Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22137 | 2024-01-13 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch Constant Contact Forms by MailMunch allows Stored XSS.This issue affects Constant Contact Forms by MailMunch: from n/a through 2.0.11. | |||||
| CVE-2024-22142 | 2024-01-13 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Profile Builder Pro allows Reflected XSS.This issue affects Profile Builder Pro: from n/a through 3.10.0. | |||||
| CVE-2023-6801 | 1 Themeisle | 1 Rss Aggregator By Feedzy | 2024-01-12 | N/A | 5.4 MEDIUM |
| The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-45992 | 1 Commscope | 1 Ruckus Cloudpath Enrollment System | 2024-01-12 | N/A | 9.6 CRITICAL |
| A vulnerability in the web-based interface of the RUCKUS Cloudpath product on version 5.12 build 5538 or before to could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface. A successful attack, combined with a certain admin activity, could allow the attacker to gain full admin privileges on the exploited system. | |||||
| CVE-2024-0467 | 2024-01-12 | N/A | N/A | ||
| A vulnerability, which was classified as problematic, was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_position_query.php. The manipulation of the argument pos_name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250572. | |||||
| CVE-2023-6148 | 1 Qualys | 1 Policy Compliance | 2024-01-12 | N/A | 5.4 MEDIUM |
| Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or edit jobs to utilize the plugin to configure a potential rouge endpoint via which it was possible to control response for certain request which could be injected with XSS payloads leading to XSS while processing the response data | |||||
| CVE-2024-0226 | 1 Synopsys | 1 Seeker | 2024-01-12 | N/A | 5.4 MEDIUM |
| Synopsys Seeker versions prior to 2023.12.0 are vulnerable to a stored cross-site scripting vulnerability through a specially crafted payload. | |||||
| CVE-2022-28975 | 1 Infoblox | 1 Nios | 2024-01-12 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in Infoblox NIOS v8.5.2-409296 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the VLAN View Name field. | |||||
| CVE-2024-22370 | 1 Jetbrains | 1 Youtrack | 2024-01-12 | N/A | 5.4 MEDIUM |
| In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible | |||||
| CVE-2024-0343 | 1 Simple House Rental System Project | 1 Simple House Rental System | 2024-01-12 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic was found in CodeAstro Simple House Rental System 5.6. Affected by this vulnerability is an unknown functionality of the component Login Panel. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-250111. | |||||
| CVE-2023-51246 | 1 Get-simple | 1 Getsimplecms | 2024-01-12 | N/A | 5.4 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page. | |||||
| CVE-2023-50982 | 1 Studip | 1 Stud.ip | 2024-01-12 | N/A | 9.0 CRITICAL |
| Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executable files, because upload_action and edit_action in Admin_SmileysController do not check the file extension. This leads to remote code execution with the privileges of the www-data user. The fixed versions are 5.3.4, 5.2.6, 5.1.7, and 5.0.9. | |||||
| CVE-2023-27739 | 1 Easyxdm | 1 Easyxdm | 2024-01-12 | N/A | 6.1 MEDIUM |
| easyXDM 2.5 allows XSS via the xdm_e parameter. | |||||
| CVE-2023-29052 | 1 Open-xchange | 1 Ox App Suite | 2024-01-12 | N/A | 5.4 MEDIUM |
| Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known. | |||||
| CVE-2023-29049 | 1 Open-xchange | 1 Ox App Suite | 2024-01-12 | N/A | 6.1 MEDIUM |
| The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known. | |||||
| CVE-2023-41710 | 1 Open-xchange | 1 Ox App Suite | 2024-01-12 | N/A | 5.4 MEDIUM |
| User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known. | |||||
| CVE-2024-0423 | 2024-01-12 | N/A | N/A | ||
| A vulnerability was found in CodeAstro Online Food Ordering System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file dishes.php. The manipulation of the argument res_id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-250442 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0422 | 2024-01-12 | N/A | N/A | ||
| A vulnerability was found in CodeAstro POS and Inventory Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /new_item of the component New Item Creation Page. The manipulation of the argument new_item leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250441 was assigned to this vulnerability. | |||||
| CVE-2022-4960 | 2024-01-12 | N/A | N/A | ||
| A vulnerability, which was classified as problematic, has been found in cloudfavorites favorites-web 1.3.0. Affected by this issue is some unknown functionality of the component Nickname Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-250238 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-22199 | 2024-01-12 | N/A | N/A | ||
| This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users' browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to `true`, effectively mitigating the risk of XSS attacks. | |||||
| CVE-2022-4959 | 2024-01-12 | N/A | N/A | ||
| A vulnerability classified as problematic was found in qkmc-rk redbbs 1.0. Affected by this vulnerability is an unknown functionality of the component Nickname Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250237 was assigned to this vulnerability. | |||||
| CVE-2023-26449 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-01-12 | N/A | 5.4 MEDIUM |
| The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known. | |||||
| CVE-2023-26450 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-01-12 | N/A | 5.4 MEDIUM |
| The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known. | |||||
| CVE-2023-26447 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-01-12 | N/A | 5.4 MEDIUM |
| The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known. | |||||
| CVE-2023-26446 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-01-12 | N/A | 5.4 MEDIUM |
| The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known. | |||||
