Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-33075 | 1 Phpgurukul | 1 Zoo Management System | 2023-11-14 | 3.5 LOW | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability in the Add Classification function of Zoo Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via unspecified vectors. | |||||
| CVE-2022-31897 | 1 Phpgurukul | 1 Zoo Management System | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| SourceCodester Zoo Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via public_html/register_visitor?msg=. | |||||
| CVE-2022-29005 | 1 Phpgurukul | 1 Online Birth Certificate System | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in the component /obcs/user/profile.php of Online Birth Certificate System v1.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the fname or lname parameters. | |||||
| CVE-2023-46483 | 1 Timeteccloud | 1 Auto Web-based Database Management System | 2023-11-14 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in timetec AWDMS v.2.0 allows an attacker to obtain sensitive information via a crafted payload to the remark parameter of the New Zone function. | |||||
| CVE-2023-5659 | 1 Tryinteract | 1 Interact | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Interact: Embed A Quiz On Your Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interact-quiz' shortcode in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5660 | 1 Pressified | 1 Sendpress | 2023-11-14 | N/A | 5.4 MEDIUM |
| The SendPress Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.22.3.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5661 | 1 Web-settler | 1 Social Feed | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Social Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialfeed' shortcode in all versions up to, and including, 1.5.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5703 | 1 Giftup | 1 Gift Up Gift Cards For Wordpress And Woocommerce | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Gift Up Gift Cards for WordPress and WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'giftup' shortcode in all versions up to, and including, 2.20.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-46732 | 1 Xwiki | 1 Xwiki | 2023-11-14 | N/A | 6.1 MEDIUM |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14. The patch in commit `04e325d57` can be manually applied without upgrading (or restarting) the instance. Users are advised to upgrade or to manually apply the patch. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-48192 | 1 Softing | 1 Smartlink Sw-ht | 2023-11-14 | N/A | 6.1 MEDIUM |
| Cross-site Scripting vulnerability in Softing smartLink SW-HT before 1.30, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application. | |||||
| CVE-2020-2494 | 1 Qnap | 3 Music Station, Qts, Quts Hero | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| This cross-site scripting vulnerability in Music Station allows remote attackers to inject malicious code. QNAP have already fixed this vulnerability in the following versions of Music Station: QuTS hero h4.5.1: Music Station 5.3.13 and later; QTS 4.5.1: Music Station 5.3.12 and later; QTS 4.4.3: Music Station 5.3.12 and later. | |||||
| CVE-2021-44053 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability has been reported to affect QNAP devices running QTS, QuTS hero and QuTScloud. If exploited, this vulnerability allows remote attackers to inject malicious code. We have already fixed this vulnerability in the following versions of QTS, QuTS hero and QuTScloud: QTS 4.5.4.1991 build 20220329 and later; QTS 5.0.0.1986 build 20220324 and later; QuTS hero h5.0.0.1986 build 20220324 and later; QuTS hero h4.5.4.1971 build 20220310 and later; QuTScloud c5.0.1.1949 and later. | |||||
| CVE-2020-2498 | 1 Qnap | 2 Qts, Quts Hero | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| If exploited, this cross-site scripting vulnerability could allow remote attackers to inject malicious code in certificate configuration. QNAP have already fixed these vulnerabilities in the following versions of QTS and QuTS hero: QuTS hero h4.5.1.1472 build 20201031 and later; QTS 4.5.1.1456 build 20201015 and later; QTS 4.4.3.1354 build 20200702 and later; QTS 4.3.6.1333 build 20200608 and later; QTS 4.3.4.1368 build 20200703 and later; QTS 4.3.3.1315 build 20200611 and later; QTS 4.2.6 build 20200611 and later. | |||||
