Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-46734 | 1 Sensiolabs | 2 Symfony, Twig | 2023-11-24 | N/A | 6.1 MEDIUM |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. | |||||
| CVE-2023-4799 | 1 Wpembedfb | 1 Magic Embeds | 2023-11-24 | N/A | 5.4 MEDIUM |
| The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2023-4970 | 1 Pubydoc | 1 Pubydoc | 2023-11-24 | N/A | 4.8 MEDIUM |
| The PubyDoc WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2023-5140 | 1 Computy | 1 Bonus For Woo | 2023-11-24 | N/A | 6.1 MEDIUM |
| The Bonus for Woo WordPress plugin before 5.8.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2021-27578 | 1 Apache | 1 Zeppelin | 2023-11-24 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0. | |||||
| CVE-2023-47797 | 1 Liferay | 1 Liferay Portal | 2023-11-23 | N/A | 6.1 MEDIUM |
| Reflected cross-site scripting (XSS) vulnerability on a content page’s edit page in Liferay Portal 7.4.3.94 through 7.4.3.95 allows remote attackers to inject arbitrary web script or HTML via the `p_l_back_url_title` parameter. | |||||
| CVE-2023-40813 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation. | |||||
| CVE-2023-40814 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field. | |||||
| CVE-2023-40815 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field. | |||||
| CVE-2023-40812 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field. | |||||
| CVE-2023-40816 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field. | |||||
| CVE-2023-40817 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field. | |||||
| CVE-2023-40810 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field. | |||||
| CVE-2023-40809 | 1 Opencrx | 1 Opencrx | 2023-11-22 | N/A | 6.1 MEDIUM |
| OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number. | |||||
| CVE-2022-27200 | 1 Jenkins | 1 Folder-based Authorization Strategy | 2023-11-22 | 3.5 LOW | 4.8 MEDIUM |
| Jenkins Folder-based Authorization Strategy Plugin 1.3 and earlier does not escape the names of roles shown on the configuration form, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Overall/Administer permission. | |||||
| CVE-2022-20615 | 2 Jenkins, Oracle | 2 Matrix Project, Communications Cloud Native Core Automated Test Suite | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Matrix Project Plugin 1.19 and earlier does not escape HTML metacharacters in node and label names, and label descriptions, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission. | |||||
| CVE-2022-27202 | 1 Jenkins | 1 Extended Choice Parameter | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier does not escape the value and description of extended choice parameters of radio buttons or check boxes type, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2021-21700 | 1 Jenkins | 1 Scriptler | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Scriptler Plugin 3.3 and earlier does not escape the name of scripts on the UI when asking to confirm their deletion, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by exploitable by attackers able to create Scriptler scripts. | |||||
| CVE-2021-21699 | 1 Jenkins | 1 Active Choices | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Active Choices Plugin 2.5.6 and earlier does not escape the parameter name of reactive parameters and dynamic reference parameters, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission. | |||||
| CVE-2022-27197 | 1 Jenkins | 1 Dashboard View | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Dashboard View Plugin 2.18 and earlier does not perform URL validation for the Iframe Portlet's Iframe source URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure views. | |||||
| CVE-2022-27196 | 1 Jenkins | 1 Favorite | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Favorite Plugin 2.4.0 and earlier does not escape the names of jobs in the favorite column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure or Item/Create permissions. | |||||
| CVE-2023-47514 | 1 Star-emea | 1 Star Cloudprnt For Woocommerce | 2023-11-22 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in lawrenceowen, gcubero, acunnningham, fmahmood Star CloudPRNT for WooCommerce plugin <= 2.0.3 versions. | |||||
| CVE-2023-46964 | 1 Hillstonenet | 2 Sc-6000-e3960, Sc-6000-e3960 Firmware | 2023-11-22 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Hillstone Next Generation FireWall SG-6000-e3960 v.5.5 allows a remote attacker to execute arbitrary code via the use front-end filtering instead of back-end filtering. | |||||
| CVE-2023-4602 | 1 Kibokolabs | 1 Namaste\! Lms | 2023-11-22 | N/A | 6.1 MEDIUM |
| The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'course_id' parameter in versions up to, and including, 2.6.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2021-4046 | 1 Tcman | 1 Gim | 2023-11-22 | 3.5 LOW | 5.4 MEDIUM |
| The m_txtNom y m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data. | |||||
| CVE-2021-4035 | 1 Wocu-monitoring | 1 Wocu Monitoring | 2023-11-22 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross site scripting have been identified at the comments in the report creation due to an obsolote version of tinymce editor. In order to exploit this vulnerability, the attackers needs an account with enough privileges to view and edit reports. | |||||
| CVE-2022-45380 | 1 Jenkins | 1 Junit | 2023-11-22 | N/A | 5.4 MEDIUM |
| Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) URLs in test report output to clickable links in an unsafe manner, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | |||||
| CVE-2022-45382 | 1 Jenkins | 1 Naginator | 2023-11-22 | N/A | 5.4 MEDIUM |
| Jenkins Naginator Plugin 1.18.1 and earlier does not escape display names of source builds in builds that were triggered via Retry action, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to edit build display names. | |||||
