminserv | 2023-12-20 | N/A | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ. It has been declared as problematic. This vulnerability affects unknown code of the file resources/core/adminserv.php. The manipulation of the argument text leads to cross site scripting. The attack can be initiated remotely. The patch is identified as 3ed17dab3b4d6e8bf1c82ddfbf882314365e9cd7. It is recommended to apply a patch to fix this issue. VDB-217042 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2013-4584 | 2 Debian, Horms | 2 Debian Linux, Perdition | 2023-12-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server: ssl_outgoing_ciphers is not being applied to STARTTLS connections. | |||||
| CVE-2023-47271 | 1 Sfu | 1 Pkp Web Application Library | 2023-12-20 | N/A | 5.3 MEDIUM |
| PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an issue cover image. | |||||
| CVE-2023-5512 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 5.7 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names, leading to incorrect representation in the UI. | |||||
| CVE-2023-5061 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API. | |||||
| CVE-2023-42883 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2023-12-19 | N/A | 5.5 MEDIUM |
| The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image may lead to a denial-of-service. | |||||
| CVE-2023-50720 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 5.3 MEDIUM |
| XWiki Platform is a generic wiki platform. Prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-49185 | 1 Doofinder | 1 Doofinder | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Doofinder Doofinder WP & WooCommerce Search allows Reflected XSS. This issue affects Doofinder WP & WooCommerce Search: from n/a through 2.1.7. | |||||
| CVE-2023-49184 | 1 Wpdeveloper | 1 Parallax Slider Block | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Parallax Slider Block allows Stored XSS. This issue affects Parallax Slider Block: from n/a through 1.2.4. | |||||
| CVE-2023-49183 | 1 Nextscripts | 1 Social Networks Auto Poster | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NextScripts NextScripts: Social Networks Auto-Poster allows Reflected XSS. This issue affects NextScripts: Social Networks Auto-Poster: from n/a through 4.4.2. | |||||
| CVE-2023-50266 | 1 Bazarr | 1 Bazarr | 2023-12-19 | N/A | 5.3 MEDIUM |
| Bazarr manages and downloads subtitles. In version 1.2.4, the proxy method in bazarr/bazarr/app/ui.py does not validate the user-controlled protocol and url variables and passes them to requests.get() without any sanitization, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting GET requests to internal and external resources on behalf of the server. 1.3.1 contains a partial fix, which limits the vulnerability to HTTP/HTTPS protocols. | |||||
| CVE-2023-49182 | 1 Marzocca | 1 List All Posts By Authors Nested Categories And Titles | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fabio Marzocca List all posts by Authors, nested Categories and Titles allows Reflected XSS. This issue affects List all posts by Authors, nested Categories and Titles: from n/a through 2.7.10. | |||||
| CVE-2023-36878 | 1 Microsoft | 1 Edge Chromium | 2023-12-19 | N/A | 4.3 MEDIUM |
| Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
| CVE-2023-49181 | 1 Wp-eventmanager | 1 Wp Event Manager | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Event Manager WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce allows Stored XSS. This issue affects WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce: from n/a through 3.1.40. | |||||
| CVE-2023-49187 | 1 Spoonthemes | 1 Adifier | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spoonthemes Adifier - Classified Ads WordPress Theme allows Reflected XSS. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4. | |||||
| CVE-2023-49188 | 1 Zealousweb | 1 Track Geolocation Of Users Using Contact Form 7 | 2023-12-19 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZealousWeb Track Geolocation Of Users Using Contact Form 7 allows Stored XSS. This issue affects Track Geolocation Of Users Using Contact Form 7: from n/a through 1.4. | |||||
| CVE-2023-27317 | 1 Netapp | 1 Ontap | 2023-12-19 | N/A | 4.6 MEDIUM |
| ONTAP 9 versions 9.12.1P8, 9.13.1P4, and 9.13.1P5 are susceptible to a vulnerability which will cause all SAS-attached FIPS 140-2 drives to become unlocked after a system reboot or power cycle or a single SAS-attached FIPS 140-2 drive to become unlocked after reinsertion. This could lead to disclosure of sensitive information to an attacker with physical access to the unlocked drives. | |||||
| CVE-2023-49175 | 1 Kreativopro | 1 Kp Fastest Tawk.to Chat | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kreativo Pro KP Fastest Tawk.To Chat allows Stored XSS. This issue affects KP Fastest Tawk.To Chat: from n/a through 1.1.1. | |||||