| CVE-2023-4842 | 1 Warfareplugins | 1 Social Warfare | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Social Sharing Plugin - Social Warfare plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'social_warfare' shortcode in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-4888 | 1 Illia | 1 Simple Like Page | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Simple Like Page Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sfp-page-plugin' shortcode in versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5567 | 1 Spreendigital | 1 Qr Code Tag | 2023-11-14 | N/A | 5.4 MEDIUM |
| The QR Code Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'qrcodetag' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5577 | 1 Bitly | 1 Wp-bitly | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Bitly's plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpbitly' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5771 | 1 Proofpoint | 1 Enterprise Protection | 2023-11-14 | N/A | 6.1 MEDIUM |
| Proofpoint Enterprise Protection contains a stored XSS vulnerability in the AdminUI. An unauthenticated attacker can send a specially crafted email with HTML in the subject which triggers XSS when viewing quarantined messages. This issue affects Proofpoint Enterprise Protection: from 8.20.0 before patch 4796, from 8.18.6 before patch 4795 and all other prior versions. | |||||
| CVE-2023-45556 | 1 Mybb | 1 Mybb | 2023-11-14 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component. | |||||
| CVE-2023-47260 | 1 Redmine | 1 Redmine | 2023-11-14 | N/A | 6.1 MEDIUM |
| Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails. | |||||
| CVE-2023-47259 | 1 Redmine | 1 Redmine | 2023-11-14 | N/A | 6.1 MEDIUM |
| Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile formatter. | |||||
| CVE-2023-47258 | 1 Redmine | 1 Redmine | 2023-11-14 | N/A | 6.1 MEDIUM |
| Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown formatter. | |||||
| CVE-2023-5507 | 1 Imagemapper Project | 1 Imagemapper | 2023-11-14 | N/A | 5.4 MEDIUM |
| The ImageMapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'imagemap' shortcode in versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5658 | 1 Chandnipatel | 1 Wp Mapit | 2023-11-14 | N/A | 5.4 MEDIUM |
| The WP MapIt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_mapit' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-5743 | 1 Gravitydesign | 1 Telephone Number Linker | 2023-11-14 | N/A | 5.4 MEDIUM |
| The Telephone Number Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'telnumlink' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2022-1094 | 1 Anmari | 1 Amr Users | 2023-11-14 | 3.5 LOW | 4.8 MEDIUM |
| The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2023-5950 | 1 Rapid7 | 1 Velociraptor | 2023-11-14 | N/A | 6.1 MEDIUM |
| Rapid7 Velociraptor versions prior to 0.7.0-4 suffer from a reflected cross site scripting vulnerability. This vulnerability allows attackers to inject JS into the error path, potentially leading to unauthorized execution of scripts within a user's web browser. This vulnerability is fixed in version 0.7.0-04 and a patch is available to download. Patches are also available for version 0.6.9 (0.6.9-1). | |||||
| CVE-2023-45869 | 1 Ilias | 1 Ilias | 2023-11-14 | N/A | 9.0 CRITICAL |
| ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php). This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality, and availability of the ILIAS installation and the underlying operating system. | |||||
| CVE-2021-33469 | 1 Phpgurukul | 1 Covid19 Testing Management System | 2023-11-14 | 3.5 LOW | 4.8 MEDIUM |
| COVID19 Testing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the "Admin name" parameter. | |||||
| CVE-2023-46251 | 1 Mybb | 1 Mybb | 2023-11-14 | N/A | 6.1 MEDIUM |
| MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_): - _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by disabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_. | |||||
| CVE-2021-37805 | 1 Phpgurukul | 1 Vehicle Parking Management System | 2023-11-14 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross Site Scripting (XSS) vulnerability exists in SourceCodester Vehicle Parking Management System, affected version 1.0, via the add-vehicle.php endpoint. | |||||
| CVE-2021-27822 | 1 Phpgurukul | 1 Vehicle Parking Management System | 2023-11-14 | 3.5 LOW | 4.8 MEDIUM |
