Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-5880 | 1 Geniecompany | 2 Aladdin Connect Garage Door Opener, Aladdin Connect Garage Door Opener Firmware | 2024-01-11 | N/A | 8.8 HIGH |
| When the Genie Company Aladdin Connect garage door opener (Retrofit-Kit Model ALDCM) is placed into configuration mode the web servers “Garage Door Control Module Setup” page is vulnerable to XSS via a broadcast SSID name containing malicious code with client side Java Script and/or HTML. This allows the attacker to inject malicious code with client side Java Script and/or HTML into the users' web browser. | |||||
| CVE-2023-7215 | 1 Chanzhaoyu | 1 Chatgpt Web | 2024-01-11 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in Chanzhaoyu chatgpt-web 2.11.1. This issue affects some unknown processing. The manipulation of the argument Description with the input <image src onerror=prompt(document.domain)> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249779. | |||||
| CVE-2024-0266 | 1 Yugeshverma | 1 Online Lawyer Management System | 2024-01-11 | N/A | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0. Affected is an unknown function of the component User Registration. The manipulation of the argument First Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249822 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0286 | 1 Phpgurukul | 1 Hospital Management System | 2024-01-11 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Hospital Management System 1.0. This affects an unknown part of the file index.php#contact_us of the component Contact Form. The manipulation of the argument Name/Email/Message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249843. | |||||
| CVE-2024-22048 | 1 Gov.uk | 1 Govuk Tech Docs | 2024-01-11 | N/A | 6.1 MEDIUM |
| govuk_tech_docs versions from 2.0.2 to before 3.3.1 are vulnerable to a cross-site scripting vulnerability. Malicious JavaScript may be executed in the user's browser if a malicious search result is displayed on the search page. | |||||
| CVE-2024-0246 | 1 Icewarp | 1 Icewarp | 2024-01-11 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in IceWarp 12.0.2.1/12.0.3.1. This affects an unknown part of the file /install/ of the component Utility Download Handler. The manipulation of the argument lang with the input 1%27"()%26%25<zzz><ScRiPt>alert(document.domain)</ScRiPt> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249759. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-50609 | 1 Ava | 1 Teaching Video Application Service Platform | 2024-01-11 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in AVA teaching video application service platform version 3.1, allows remote attackers to execute arbitrary code via a crafted script to ajax.aspx. | |||||
| CVE-2023-52178 | 1 Mojofywp | 1 Wp Affiliate Disclosure | 2024-01-11 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MojofyWP WP Affiliate Disclosure allows Stored XSS.This issue affects WP Affiliate Disclosure: from n/a through 1.2.7. | |||||
| CVE-2024-21637 | 2024-01-11 | N/A | N/A | ||
| Authentik is an open-source Identity Provider. Authentik is a vulnerable to a reflected Cross-Site Scripting vulnerability via JavaScript-URIs in OpenID Connect flows with `response_mode=form_post`. This relatively user could use the described attacks to perform a privilege escalation. This vulnerability has been patched in versions 2023.10.6 and 2023.8.6. | |||||
| CVE-2022-4958 | 2024-01-11 | N/A | N/A | ||
| A vulnerability classified as problematic has been found in qkmc-rk redbbs 1.0. Affected is an unknown function of the component Post Handler. The manipulation of the argument title leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250236. | |||||
| CVE-2023-47559 | 1 Qnap | 1 Qumagie | 2024-01-11 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: QuMagie 2.2.1 and later | |||||
| CVE-2023-3726 | 1 Ocsinventory-ng | 1 Ocsinventory-ocsreports | 2024-01-11 | N/A | 6.9 MEDIUM |
| OCSInventory allow stored email template with special characters that lead to a Stored cross-site Scripting. | |||||
| CVE-2022-0834 | 1 Wpamelia | 1 Amelia | 2024-01-11 | 3.5 LOW | 5.4 MEDIUM |
| The Amelia WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the lastName parameter found in the ~/src/Application/Controller/User/Customer/AddCustomerController.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user accesses the booking calendar with the date the attacker has injected the malicious payload into. This affects versions up to and including 1.0.46. | |||||
| CVE-2022-0889 | 1 Ninjaforms | 1 Ninja Forms File Uploads | 2024-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Ninja Forms - File Uploads Extension WordPress plugin is vulnerable to reflected cross-site scripting due to missing sanitization of the files filename parameter found in the ~/includes/ajax/controllers/uploads.php file which can be used by unauthenticated attackers to add malicious web scripts to vulnerable WordPress sites, in versions up to and including 3.3.12. | |||||
