Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-47850 | 1 Peepso | 1 Peepso | 2023-12-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles allows Stored XSS. This issue affects Community by PeepSo – Social Network, Membership, Registration, User Profiles: from n/a through 6.2.2.0. | |||||
| CVE-2023-44383 | 1 Octobercms | 1 October | 2023-12-05 | N/A | 5.4 MEDIUM |
| October is a Content Management System (CMS) and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This issue has been patched in version 3.5.2. | |||||
| CVE-2023-47777 | 1 Automattic | 2 Woocommerce, Woocommerce Blocks | 2023-12-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1. | |||||
| CVE-2023-49077 | 1 Mailcow | 1 Mailcow | 2023-12-05 | N/A | 6.1 MEDIUM |
| Mailcow: dockerized is an open-source groupware/email suite based on Docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11. | |||||
| CVE-2023-6217 | 1 Progress | 1 Moveit Transfer | 2023-12-05 | N/A | 6.1 MEDIUM |
| In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser. | |||||
| CVE-2023-48882 | 1 Eyoucms | 1 Eyoucms | 2023-12-05 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn. | |||||
| CVE-2023-48881 | 1 Eyoucms | 1 Eyoucms | 2023-12-05 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn. | |||||
| CVE-2023-48880 | 1 Eyoucms | 1 Eyoucms | 2023-12-05 | N/A | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Menu Name field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn. | |||||
| CVE-2023-49090 | 1 Carrierwave Project | 1 Carrierwave | 2023-12-05 | N/A | 6.1 MEDIUM |
| CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5. | |||||
| CVE-2023-43015 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-04 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 266064. | |||||
| CVE-2023-42009 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-04 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 265504. | |||||
| CVE-2023-42022 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-04 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 265938. | |||||
| CVE-2023-46174 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-12-04 | N/A | 5.4 MEDIUM |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269506. | |||||
| CVE-2023-35139 | 1 Zyxel | 20 Atp100, Atp100w, Atp200 and 17 more | 2023-12-04 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the CGI program of the Zyxel ATP series firmware versions 5.10 through 5.37, USG FLEX series firmware versions 5.00 through 5.37, USG FLEX 50(W) series firmware versions 5.10 through 5.37, USG20(W)-VPN series firmware versions 5.10 through 5.37, and VPN series firmware versions 5.00 through 5.37, could allow an unauthenticated LAN-based attacker to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed to steal cookies when the user visits the specific CGI used for dumping ZTP logs. | |||||
| CVE-2023-49078 | 1 Zediious | 1 Raptor-web | 2023-12-04 | N/A | 6.1 MEDIUM |
| raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that results in a reflected cross-site scripting vulnerability: a user-controlled URL parameter is loaded into an internal template that has autoescape disabled. This affects all deployments of `raptor-web` on version `0.4.4`, and any victim who clicks on a maliciously crafted link is affected. This issue has been patched in version 0.4.4.1. | |||||
| CVE-2023-6225 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2023-12-04 | N/A | 5.4 MEDIUM |
| The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_meta shortcode combined with post meta data in all versions up to, and including, 5.13.3 due to insufficient input sanitization and output escaping on user supplied meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-4220 | 1 Chamilo | 1 Chamilo Lms | 2023-12-04 | N/A | 6.1 MEDIUM |
| Unrestricted file upload in the big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via upload of a web shell. | |||||
| CVE-2023-5653 | 1 Wassup Real Time Analytics Project | 1 Wassup Real Time Analytics | 2023-12-04 | N/A | 6.1 MEDIUM |
| The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP addresses supplied via certain request headers before outputting them in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged-in admins. | |||||
| CVE-2023-5605 | 1 Kaizencoders | 1 Url Shortify | 2023-12-04 | N/A | 4.8 MEDIUM |
| The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-6431 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/categories_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6428 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6427 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6430 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/transactions_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6423 | 1 Bigprof | 1 Online Clinic Management System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/events_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6420 | 1 Aatifaneeq | 1 Voovi | 2023-12-02 | N/A | 6.1 MEDIUM |
| A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows XSS via signup2.php in the emailadd parameter, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user. | |||||
| CVE-2023-6432 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/items_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6424 | 1 Bigprof | 1 Online Clinic Management System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/disease_symptoms_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6429 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/clients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6426 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /invoicing/app/invoices_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6422 | 1 Bigprof | 1 Online Clinic Management System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/patients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6425 | 1 Bigprof | 1 Online Clinic Management System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/medical_records_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6419 | 1 Aatifaneeq | 1 Voovi | 2023-12-02 | N/A | 6.1 MEDIUM |
| A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows XSS via editprofile.php in multiple parameters, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user. | |||||
| CVE-2023-6433 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/suppliers_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6434 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/sections_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-6435 | 1 Bigprof | 1 Online Invoicing System | 2023-12-02 | N/A | 5.4 MEDIUM |
| A vulnerability has been discovered in BigProf Online Invoicing System 2.6, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /inventory/batches_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | |||||
| CVE-2023-5620 | 1 Webpushr | 1 Web Push Notifications | 2023-12-02 | N/A | 5.4 MEDIUM |
| The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks. | |||||
| CVE-2023-5738 | 1 Webtoffee | 1 Backup And Migration | 2023-12-02 | N/A | 5.4 MEDIUM |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. | |||||
| CVE-2023-5958 | 1 Wpexperts | 1 Post Smtp Mailer | 2023-12-02 | N/A | 6.1 MEDIUM |
| The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users. | |||||
| CVE-2023-47831 | 1 Assortedchips | 1 Drawit | 2023-12-02 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the assorted[chips] DrawIt (draw.Io) plugin, affecting versions <= 1.1.3. | |||||
| CVE-2023-2707 | 1 Gappointments | 1 Gappointments | 2023-12-02 | N/A | 4.8 MEDIUM |
| The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2022-27913 | 1 Joomla | 1 Joomla! | 2023-12-02 | N/A | 6.1 MEDIUM |
| An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in various components. | |||||
| CVE-2022-27914 | 1 Joomla | 1 Joomla! | 2023-12-02 | N/A | 6.1 MEDIUM |
| An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate filtering of potentially malicious user input leads to reflected XSS vulnerabilities in com_media. | |||||
| CVE-2023-39971 | 1 Acymailing | 1 Acymailing | 2023-12-02 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation vulnerability in the AcyMailing Enterprise component for Joomla allows XSS. This issue affects the AcyMailing Enterprise component for Joomla, versions 6.7.0 through 8.6.3. | |||||
| CVE-2023-47755 | 1 Aazztech | 1 Woocommerce Product Carousel Slider | 2023-12-02 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the AazzTech WooCommerce Product Carousel Slider plugin, affecting versions <= 3.3.5. | |||||
| CVE-2023-5708 | 1 Wp Post Columns Project | 1 Wp Post Columns | 2023-12-02 | N/A | 5.4 MEDIUM |
| The WP Post Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'column' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5706 | 1 Vektor-inc | 1 Vk Blocks | 2023-12-02 | N/A | 5.4 MEDIUM |
| The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2014-125096 | 1 Fancy Gallery Project | 1 Fancy Gallery | 2023-12-01 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Fancy Gallery Plugin 1.5.12 on WordPress and has been declared problematic. Affected by this vulnerability is an unknown functionality of the file class.options.php of the component Options Page. The manipulation leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 1.5.13 addresses this issue. The identifier of the patch is fdf1f9e5a1ec738900f962e69c6fa4ec6055ed8d. It is recommended to upgrade the affected component. The identifier VDB-225349 was assigned to this vulnerability. | |||||
| CVE-2014-125095 | 1 Bestwebsoft | 1 Contact Form | 2023-12-01 | N/A | 6.1 MEDIUM |
| A vulnerability was found in BestWebSoft Contact Form Plugin 1.3.4 on WordPress and classified as problematic. Affected by this issue is the function bws_add_menu_render of the file bws_menu/bws_menu.php. Manipulation of the argument bwsmn_form_email leads to cross-site scripting. The attack may be launched remotely. Upgrading to version 1.3.7 addresses this issue. The identifier of the patch is 4d531f74b4a801c805dc80360d4ea1312e9a278f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225320. | |||||
| CVE-2017-20155 | 1 Sterc | 1 Google Analytics Dashboard For Modx | 2023-12-01 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5 and has been declared problematic. Affected by this vulnerability is an unknown functionality of the file core/components/analyticsdashboardwidget/elements/tpl/widget.analytics.tpl of the component Internal Search. The manipulation leads to cross-site scripting. The attack can be launched remotely. Upgrading to version 1.0.6 addresses this issue. The identifier of the patch is 855d9560d3782c105568eedf9b22a769fbf29cc0. It is recommended to upgrade the affected component. The identifier VDB-217069 was assigned to this vulnerability. | |||||
| CVE-2023-49145 | 1 Apache | 1 Nifi | 2023-12-01 | N/A | 5.4 MEDIUM |
| Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, then arbitrary JavaScript code can be executed within the session context of the authenticated user. Upgrading to Apache NiFi 1.24.0 or 2.0.0-M1 is the recommended mitigation. | |||||
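The CarrierWave entry above (CVE-2023-49090) says only that `allowlisted_content_type?` decides by a partial match. The Ruby below is an added illustration of that flaw class and is not CarrierWave's code; it assumes the partial match is an allowlist entry turned into an unanchored pattern and tested with `=~`, that entries may be strings or Regexp, and it uses constructed Content-Type values. The hardened variant strips MIME parameters, normalises case and anchors the match at both ends.

```ruby
# Added illustration of the flaw class in CVE-2023-49090; not CarrierWave's
# code. Assumption: the "partial match" is an allowlist entry interpolated
# into an unanchored regex and tested with =~.

# Allowlist entries as strings or Regexp (assumed to mirror CarrierWave's
# accepted forms).
ALLOWLIST = ['image/png', 'image/jpeg', %r{image/gif}].freeze

# Vulnerable form: an unanchored pattern only has to occur *somewhere* inside
# the supplied Content-Type, so "text/html; x=image/png" passes.
def allowlisted_partial?(content_type, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /#{item}/
  end
end

# Hardened form: isolate the media type from its parameters, lower-case it
# (media types are case-insensitive), then require the whole media type to
# equal an entry by anchoring with \A and \z.
def allowlisted_anchored?(content_type, allowlist = ALLOWLIST)
  media_type = content_type.to_s.split(';', 2).first.to_s.strip.downcase
  allowlist.any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    media_type.match?(/\A#{item}\z/)
  end
end

# Constructed probe values: a legitimate type, a plain disallowed type, a
# crafted value that smuggles an allowlisted type inside a parameter, and an
# allowlisted type carrying a harmless parameter.
PROBES = [
  'image/png',
  'text/html',
  'text/html; x=image/png',
  'image/png; charset=binary'
].freeze

# Returns [content_type, partial_result, anchored_result] for each probe.
def compare_checks(probes = PROBES)
  probes.map { |ct| [ct, allowlisted_partial?(ct), allowlisted_anchored?(ct)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |ct, partial, anchored|
    puts format('%-28s partial=%-5s anchored=%s', ct.inspect, partial, anchored)
  end
end
```

The third probe is the interesting row: the partial check accepts it because `image/png` appears inside a parameter, while the anchored check sees only `text/html` and rejects it. Note that neither check validates the file's actual bytes; a Content-Type allowlist is a first filter and should be paired with content sniffing and a `Content-Disposition: attachment` or separate-origin policy for serving user uploads.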
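The raptor-web entry above (CVE-2023-49078) describes a URL parameter rendered by a template with autoescape disabled. The Ruby below is an added example, not raptor-web's code and not its template engine; plain ERB performs no escaping on `<%= %>` output, so it stands in for the "autoescape disabled" template. The parameter name `q`, the URL and the templates are constructed for the illustration.

```ruby
require 'erb'
require 'cgi'
require 'uri'

# Added illustration of the flaw class in CVE-2023-49078; not raptor-web's
# code. ERB never escapes <%= %> output by default, which models a template
# whose autoescape is switched off.

VULNERABLE_TEMPLATE = ERB.new('<h1>Results for <%= query %></h1>')
HARDENED_TEMPLATE   = ERB.new('<h1>Results for <%= ERB::Util.html_escape(query) %></h1>')

# Extract the `q` parameter from a request URL (constructed input; no server).
# CGI.parse percent-decodes the value, exactly as a framework would.
def query_param(url)
  CGI.parse(URI(url).query.to_s).fetch('q', ['']).first
end

# Reflected XSS: attacker-controlled text is placed into the HTML verbatim.
def render_vulnerable(url)
  VULNERABLE_TEMPLATE.result_with_hash(query: query_param(url))
end

# Hardened: the same value is HTML-escaped at the output point, for the
# HTML text context it is rendered into.
def render_hardened(url)
  HARDENED_TEMPLATE.result_with_hash(query: query_param(url))
end

# Crude detector used by the demo: did an unescaped <script> tag survive?
def contains_raw_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  crafted = 'https://example.test/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E'
  puts render_vulnerable(crafted)
  puts render_hardened(crafted)
end
```

`ERB::Util.html_escape` is correct for HTML text and quoted-attribute contexts only; a value emitted inside a `<script>` block, an event-handler attribute or a URL needs the encoder for that context instead, which is why turning autoescape on is a baseline rather than a complete fix.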