| CVE-2023-49176 | 1 Coderevolution | 1 Wp Pocket Urls | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution WP Pocket URLs allows Reflected XSS. This issue affects WP Pocket URLs: from n/a through 1.0.2. | |||||
| CVE-2023-49174 | 1 Dfactory | 1 Responsive Lightbox | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS. This issue affects Responsive Lightbox & Gallery: from n/a through 2.4.5. | |||||
| CVE-2023-49180 | 1 Ternstyle | 1 Automatic Youtube Video Posts | 2023-12-19 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ternstyle LLC Automatic Youtube Video Posts Plugin allows Stored XSS. This issue affects Automatic Youtube Video Posts Plugin: from n/a through 5.2.2. | |||||
| CVE-2023-50710 | 1 Hono | 1 Hono | 2023-12-19 | N/A | 4.3 MEDIUM |
| Hono is a web framework written in TypeScript. Prior to version 3.11.7, clients may override named path parameter values from previous requests if the application is using TrieRouter. So, there is a risk that a privileged user may use unintended parameters when deleting REST API resources. TrieRouter is used either explicitly or when the application matches a pattern that is not supported by the default RegExpRouter. Version 3.11.7 includes the change to fix this issue. As a workaround, avoid using TrieRouter directly. | |||||
| CVE-2023-49177 | 1 Gillesdumas | 1 Which Template File | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gilles Dumas which template file allows Reflected XSS. This issue affects which template file: from n/a through 4.9.0. | |||||
| CVE-2023-25650 | 1 Zte | 2 Zxcloud Irai, Zxcloud Irai Firmware | 2023-12-19 | N/A | 6.5 MEDIUM |
| There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads. | |||||
| CVE-2023-49157 | 1 Andreasmuench | 1 Multiple Post Passwords | 2023-12-19 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andreas Münch Multiple Post Passwords allows Stored XSS. This issue affects Multiple Post Passwords: from n/a through 1.1.1. | |||||
| CVE-2023-49152 | 1 Labs64 | 1 Credit Tracker | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Labs64 Credit Tracker allows Stored XSS. This issue affects Credit Tracker: from n/a through 1.1.17. | |||||
| CVE-2023-49151 | 1 Sureswiftcapital | 1 Simple Calendar | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Calendar Simple Calendar – Google Calendar Plugin allows Stored XSS. This issue affects Simple Calendar – Google Calendar Plugin: from n/a through 3.2.6. | |||||
| CVE-2023-41337 | 1 Dena | 1 H2o | 2023-12-19 | N/A | 6.7 MEDIUM |
| h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In version 2.3.0-beta2 and prior, when h2o is configured to listen to multiple addresses or ports with each of them using different backend servers managed by multiple entities, a malicious backend entity that also has the opportunity to observe or inject packets exchanged between the client and h2o may misdirect HTTPS requests going to other backends and observe the contents of that HTTPS request being sent. The attack involves a victim client trying to resume a TLS connection and an attacker redirecting the packets to a different address or port than that intended by the client. The attacker must already have been configured by the administrator of h2o to act as a backend to one of the addresses or ports that the h2o instance listens to. Session IDs and tickets generated by h2o are not bound to information specific to the server address, port, or the X.509 certificate, and therefore it is possible for an attacker to force the victim connection to wrongfully resume against a different server address or port on which the same h2o instance is listening. Once a TLS session is misdirected to resume to a server address / port that is configured to use an attacker-controlled server as the backend, depending on the configuration, HTTPS requests from the victim client may be forwarded to the attacker's server. An H2O instance is vulnerable to this attack only if the instance is configured to listen to different addresses or ports using the listen directive at the host level and the instance is configured to connect to backend servers managed by multiple entities. A patch is available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab. As a workaround, one may stop using host-level listen directives in favor of global-level ones. | |||||
| CVE-2023-46713 | 1 Fortinet | 1 Fortiweb | 2023-12-19 | N/A | 5.3 MEDIUM |
| An improper output neutralization for logs in Fortinet FortiWeb 6.2.0 - 6.2.8, 6.3.0 - 6.3.23, 7.0.0 - 7.0.9, 7.2.0 - 7.2.5 and 7.4.0 may allow an attacker to forge traffic logs via a crafted URL of the web application. | |||||
| CVE-2023-50871 | 1 Jetbrains | 1 Youtrack | 2023-12-19 | N/A | 4.3 MEDIUM |