| CVE-2023-48649 | 1 Concretecms | 1 Concrete Cms | 2023-11-22 | N/A | 5.4 MEDIUM |
| Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. | |||||
| CVE-2021-31852 | 1 Mcafee | 1 Policy Auditor | 2023-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Reflected Cross-Site Scripting vulnerability in McAfee Policy Auditor prior to 6.5.2 allows a remote unauthenticated attacker to inject arbitrary web script or HTML via the UID request parameter. The malicious script is reflected unmodified into the Policy Auditor web-based interface which could lead to the extract of end user session token or login credentials. These may be used to access additional security-critical applications or conduct arbitrary cross-domain requests. | |||||
| CVE-2023-4889 | 1 Shareaholic | 1 Shareaholic | 2023-11-21 | N/A | 5.4 MEDIUM |
| The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shareaholic' shortcode in versions up to, and including, 9.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-26222 | 1 Tibco | 1 Ebx | 2023-11-21 | N/A | 5.4 MEDIUM |
| The Web Application component of TIBCO Software Inc.'s TIBCO EBX and TIBCO Product and Service Catalog powered by TIBCO EBX contains an easily exploitable vulnerability that allows a low privileged attacker with network access to execute a stored XSS on the affected system. Affected releases are TIBCO Software Inc.'s TIBCO EBX: versions 5.9.22 and below, versions 6.0.13 and below and TIBCO Product and Service Catalog powered by TIBCO EBX: versions 5.0.0 and below. | |||||
| CVE-2023-47309 | 1 Nukium | 1 Gls | 2023-11-21 | N/A | 5.4 MEDIUM |
| Nukium nkmgls before version 3.0.2 is vulnerable to Cross Site Scripting (XSS) via NkmGlsCheckoutModuleFrontController::displayAjaxSavePhoneMobile. | |||||
| CVE-2023-5381 | 1 Webtechstreet | 1 Elementor Addon Elements | 2023-11-21 | N/A | 4.8 MEDIUM |
| The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.12.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2023-48088 | 1 Xuxueli | 1 Xxl-job | 2023-11-21 | N/A | 5.4 MEDIUM |
| xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /xxl-job-admin/joblog/logDetailPage. | |||||
| CVE-2023-48200 | 1 Grocy Project | 1 Grocy | 2023-11-21 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the equipment description component within /equipment/ component. | |||||
| CVE-2023-48197 | 1 Grocy Project | 1 Grocy | 2023-11-21 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Grocy v.4.0.3 allows a local attacker to execute arbitrary code and obtain sensitive information via the QR code function in the manageapikeys component. | |||||
| CVE-2023-47517 | 1 Pressified | 1 Sendpress | 2023-11-21 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in SendPress Newsletters plugin <= 1.23.11.6 versions. | |||||
| CVE-2023-47532 | 1 Themeum | 1 Wp Crowdfunding | 2023-11-20 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themeum WP Crowdfunding plugin <= 2.1.6 versions. | |||||
| CVE-2023-36410 | 1 Microsoft | 1 Dynamics 365 | 2023-11-20 | N/A | 5.4 MEDIUM |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
| CVE-2023-36016 | 1 Microsoft | 1 Dynamics 365 | 2023-11-20 | N/A | 3.4 LOW |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
| CVE-2023-36031 | 1 Microsoft | 1 Dynamics 365 | 2023-11-20 | N/A | 5.4 MEDIUM |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
| CVE-2023-47446 | 1 Phpgurukul | 1 Pre-school Enrollment System | 2023-11-20 | N/A | 5.4 MEDIUM |
| Pre-School Enrollment version 1.0 is vulnerable to Cross Site Scripting (XSS) on the profile.php page via fullname parameter. | |||||
| CVE-2023-41597 | 1 Eyoucms | 1 Eyoucms | 2023-11-20 | N/A | 6.1 MEDIUM |
| EyouCms v1.6.2 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /admin/twitter.php?active_t. | |||||
| CVE-2023-46099 | 1 Siemens | 1 Simatic Pcs Neo | 2023-11-20 | N/A | 4.8 MEDIUM |
| A vulnerability has been identified in SIMATIC PCS neo (All versions < V4.1). There is a stored cross-site scripting vulnerability in the Administration Console of the affected product, that could allow an attacker with high privileges to inject Javascript code into the application that is later executed by another legitimate user. | |||||
| CVE-2021-3834 | 1 Artica | 1 Integria Ims | 2023-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Integria IMS in its 5.0.92 version does not filter correctly some fields related to the login.php file. An attacker could exploit this vulnerability in order to perform a cross-site scripting attack (XSS). | |||||
| CVE-2023-47659 | 1 Lava-code | 1 Lava Directory Manager | 2023-11-20 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Lavacode Lava Directory Manager plugin <= 1.1.34 versions. | |||||
| CVE-2023-5669 | 1 Christiaanconover | 1 Featured Image Caption | 2023-11-20 | N/A | 5.4 MEDIUM |
| The Featured Image Caption plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and post meta in all versions up to, and including, 0.8.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2015-10095 | 1 Woo-popup Project | 1 Woo-popup | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2 on WordPress. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The patch is named 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327. | |||||
| CVE-2014-125089 | 1 Cention-chatserver Project | 1 Cention-chatserver | 2023-11-18 | N/A | 6.1 MEDIUM |
| A vulnerability was found in cention-chatserver 3.8.0-rc1. It has been declared as problematic. Affected by this vulnerability is the function _formatBody of the file lib/InternalChatProtocol.fe. The manipulation of the argument body leads to cross site scripting. The attack can be launched remotely. Upgrading to version 3.9 is able to address this issue. The identifier of the patch is c4c0258bbd18f6915f97f91d5fee625384096a26. It is recommended to upgrade the affected component. The identifier VDB-221497 was assigned to this vulnerability. | |||||