Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-48198 | 1 Grocy Project | 1 Grocy | 2023-11-28 | N/A | 5.4 MEDIUM |
| A Cross-Site Scripting (XSS) vulnerability in the 'product description' component within '/api/stock/products' of Grocy version <= 4.0.3 allows attackers to obtain a victim's cookies. | |||||
| CVE-2023-47839 | 1 Implecode | 1 Ecommerce Product Catalog | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode eCommerce Product Catalog Plugin for WordPress plugin <= 3.3.26 versions. | |||||
| CVE-2023-47790 | 1 Popozure | 1 Pz-linkcard | 2023-11-28 | N/A | 6.1 MEDIUM |
| Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in Poporon Pz-LinkCard plugin <= 2.4.8 versions. | |||||
| CVE-2023-47833 | 1 Slimndap | 1 Theater For Wordpress | 2023-11-28 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress plugin <= 0.18.3 versions. | |||||
| CVE-2023-47834 | 1 Quizandsurveymaster | 1 Quiz And Survey Master | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExpressTech Quiz And Survey Master plugin <= 8.1.13 versions. | |||||
| CVE-2023-47821 | 1 Jannisthuemmig | 1 Email Encoder | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jannis Thuemmig Email Encoder plugin <= 2.1.8 versions. | |||||
| CVE-2023-47817 | 1 Mmrs151 | 1 Daily Prayer Time | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mmrs151 Daily Prayer Time plugin <= 2023.10.13 versions. | |||||
| CVE-2023-47829 | 1 Codez | 1 Quick Call Button | 2023-11-28 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codez Quick Call Button plugin <= 1.2.9 versions. | |||||
| CVE-2023-47835 | 1 Ari-soft | 1 Ari Stream Quiz | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder plugin <= 1.2.32 versions. | |||||
| CVE-2023-47816 | 1 Wpcharitable | 1 Charitable | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.13 versions. | |||||
| CVE-2023-47815 | 1 Venutius | 1 Bp Profile Shortcodes Extra | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Venutius BP Profile Shortcodes Extra plugin <= 2.5.2 versions. | |||||
| CVE-2023-47814 | 1 Bmicalculator | 1 Bmi Calculator | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Waterloo Plugins BMI Calculator Plugin plugin <= 1.0.3 versions. | |||||
| CVE-2023-47812 | 1 Bamboo Mcr | 1 Bamboo Columns | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bamboo Mcr Bamboo Columns plugin <= 1.6.1 versions. | |||||
| CVE-2023-47813 | 1 Grandslambert | 1 Better Rss Widget | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in grandslambert Better RSS Widget plugin <= 2.8.1 versions. | |||||
| CVE-2023-47811 | 1 Sureshkumarmukhiya | 1 Anywhere Flash Embed | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Suresh KUMAR Mukhiya Anywhere Flash Embed plugin <= 1.0.5 versions. | |||||
| CVE-2023-47810 | 1 Asdqwedev | 1 Ajax Domain Checker | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asdqwe Dev Ajax Domain Checker plugin <= 1.3.0 versions. | |||||
| CVE-2023-47809 | 1 Themepoints | 1 Accordion | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion plugin <= 2.6 versions. | |||||
| CVE-2023-5469 | 1 Stevenhenty | 1 Drop Shadow Boxes | 2023-11-28 | N/A | 5.4 MEDIUM |
| The Drop Shadow Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dropshadowbox' shortcode in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-47808 | 1 Christinauechi | 1 Add Widgets To Page | 2023-11-28 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christina Uechi Add Widgets to Page plugin <= 1.3.2 versions. | |||||
| CVE-2023-5662 | 1 Wpsimplesponsorships | 1 Sponsors | 2023-11-28 | N/A | 5.4 MEDIUM |
| The Sponsors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sponsors' shortcode in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-49146 | 1 Getgrav | 1 Dom-sanitizer | 2023-11-28 | N/A | 6.1 MEDIUM |
| DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG document because of mishandling of comments and greedy regular expressions. | |||||
| CVE-2023-5664 | 1 Ggnome | 1 Garden Gnome Package | 2023-11-28 | N/A | 5.4 MEDIUM |
| The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ggpkg' shortcode in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 2.2.7 and fully patched in version 2.2.9. | |||||
| CVE-2023-5704 | 1 Wpchill | 1 Cpo Shortcodes | 2023-11-28 | N/A | 5.4 MEDIUM |
| The CPO Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-47768 | 1 Diywebmastery | 1 Footer Putter | 2023-11-28 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson Footer Putter plugin <= 1.17 versions. | |||||
| CVE-2023-5667 | 1 Themepoints | 1 Tab Ultimate | 2023-11-28 | N/A | 5.4 MEDIUM |
| The Tab Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-47767 | 1 Fla-shop | 1 Interactive World Map | 2023-11-28 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fla-shop.Com Interactive World Map plugin <= 3.2.0 versions. | |||||
| CVE-2023-47766 | 1 Ifeelweb | 1 Post Status Notifier Lite | 2023-11-28 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timo Reith Post Status Notifier Lite plugin <= 1.11.0 versions. | |||||
| CVE-2023-3550 | 1 Mediawiki | 1 Mediawiki | 2023-11-28 | N/A | 7.3 HIGH |