| In JetBrains YouTrack before 2023.3.22268, the authorization check for inline comments inside thread replies was missed. | |||||
| CVE-2023-49160 | 1 Formzu | 1 Formzu Wp | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in formzu Inc. Formzu WP allows Stored XSS. This issue affects Formzu WP: from n/a through 1.6.6. | |||||
| CVE-2023-49860 | 1 Wedevs | 1 Wp Project Manager | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts allows Stored XSS. This issue affects WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts: from n/a through 2.6.7. | |||||
| CVE-2023-6545 | 1 Beckhoff | 2 Authelia-bhf, Twincat/bsd | 2023-12-19 | N/A | 4.7 MEDIUM |
| The package authelia-bhf included in Beckhoff's TwinCAT/BSD is prone to an open redirect that allows a remote unprivileged attacker to redirect a user to another site. This may have limited impact to integrity and solely affects authelia-bhf, the Beckhoff fork of authelia. | |||||
| CVE-2023-49842 | 1 Wpexperts | 1 Rocket Maintenance Mode & Coming Soon Page | 2023-12-19 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpexpertsio Rocket Maintenance Mode & Coming Soon Page allows Stored XSS. This issue affects Rocket Maintenance Mode & Coming Soon Page: from n/a through 4.3. | |||||
| CVE-2023-49150 | 1 Currencyratetoday | 1 Crypto Converter Widget | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CurrencyRate.Today Crypto Converter Widget allows Stored XSS. This issue affects Crypto Converter Widget: from n/a through 1.8.1. | |||||
| CVE-2023-49149 | 1 Currencyratetoday | 1 Currency Converter Calculator | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CurrencyRate.Today Currency Converter Calculator allows Stored XSS. This issue affects Currency Converter Calculator: from n/a through 1.3.1. | |||||
| CVE-2023-49739 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2023-12-19 | N/A | 6.1 MEDIUM |
| [PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATFORMS] allows [ATTACKER] to [IMPACT] via [VECTOR] | |||||
| CVE-2023-48765 | 1 Tillkruss | 1 Email Address Encoder | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Till Krüss Email Address Encoder allows Stored XSS. This issue affects Email Address Encoder: from n/a through 1.0.22. | |||||
| CVE-2023-48780 | 1 Maevelander | 1 Wp Catalogue | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnigmaWeb WP Catalogue allows Stored XSS. This issue affects WP Catalogue: from n/a through 1.7.6. | |||||
| CVE-2023-6595 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate ancillary credential information stored within WhatsUp Gold. | |||||
| CVE-2023-6368 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.3 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, an API endpoint was found to be missing an authentication mechanism. It is possible for an unauthenticated attacker to enumerate information related to a registered device being monitored by WhatsUp Gold. | |||||
| CVE-2023-6367 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.4 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser. | |||||
| CVE-2022-45365 | 1 Urosevic | 1 Stock Ticker | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Urošević Stock Ticker allows Reflected XSS. This issue affects Stock Ticker: from n/a through 3.23.2. | |||||
| CVE-2023-6366 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.4 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within Alert Center. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser. | |||||
| CVE-2023-40655 | 1 Mooj | 1 Proforms | 2023-12-19 | N/A | 6.1 MEDIUM |
| A reflected XSS vulnerability was discovered in the Proforms Basic component for Joomla. | |||||
| CVE-2023-49770 | 1 Petersplugins | 1 Smart External Link Click Monitor [Link Log] | 2023-12-19 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Peter Raschendorfer Smart External Link Click Monitor [Link Log] allows Stored XSS. This issue affects Smart External Link Click Monitor [Link Log]: from n/a through 5.0.2. | |||||
| CVE-2023-40656 | 1 Plasma-web | 1 Quickform | 2023-12-19 | N/A | 6.1 MEDIUM |
| A reflected XSS vulnerability was discovered in the Quickform component for Joomla. | |||||
| CVE-2023-6365 | 1 Progress | 1 Whatsup Gold | 2023-12-19 | N/A | 5.4 MEDIUM |
| In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft an XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim's browser. | |||||
| CVE-2023-40659 | 1 Joomboost | 1 Easy Quick Contact | 2023-12-19 | N/A | 6.1 MEDIUM |
| A reflected XSS vulnerability was discovered in the Easy Quick Contact module for Joomla. | |||||
| CVE-2023-40658 | 1 Deconf | 1 Clicky Analytics Dashboard | 2023-12-19 | N/A | 6.1 MEDIUM |
| A reflected XSS vulnerability was discovered in the Clicky Analytics Dashboard module for Joomla. | |||||
