Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-49029 | 1 Smpn1smg | 1 Absis | 2023-12-01 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file. | |||||
| CVE-2023-47437 | 1 Pachno | 1 Pachno | 2023-12-01 | N/A | 5.4 MEDIUM |
| A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting (XSS) attack. The vulnerability exists due to inadequate input validation in the Project Description and comments, which enables an attacker to inject malicious JavaScript. | |||||
| CVE-2023-5209 | 1 Booking-wp-plugin | 1 Bookly | 2023-12-01 | N/A | 4.8 MEDIUM |
| The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-43701 | 1 Apache | 1 Superset | 2023-12-01 | N/A | 5.4 MEDIUM |
| Improper payload validation and an improper REST API response type, made it possible for an authenticated malicious actor to store malicious code into Chart's metadata, this code could get executed if a user specifically accesses a specific deprecated API endpoint. This issue affects Apache Superset versions prior to 2.1.2. Users are recommended to upgrade to version 2.1.2, which fixes this issue. | |||||
| CVE-2023-6164 | 1 Mainwp | 1 Mainwp | 2023-12-01 | N/A | 4.8 MEDIUM |
| The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags. | |||||
| CVE-2012-5053 | 1 Trimble | 7 Infrastructure Gnss Series Receiver Firmware, Infrastructure Gnss Series Receiver Netr3, Infrastructure Gnss Series Receiver Netr5 and 4 more | 2023-12-01 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Receiver Web User Interface on Trimble Infrastructure GNSS Series Receivers NetR3, NetR5, NetR8, and NetR9 before 4.70, and NetRS before 1.3-2, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2023-47380 | 1 Admidio | 1 Admidio | 2023-12-01 | N/A | 6.1 MEDIUM |
| Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2023-47314 | 1 H-mdm | 1 Headwind Mdm | 2023-11-30 | N/A | 5.4 MEDIUM |
| Headwind MDM Web panel 5.22.1 is vulnerable to cross-site scripting (XSS). The file upload function allows APK and arbitrary files to be uploaded. By exploiting this issue, attackers may upload HTML files and share the download URL pointing to these files with the victims. As the file download function returns the file in inline mode, the victim’s browser will immediately render the content of the HTML file as a web page. As a result, the uploaded client-side code will be evaluated and executed in the victim’s browser, allowing attackers to perform common XSS attacks. | |||||
| CVE-2023-6297 | 1 Phpgurukul | 1 Nipah Virus Testing Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in PHPGurukul Nipah Virus Testing Management System 1.0. This affects an unknown part of the file patient-search-report.php of the component Search Report Page. The manipulation of the argument Search By Patient Name with the input <script>alert(document.cookie)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246123. | |||||
| CVE-2023-48042 | 1 Communitydeveloper | 1 Amazzing Filter | 2023-11-30 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing filter version up to version 3.2.5, allows remote attackers to inject arbitrary JavaScript code. | |||||
| CVE-2023-6359 | 1 Grupoalumne | 1 Alumne Lms | 2023-11-30 | N/A | 6.1 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page. | |||||
| CVE-2023-5560 | 1 Lesterchan | 1 Wp-useronline | 2023-11-30 | N/A | 6.1 MEDIUM |
| The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks. | |||||
| CVE-2023-5325 | 1 Levantoan | 1 Woocommerce Vietnam Checkout | 2023-11-30 | N/A | 6.1 MEDIUM |
| The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field on the checkout form, leading to XSS. | |||||
| CVE-2023-6303 | 1 Cskaza | 1 Cszcms | 2023-11-30 | N/A | 4.8 MEDIUM |
| A vulnerability was found in CSZCMS 1.3.0. It has been classified as problematic. This affects an unknown part of the file /admin/settings/ of the component Site Settings Page. The manipulation of the argument Additional Meta Tag with the input <svg><animate onbegin=alert(1) attributeName=x dur=1s> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246129 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-6313 | 1 Url Shortener Project | 1 Url Shortener | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester URL Shortener 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Long URL Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246139. | |||||