| A persistent cross site scripting (XSS) vulnerability in the Add Categories module of Vehicle Parking Management System 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Category field. | |||||
| CVE-2023-46824 | 1 Omaksolutions | 1 Slick Popup | 2023-11-14 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Om Ak Solutions Slick Popup: Contact Form 7 Popup Plugin plugin <= 1.7.14 versions. | |||||
| CVE-2023-47177 | 1 Pojo | 1 Linker | 2023-11-14 | N/A | 5.4 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Yakir Sitbon, Ariel Klikstein Linker plugin <= 1.2.1 versions. | |||||
| CVE-2023-46822 | 1 Visser | 1 Store Exporter For Woocommerce | 2023-11-14 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Visser Labs Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More plugin <= 2.7.2 versions. | |||||
| CVE-2023-47185 | 1 Gvectors | 1 Wpdiscuz | 2023-11-14 | N/A | 6.1 MEDIUM |
| Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11 versions. | |||||
| CVE-2023-47184 | 1 Properfraction | 1 Admin Bar & Dashboard Access Control | 2023-11-14 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Proper Fraction LLC. Admin Bar & Dashboard Access Control plugin <= 1.2.8 versions. | |||||
| CVE-2023-41575 | 1 Phpgurukul | 1 Blood Bank & Donor Management System | 2023-11-14 | N/A | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in /bbdms/sign-up.php of Blood Bank & Donor Management v2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Full Name, Message, or Address parameters. | |||||
| CVE-2020-25270 | 1 Phpgurukul | 1 Hostel Management System | 2023-11-14 | 3.5 LOW | 5.4 MEDIUM |
| PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, Guardian Relation, Guardian Contact no, Address, or City. | |||||
| CVE-2021-43137 | 1 Phpgurukul | 1 Hostel Management System | 2023-11-14 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities exist in hostel management system 2.1 via the name field in my-profile.php. Chaining these two vulnerabilities leads to account takeover. | |||||
| CVE-2023-34652 | 1 Phpgurukul | 1 Hostel Management System | 2023-11-14 | N/A | 6.1 MEDIUM |
| PHPGurukul Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS) via Add New Course. | |||||
| CVE-2023-34647 | 1 Phpgurukul | 1 Hostel Management System | 2023-11-14 | N/A | 6.1 MEDIUM |
| PHPGurukul Hostel Management System v.1.0 is vulnerable to Cross Site Scripting (XSS). | |||||
| CVE-2022-42205 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | N/A | 5.4 MEDIUM |
| PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via add-patient.php. | |||||
| CVE-2021-39411 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple Cross Site Scripting (XSS) vulnerabilities exist in PHPGurukul Hospital Management System 4.0 via the (1) searchdata parameter in (a) doctor/search.php and (b) admin/patient-search.php, and the (2) fromdate and (3) todate parameters in admin/betweendates-detailsreports.php. | |||||
| CVE-2022-42206 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | N/A | 5.4 MEDIUM |
| PHPGurukul Hospital Management System In PHP V 4.0 is vulnerable to Cross Site Scripting (XSS) via doctor/view-patient.php, admin/view-patient.php, and view-medhistory.php. | |||||
| CVE-2021-35388 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | N/A | 5.4 MEDIUM |
| Hospital Management System v 4.0 is vulnerable to Cross Site Scripting (XSS) via /hospital/hms/admin/patient-search.php. | |||||
| CVE-2020-5193 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple reflected XSS vulnerabilities via the searchdata or Doctorspecialization parameter. | |||||
| CVE-2020-22167 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | 3.5 LOW | 5.4 MEDIUM |
| PHPGurukul Hospital Management System in PHP v4.0 has a Persistent Cross-Site Scripting vulnerability in \hms\admin\appointment-history.php. Remote registered users can exploit the vulnerability to obtain user cookie data. | |||||
| CVE-2020-5191 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| PHPGurukul Hospital Management System in PHP v4.0 suffers from multiple Persistent XSS vulnerabilities. | |||||
| CVE-2020-25271 | 1 Phpgurukul | 1 Hospital Management System | 2023-11-14 | 3.5 LOW | 5.4 MEDIUM |
| PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/patient-search.php, doctor/search.php, book-appointment.php, doctor/appointment-history.php, or admin/appointment-history.php. | |||||