| CVE-2020-24704 | 1 Wso2 | 9 Api Manager, Api Manager Analytics, Api Microgateway and 6 more | 2024-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1. | |||||
| CVE-2020-17453 | 1 Wso2 | 8 Api Manager, Api Manager Analytics, Api Microgateway and 5 more | 2024-01-11 | 4.3 MEDIUM | 6.1 MEDIUM |
| WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter. | |||||
| CVE-2024-0262 | 1 Projectworlds | 1 Online Job Portal | 2024-01-10 | N/A | 4.8 MEDIUM |
| A vulnerability was found in Online Job Portal 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /Admin/News.php of the component Create News Page. The manipulation of the argument News with the input </title><scRipt>alert(0x00C57D)</scRipt> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249818 is the identifier assigned to this vulnerability. | |||||
| CVE-2016-10963 | 1 Icegram | 1 Icegram Engage | 2024-01-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| The icegram plugin before 1.9.19 for WordPress has XSS. | |||||
| CVE-2021-36832 | 1 Icegram | 1 Icegram Engage | 2024-01-10 | 3.5 LOW | 5.4 MEDIUM |
| WordPress Popups, Welcome Bar, Optins and Lead Generation Plugin – Icegram (versions <= 2.0.2) vulnerable at "Headline" (&message_data[16][headline]) input. | |||||
| CVE-2019-15830 | 1 Icegram | 1 Icegram Engage | 2024-01-10 | 3.5 LOW | 5.4 MEDIUM |
| The icegram plugin before 1.10.29 for WordPress has ig_cat_list XSS. | |||||
| CVE-2023-6498 | 1 Really-simple-plugins | 1 Complianz | 2024-01-10 | N/A | 4.8 MEDIUM |
| The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 6.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2023-6986 | 1 Wpdeveloper | 1 Embedpress | 2024-01-10 | N/A | 5.4 MEDIUM |
| The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's embed_oembed_html shortcode in all versions up to 3.9.5 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6738 | 1 Pagelayer | 1 Pagelayer | 2024-01-10 | N/A | 5.4 MEDIUM |
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pagelayer_header_code', 'pagelayer_body_open_code', and 'pagelayer_footer_code' meta fields in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This appears to be a reintroduction of a vulnerability patched in version 1.7.7. | |||||
| CVE-2023-6747 | 1 Fooplugins | 1 Foogallery | 2024-01-10 | N/A | 5.4 MEDIUM |
| The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for contributors and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-52322 | 1 Spip | 1 Spip | 2024-01-10 | N/A | 6.1 MEDIUM |
| ecrire/public/assembler.php in SPIP before 4.1.3 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics. | |||||
| CVE-2023-50630 | 1 Teamwork Management System Project | 1 Teamwork Management System | 2024-01-10 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in xiweicheng TMS v.2.28.0 allows a remote attacker to execute arbitrary code via a crafted script to the click here function. | |||||
| CVE-2023-7044 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2024-01-10 | N/A | 5.4 MEDIUM |
| The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom ID in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-21636 | 1 Viewcomponent | 1 View Component | 2024-01-10 | N/A | 6.1 MEDIUM |
| view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`. | |||||
| CVE-2024-22075 | 1 Firefly-iii | 1 Firefly Iii | 2024-01-10 | N/A | 6.1 MEDIUM |
| Firefly III (aka firefly-iii) before 6.1.1 allows webhooks HTML Injection. | |||||
| CVE-2024-0310 | 2024-01-10 | N/A | N/A | ||
| A content-security-policy vulnerability in ENS Control browser extension prior to 10.7.0 Update 15 allows a remote attacker to alter the response header parameter setting to switch the content security policy into report-only mode, allowing an attacker to bypass the content-security-policy configuration. | |||||
| CVE-2023-6980 | 1 Veronalabs | 1 Wp Sms | 2024-01-10 | N/A | 4.3 MEDIUM |
| The WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5. This is due to missing or incorrect nonce validation on the 'delete' action of the wp-sms-subscribers page. This makes it possible for unauthenticated attackers to delete subscribers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-52124 | 1 Shapedplugin | 1 Wp Tabs | 2024-01-10 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC WP Tabs – Responsive Tabs Plugin for WordPress allows Stored XSS.This issue affects WP Tabs – Responsive Tabs Plugin for WordPress: from n/a through 2.2.0. | |||||
| CVE-2023-52125 | 1 Iframe Project | 1 Iframe | 2024-01-10 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly iframe allows Stored XSS.This issue affects iframe: from n/a through 4.8. | |||||
| CVE-2023-44796 | 1 Limesurvey | 1 Limesurvey | 2024-01-10 | N/A | 5.4 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in LimeSurvey before version 6.2.9-230925 allows a remote attacker to escalate privileges via a crafted script to the _generaloptions_panel.php component. | |||||
| CVE-2024-0345 | 2024-01-10 | N/A | N/A | ||