| CVE-2022-25189 | 1 Jenkins | 1 Custom Checkbox Parameter | 2023-11-30 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not escape parameter names of custom checkbox parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2023-25835 | 1 Esri | 1 Portal For Arcgis | 2023-11-30 | N/A | 4.8 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the site configuration which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. | |||||
| CVE-2023-25837 | 1 Esri | 1 Portal For Arcgis | 2023-11-30 | N/A | 4.8 MEDIUM |
| There is a Cross-site Scripting vulnerability in Esri ArcGIS Enterprise Sites versions 10.8.1 – 10.9 that may allow a remote, authenticated attacker to create a crafted link which when clicked by a victim could potentially execute arbitrary JavaScript code in the target's browser. The privileges required to execute this attack are high. | |||||
| CVE-2023-38883 | 1 Os4ed | 1 Opensis | 2023-11-30 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'ajax' parameter in 'ParentLookup.php'. | |||||
| CVE-2023-38882 | 1 Os4ed | 1 Opensis | 2023-11-30 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'include' parameter in 'ForExport.php' | |||||
| CVE-2023-38881 | 1 Os4ed | 1 Opensis | 2023-11-30 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in the Community Edition version 9.0 of OS4ED's openSIS Classic allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into any of the 'calendar_id', 'school_date', 'month' or 'year' parameters in 'CalendarModal.php'. | |||||
| CVE-2023-6011 | 1 Dece | 1 Geodi | 2023-11-30 | N/A | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DECE Software Geodi allows Stored XSS. This issue affects Geodi: before 8.0.0.27396. | |||||
| CVE-2020-35438 | 1 Kamalkhan | 1 Kk Star Ratings | 2023-11-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the kk Star Ratings plugin before 4.1.5. | |||||
| CVE-2022-46843 | 1 Levantoan | 1 Woocommerce Vietnam Checkout | 2023-11-30 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Le Van Toan Woocommerce Vietnam Checkout plugin <= 2.0.4 versions. | |||||
| CVE-2023-5942 | 1 Drelton | 1 Medialist | 2023-11-30 | N/A | 5.4 MEDIUM |
| The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-6300 | 1 Mayurik | 1 Best Courier Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Best Courier Management System 1.0. Affected is an unknown function. The manipulation of the argument page with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246126 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-6301 | 1 Mayurik | 1 Best Courier Management System | 2023-11-30 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in SourceCodester Best Courier Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file parcel_list.php of the component GET Parameter Handler. The manipulation of the argument id with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246127. | |||||
| CVE-2023-4514 | 1 Mediamanifesto | 1 Mmm Simple File List | 2023-11-30 | N/A | 5.4 MEDIUM |
| The Mmm Simple File List WordPress plugin through 2.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-49215 | 1 Usedesk | 1 Usedesk | 2023-11-30 | N/A | 6.1 MEDIUM |
| Usedesk before 1.7.57 allows filter reflected XSS. | |||||
| CVE-2023-49216 | 1 Usedesk | 1 Usedesk | 2023-11-30 | N/A | 5.4 MEDIUM |
| Usedesk before 1.7.57 allows profile stored XSS. | |||||
| CVE-2023-47773 | 1 Yasglobal | 1 Permalinks Customizer | 2023-11-30 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YAS Global Team Permalinks Customizer plugin <= 2.8.2 versions. | |||||
| CVE-2023-47786 | 1 Layerslider | 1 Layerslider | 2023-11-30 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LayerSlider plugin <= 7.7.9 versions. | |||||
| CVE-2023-4406 | 1 Kc Group E-commerce Software Project | 1 Kc Group E-commerce Software | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KC Group E-Commerce Software allows Reflected XSS. This issue affects E-Commerce Software: through 20231123. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-4594 | 2 Microsoft, Seattlelab | 2 Windows, Slmail | 2023-11-29 | N/A | 5.4 MEDIUM |
| Stored XSS vulnerability. This vulnerability could allow an attacker to store a malicious JavaScript payload via GET and POST methods on multiple parameters in the MailAdmin_dll.htm file. | |||||