| Mediawiki v1.40.0 does not validate namespaces used in XML files. Therefore, if the instance administrator allows XML file uploads, a remote attacker with a low-privileged user account can use this exploit to become an administrator by sending a malicious link to the instance administrator. | |||||
| CVE-2023-46595 | 1 Algosec | 1 Fireflow | 2023-11-28 | N/A | 6.1 MEDIUM |
| Net-NTLM leak via stored HTML injection in FireFlow's VisualFlow workflow editor using the Name and Description fields. It also impacts FireFlow's VisualFlow workflow editor outbound actions using the Name and Category parameters. Fixed in version A32.20 (b570 and above), A32.50 (b400 and above), A32.60 (b220 and above). | |||||
| CVE-2023-5338 | 1 Themeblvd | 1 Theme Blvd Shortcodes | 2023-11-27 | N/A | 5.4 MEDIUM |
| The Theme Blvd Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5128 | 1 Tcd-theme | 1 Tcd Google Maps | 2023-11-27 | N/A | 5.4 MEDIUM |
| The TCD Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'map' shortcode in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5163 | 1 Weather-atlas | 1 Weather Atlas | 2023-11-27 | N/A | 5.4 MEDIUM |
| The Weather Atlas Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shortcode-weather-atlas' shortcode in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5096 | 1 Jonashjalmarsson | 1 Html Filter And Csv-file Search | 2023-11-27 | N/A | 5.4 MEDIUM |
| The HTML filter and csv-file search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'csvsearch' shortcode in versions up to, and including, 2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5048 | 1 Web-dorado | 1 Contact Form Builder | 2023-11-27 | N/A | 5.4 MEDIUM |
| The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Contact_Form_Builder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on 'id' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-4726 | 1 Davidvongries | 1 Ultimate Dashboard | 2023-11-27 | N/A | 4.8 MEDIUM |
| The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2023-5742 | 1 Dwuser | 1 Easyrotator For Wordpress | 2023-11-27 | N/A | 5.4 MEDIUM |
| The EasyRotator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easyrotator' shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5119 | 1 Incsub | 1 Forminator | 2023-11-27 | N/A | 4.8 MEDIUM |
| The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-4808 | 1 Allurewebsolutions | 1 Wp Post Popup | 2023-11-27 | N/A | 4.8 MEDIUM |
| The WP Post Popup WordPress plugin through 3.7.3 does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-5343 | 1 Ays-pro | 1 Popup Box | 2023-11-27 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |||||
| CVE-2023-5609 | 1 S-sols | 1 Seraphinite Accelerator | 2023-11-27 | N/A | 6.1 MEDIUM |
| The Seraphinite Accelerator WordPress plugin before 2.2.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2022-23808 | 1 Phpmyadmin | 1 Phpmyadmin | 2023-11-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker can inject malicious code into aspects of the setup script, which can allow XSS or HTML injection. | |||||
| CVE-2023-39318 | 1 Golang | 1 Go | 2023-11-25 | N/A | 6.1 MEDIUM |
| The html/template package does not properly handle HTML-like "<!--" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This may be leveraged to perform an XSS attack. | |||||
| CVE-2023-39319 | 1 Golang | 1 Go | 2023-11-25 | N/A | 6.1 MEDIUM |
| The html/template package does not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. | |||||
| CVE-2020-11448 | 1 Bell | 2 Home Hub 3000, Home Hub 3000 Firmware | 2023-11-25 | N/A | 6.1 MEDIUM |
| An issue was discovered on Bell HomeHub 3000 SG48222070 devices. There is XSS related to the email field and the login page. | |||||
| CVE-2023-47175 | 1 Luxsoft | 1 Luxcal Web Calendar | 2023-11-25 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in LuxCal Web Calendar prior to 5.2.4M (MySQL version) and LuxCal Web Calendar prior to 5.2.4L (SQLite version) allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the product. | |||||
| CVE-2023-48300 | 1 Epiph | 1 Embed Privacy | 2023-11-25 | N/A | 5.4 MEDIUM |
| The `Embed Privacy` plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via `embed_privacy_opt_out` shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 1.8.1 contains a patch for this issue. | |||||
| CVE-2023-40314 | 1 Opennms | 2 Horizon, Meridian | 2023-11-25 | N/A | 6.1 MEDIUM |
| Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Moshe Apelbaum for reporting this issue. | |||||
| CVE-2023-5599 | 1 Dassault | 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 | 2023-11-25 | N/A | 5.4 MEDIUM |
| A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allows an attacker to execute arbitrary script code. | |||||
| CVE-2023-46935 | 1 Eyoucms | 1 Eyoucms | 2023-11-25 | N/A | 5.4 MEDIUM |
| eyoucms v1.6.4 is vulnerable to Cross Site Scripting (XSS), which can lead to stealing sensitive information of logged-in users. | |||||
| CVE-2023-46213 | 1 Splunk | 2 Cloud, Splunk | 2023-11-24 | N/A | 4.8 MEDIUM |
| In Splunk Enterprise versions below 9.0.7 and 9.1.2, ineffective escaping in the “Show syntax Highlighted” feature can result in the execution of unauthorized code in a user’s web browser. | |||||