| A vulnerability, which was classified as problematic, was found in CodeAstro Vehicle Booking System 1.0. This affects an unknown part of the file usr/usr-register.php of the component User Registration. The manipulation of the argument Full_Name/Last_Name/Address with the input <script>alert(document.cookie)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250113 was assigned to this vulnerability. | |||||
| CVE-2023-6600 | 1 Daan | 1 Omgf | 2024-01-10 | N/A | 5.4 MEDIUM |
| The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin's settings which can be used to inject Cross-Site Scripting payloads and delete entire directories. PLease note there were several attempted patched, and we consider 5.7.10 to be the most sufficiently patched. | |||||
| CVE-2023-6524 | 1 Mappresspro | 1 Mappress | 2024-01-09 | N/A | 5.4 MEDIUM |
| The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the map title parameter in all versions up to and including 2.88.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6629 | 1 Wpexperts | 1 Post Smtp | 2024-01-09 | N/A | 6.1 MEDIUM |
| The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-50092 | 1 Apiida | 1 Api Gateway Manager | 2024-01-09 | N/A | 6.1 MEDIUM |
| APIIDA API Gateway Manager for Broadcom Layer7 v2023.2 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2023-6621 | 1 Wpexperts | 1 Post Smtp | 2024-01-09 | N/A | 6.1 MEDIUM |
| The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2018-25097 | 1 Acumos | 1 Design Studio | 2024-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Acumos Design Studio up to 2.0.7. Affected is an unknown function. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.0.8 is able to address this issue. The name of the patch is 0df8a5e8722188744973168648e4c74c69ce67fd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-249420. | |||||
| CVE-2017-20188 | 1 Zimbra | 1 Zm-ajax | 2024-01-09 | N/A | 4.7 MEDIUM |
| A vulnerability has been found in Zimbra zm-ajax up to 8.8.1 and classified as problematic. Affected by this vulnerability is the function XFormItem.prototype.setError of the file WebRoot/js/ajax/dwt/xforms/XFormItem.js. The manipulation of the argument message leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 8.8.2 is able to address this issue. The identifier of the patch is 8d039d6efe80780adc40c6f670c06d21de272105. It is recommended to upgrade the affected component. The identifier VDB-249421 was assigned to this vulnerability. | |||||
| CVE-2015-10128 | 1 Royaltechbd | 1 Royal Prettyphoto | 2024-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability was found in rt-prettyphoto Plugin up to 1.2 on WordPress and classified as problematic. Affected by this issue is the function royal_prettyphoto_plugin_links of the file rt-prettyphoto.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.3 is able to address this issue. The patch is identified as 0d3d38cfa487481b66869e4212df1cefc281ecb7. It is recommended to upgrade the affected component. VDB-249422 is the identifier assigned to this vulnerability. | |||||
| CVE-2019-19293 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains a reflected Cross-site Scripting (XSS) vulnerability that could allow an unauthenticated remote attacker to steal sensitive data or execute administrative actions on behalf of a legitimate administrator of the CCS web interface. | |||||
| CVE-2023-46282 | 1 Siemens | 4 Opcenter Quality, Simatic Pcs Neo, Sinumerik Integrate Runmyhmi \/automotive and 1 more | 2024-01-09 | N/A | 6.1 MEDIUM |
| A vulnerability has been identified in Opcenter Quality (All versions), SIMATIC PCS neo (All versions < V4.1), SINUMERIK Integrate RunMyHMI /Automotive (All versions), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 7), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected applications that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. | |||||
| CVE-2019-19294 | 1 Siemens | 2 Sinvr 3 Central Control Server, Sinvr 3 Video Server | 2024-01-09 | 3.5 LOW | 6.3 MEDIUM |
| A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The web interface of the Control Center Server (CCS) contains multiple stored Cross-site Scripting (XSS) vulnerabilities in several input fields. This could allow an authenticated remote attacker to inject malicious JavaScript code into the CCS web application that is later executed in the browser context of any other user who views the relevant CCS web content. | |||||
| CVE-2020-24706 | 1 Wso2 | 6 Api Manager, Api Manager Analytics, Identity Server and 3 more | 2024-01-09 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0. | |||||
| CVE-2022-28133 | 1 Jenkins | 1 Bitbucket Server Integration | 2024-01-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Bitbucket Server Integration Plugin 3.1.0 and earlier does not limit URL schemes for callback URLs on OAuth consumers, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create BitBucket Server consumers. | |||||
| CVE-2022-47928 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 6.1 MEDIUM |
| In MISP before 2.4.167, there is XSS in the template file uploads in app/View/Templates/upload_file.ctp. | |||||
| CVE-2023-28884 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 6.1 MEDIUM |
| In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index. | |||||