| CVE-2023-41789 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allows an attacker to perform cookie hijacking and log in as that user without the need for credentials. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-41791 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed users with low privileges to introduce Javascript executables via a translation string that could affect the integrity of some configuration files. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-41810 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in some Widgets' text box. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-41811 | 1 Artica | 1 Pandora Fms | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). This vulnerability allowed Javascript code to be executed in the news section of the web console. This issue affects Pandora FMS: from 700 through 773. | |||||
| CVE-2023-5715 | 1 Plerdy | 1 Heatmap | 2023-11-29 | N/A | 4.8 MEDIUM |
| The Website Optimization – Plerdy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tracking code settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2023-48124 | 1 Nayemhowlader | 1 Sup Online Shopping | 2023-11-29 | N/A | 5.4 MEDIUM |
| Cross Site Scripting in SUP Online Shopping v.1.0 allows a remote attacker to execute arbitrary code via the Name, Email and Address parameters in the Register New Account component. | |||||
| CVE-2023-5598 | 1 Dassault | 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 | 2023-11-29 | N/A | 5.4 MEDIUM |
| Stored Cross-site Scripting (XSS) vulnerabilities affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allow an attacker to execute arbitrary script code. | |||||
| CVE-2023-20265 | 1 Cisco | 8 Ip Dect 110, Ip Dect 110 Firmware, Ip Dect 210 and 5 more | 2023-11-29 | N/A | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of a small subset of Cisco IP Phones could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by persuading a user of an affected interface to view a page containing malicious HTML or script content. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid credentials to access the web-based management interface of the affected device. | |||||
| CVE-2023-20208 | 1 Cisco | 1 Identity Services Engine | 2023-11-29 | N/A | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the web-based management interface of an affected device. | |||||
| CVE-2023-47759 | 1 Premio | 1 Chaty | 2023-11-29 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty plugin <= 3.1.2 versions. | |||||
| CVE-2023-30496 | 1 Mage-people | 1 Bus Ticket Booking With Seat Reservation | 2023-11-29 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MagePeople Team WpBusTicketly plugin <= 5.2.5 versions. | |||||
| CVE-2023-48705 | 1 Networktocode | 1 Nautobot | 2023-11-29 | N/A | 5.4 MEDIUM |
| Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. All users of Nautobot versions earlier than 1.6.6 or 2.0.5 are potentially affected by a cross-site scripting vulnerability. Due to incorrect usage of Django's `mark_safe()` API when rendering certain types of user-authored content, including custom links, job buttons, and computed fields, it is possible that users with permission to create or edit these types of content could craft a malicious payload (such as JavaScript code) that would be executed when rendering pages containing this content. The maintainers have fixed the incorrect uses of `mark_safe()` (generally by replacing them with appropriate use of `format_html()` instead) to prevent such malicious data from being executed. Users on Nautobot 1.6.x LTM should upgrade to v1.6.6 and users on Nautobot 2.0.x should upgrade to v2.0.5. Appropriate object permissions can and should be applied to restrict which users are permitted to create or edit the aforementioned types of user-authored content. Other than that, there is no direct workaround available. | |||||
| CVE-2023-5234 | 1 Peachpay | 1 Related Products For Woocommerce | 2023-11-29 | N/A | 5.4 MEDIUM |
| The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-47417 | 1 Paulrouget | 1 Dzslides | 2023-11-28 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in the component /shells/embedder.html of DZSlides after v2011.07.25 allows attackers to execute arbitrary code via a crafted payload. | |||||
| CVE-2023-46470 | 1 Spaceapplications | 1 Yacms | 2023-11-28 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via crafted telecommand in the timeline view of the ArchiveBrowser. | |||||
| CVE-2023-46471 | 1 Spaceapplications | 1 Yacms | 2023-11-28 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via the text variable scriptContainer of the ScriptViewer. | |||||