| CVE-2023-26456 | 1 Open-xchange | 1 Ox Guard | 2024-01-12 | N/A | 5.4 MEDIUM |
| Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known. | |||||
| CVE-2023-26445 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-01-12 | N/A | 5.4 MEDIUM |
| Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known. | |||||
| CVE-2023-26448 | 1 Open-xchange | 1 Open-xchange Appsuite Frontend | 2024-01-12 | N/A | 5.4 MEDIUM |
| Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content for those locations to avoid redirects to malicious content. No publicly available exploits are known. | |||||
| CVE-2023-29044 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 5.4 MEDIUM |
| Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get escaped to avoid code execution. No publicly available exploits are known. | |||||
| CVE-2023-29043 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 6.1 MEDIUM |
| Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document. Script code embedded in malicious documents could be executed in the context of the user editing the document when performing certain actions, like copying content. The relevant attribute does now get encoded to avoid the possibility of executing script code. No publicly available exploits are known. | |||||
| CVE-2023-29045 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-01-12 | N/A | 5.4 MEDIUM |
| Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now gets checked for validity to avoid code execution. No publicly available exploits are known. | |||||
| CVE-2023-6594 | 1 Maxfoundry | 1 Maxbuttons | 2024-01-11 | N/A | 4.8 MEDIUM |
| The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Administrators can give button creation privileges to users with lower levels (contributor+) which would allow those lower-privileged users to carry out attacks. | |||||
| CVE-2023-27000 | 1 Netscout | 1 Ngeniusone | 2024-01-11 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability found in NetScoutnGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the name parameter of the Profile and Exclusion List page(s). | |||||
| CVE-2024-21738 | 1 Sap | 1 Netweaver Application Server Abap | 2024-01-11 | N/A | 5.4 MEDIUM |
| SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation. | |||||
| CVE-2023-7027 | 1 Wpexperts | 1 Post Smtp | 2024-01-11 | N/A | 5.4 MEDIUM |
| The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-52196 | 1 Ewels | 1 Cpt Bootstrap Carousel | 2024-01-11 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Phil Ewels CPT Bootstrap Carousel allows Reflected XSS.This issue affects CPT Bootstrap Carousel: from n/a through 1.12. | |||||
| CVE-2023-52265 | 1 Idurar Project | 1 Idurar | 2024-01-11 | N/A | 5.4 MEDIUM |
| IDURAR (aka idurar-erp-crm) through 2.0.1 allows stored XSS via a PATCH request with a crafted JSON email template in the /api/email/update data. | |||||
| CVE-2023-52198 | 1 Michielvaneerd | 1 Private Google Calendars | 2024-01-11 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michiel van Eerd Private Google Calendars allows Stored XSS.This issue affects Private Google Calendars: from n/a through 20231125. | |||||
| CVE-2023-52197 | 1 Impactpixel | 1 Ads Invalid Click Protection | 2024-01-11 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Impactpixel Ads Invalid Click Protection allows Stored XSS.This issue affects Ads Invalid Click Protection: from n/a through 1.0. | |||||
| CVE-2023-26998 | 1 Netscout | 1 Ngeniusone | 2024-01-11 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability found in NetScoutnGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the creator parameter of the Alert Configuration page. | |||||
| CVE-2023-6529 | 1 Coderex | 1 Wp Vr | 2024-01-11 | N/A | 6.1 MEDIUM |
| The WP VR WordPress plugin before 8.3.15 does not authorisation and CSRF in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities. | |||||
| CVE-2023-6627 | 1 Codecabin | 1 Wp Go Maps | 2024-01-11 | N/A | 6.1 MEDIUM |
| The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site. | |||||
| CVE-2023-6555 | 1 I13websolution | 1 Email Subscription Popup | 2024-01-11 | N/A | 6.1 MEDIUM |
| The Email Subscription Popup WordPress plugin before 1.2.20 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-52213 | 1 Videowhisper | 1 Rate Star Review | 2024-01-11 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VideoWhisper Rate Star Review – AJAX Reviews for Content, with Star Ratings allows Reflected XSS.This issue affects Rate Star Review – AJAX Reviews for Content, with Star Ratings: from n/a through 1.5.1. | |||||
| CVE-2023-52203 | 1 Cformsii Project | 1 Cformsii | 2024-01-11 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Oliver Seidel, Bastian Germann cformsII allows Stored XSS.This issue affects cformsII: from n/a through 15.0.5. | |||||
| CVE-2023-6161 | 1 Themeum | 1 Wp Crowdfunding | 2024-01-11 | N/A | 6.1 MEDIUM |
| The WP Crowdfunding WordPress plugin before 2.1.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-6141 | 1 G5plus | 1 Essential Real Estate | 2024-01-11 | N/A | 5.4 MEDIUM |
| The Essential Real Estate WordPress plugin before 4.4.0 does not apply proper capability checks on its AJAX actions, which among other things, allow attackers with a subscriber account to conduct Stored XSS attacks. | |||||
| CVE-2023-5911 | 1 Hamidrezasepehr | 1 Wp Custom Cursors \| Wordpress Cursor Plugin | 2024-01-11 | N/A | 4.8 MEDIUM |
| The WP Custom Cursors | WordPress Cursor Plugin WordPress plugin through 3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-21745 | 1 Laybuy | 1 Laybuy Payment Extension For Woocommerce | 2024-01-11 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Stored XSS.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9. | |||||
| CVE-2024-21744 | 1 Mapster | 1 Mapster Wp Maps | 2024-01-11 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mapster Technology Inc. Mapster WP Maps allows Stored XSS.This issue affects Mapster WP Maps: from n/a through 1.2.38. | |||||