Search
Total
20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37307 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 5.4 MEDIUM |
| In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts. | |||||
| CVE-2022-34795 | 1 Jenkins | 1 Deployment Dashboard | 2024-01-09 | 3.5 LOW | 5.4 MEDIUM |
| Jenkins Deployment Dashboard Plugin 1.0.10 and earlier does not escape environment names on its Deployment Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission. | |||||
| CVE-2023-24070 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-01-09 | N/A | 6.1 MEDIUM |
| app/View/AuthKeys/authkey_display.ctp in MISP through 2.4.167 has an XSS in authkey add via a Referer field. | |||||
| CVE-2023-22932 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-01-09 | N/A | 6.1 MEDIUM |
| In Splunk Enterprise 9.0 versions before 9.0.4, a View allows for Cross-Site Scripting (XSS) through the error message in a Base64-encoded image. The vulnerability affects instances with Splunk Web enabled. It does not affect Splunk Enterprise versions below 9.0. | |||||
| CVE-2023-28471 | 1 Concretecms | 1 Concrete Cms | 2024-01-09 | N/A | 5.4 MEDIUM |
| Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. | |||||
| CVE-2023-28476 | 1 Concretecms | 1 Concrete Cms | 2024-01-09 | N/A | 5.4 MEDIUM |
| Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. | |||||
| CVE-2023-28474 | 1 Concretecms | 1 Concrete Cms | 2024-01-09 | N/A | 5.4 MEDIUM |
| Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search. | |||||
| CVE-2022-29923 | 1 Thingsforrestaurants | 1 Quick Restaurant Reservations | 2024-01-08 | N/A | 4.8 MEDIUM |
| Cross-site Scripting (XSS) vulnerability in ThingsForRestaurants Quick Restaurant Reservations (WordPress plugin) allows Reflected XSS.This issue affects Quick Restaurant Reservations (WordPress plugin): from n/a through 1.4.1. | |||||
| CVE-2023-47488 | 1 Combodo | 1 Itop | 2024-01-08 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Combodo iTop v.3.1.0-2-11973 allows a local attacker to obtain sensitive information via a crafted script to the attrib_manager_id parameter in the General Information page and the id parameter in the contact page. | |||||
| CVE-2024-21908 | 1 Tiny | 1 Tinymce | 2024-01-08 | N/A | 6.1 MEDIUM |
| TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | |||||
| CVE-2024-21911 | 1 Tiny | 1 Tinymce | 2024-01-08 | N/A | 6.1 MEDIUM |
| TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser. | |||||
| CVE-2024-21910 | 1 Tiny | 1 Tinymce | 2024-01-08 | N/A | 6.1 MEDIUM |
| TinyMCE versions before 5.10.0 are affected by a cross-site scripting vulnerability. A remote and unauthenticated attacker could introduce crafted image or link URLs that would result in the execution of arbitrary JavaScript in an editing user's browser. | |||||
| CVE-2023-51652 | 1 Spassarop | 1 Owasp Antisamy .net | 2024-01-08 | N/A | 6.1 MEDIUM |
| OWASP AntiSamy .NET is a library for performing cleansing of HTML coming from untrusted sources. Prior to version 1.2.0, there is a potential for a mutation cross-site scripting (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This is patched in OWASP AntiSamy .NET 1.2.0 and later. See important remediation details in the reference given below. As a workaround, manually edit the AntiSamy policy file (e.g., antisamy.xml) by deleting the `preserveComments` directive or setting its value to `false`, if present. Also it would be useful to make AntiSamy remove the `noscript` tag by adding a line described in the GitHub Security Advisory to the tag definitions under the `<tagrules>` node, or deleting it entirely if present. As the previously mentioned policy settings are preconditions for the mXSS attack to work, changing them as recommended should be sufficient to protect you against this vulnerability when using a vulnerable version of this library. However, the existing bug would still be present in AntiSamy or its parser dependency (HtmlAgilityPack). The safety of this workaround relies on configurations that may change in the future and don't address the root cause of the vulnerability. As such, it is strongly recommended to upgrade to a fixed version of AntiSamy. | |||||
| CVE-2023-6485 | 1 Bplugins | 1 Html5 Video Player | 2024-01-08 | N/A | 5.4 MEDIUM |
| The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which combined with missing capability checks around the plugin could allow any authenticated users, such as low as subscribers to perform Stored Cross-Site Scripting attacks against high privilege users like admins | |||||
| CVE-2024-21627 | 1 Prestashop | 1 Prestashop | 2024-01-08 | N/A | 6.1 MEDIUM |
| PrestaShop is an open-source e-commerce platform. Prior to versions 8.1.3 and 1.7.8.11, some event attributes are not detected by the `isCleanHTML` method. Some modules using the `isCleanHTML` method could be vulnerable to cross-site scripting. Versions 8.1.3 and 1.7.8.11 contain a patch for this issue. The best workaround is to use the `HTMLPurifier` library to sanitize html input coming from users. The library is already available as a dependency in the PrestaShop project. Beware though that in legacy object models, fields of `HTML` type will call `isCleanHTML`. | |||||
| CVE-2024-21628 | 1 Prestashop | 1 Prestashop | 2024-01-08 | N/A | 6.1 MEDIUM |
| PrestaShop is an open-source e-commerce platform. Prior to version 8.1.3, the isCleanHtml method is not used on this this form, which makes it possible to store a cross-site scripting payload in the database. The impact is low because the HTML is not interpreted in BO, thanks to twig's escape mechanism. In FO, the cross-site scripting attack is effective, but only impacts the customer sending it, or the customer session from which it was sent. This issue affects those who have a module fetching these messages from the DB and displaying it without escaping HTML. Version 8.1.3 contains a patch for this issue. | |||||
| CVE-2024-21732 | 1 Flycms Project | 1 Flycms | 2024-01-08 | N/A | 6.1 MEDIUM |
| FlyCms through abbaa5a allows XSS via the permission management feature. | |||||
| CVE-2024-0181 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 4.8 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/admin_user.php of the component Admin Panel. The manipulation of the argument Firstname/Lastname/Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249433 was assigned to this vulnerability. | |||||
| CVE-2024-0184 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 4.8 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/edit_teacher.php of the component Add Enginer. The manipulation of the argument Firstname/Lastname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249442 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0283 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file party_details.php. The manipulation of the argument party_name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249838 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0282 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been classified as problematic. This affects an unknown part of the file addmaterialsubmit.php. The manipulation of the argument tin leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249837 was assigned to this vulnerability. | |||||
| CVE-2024-0284 | 1 Kashipara | 1 Food Management System | 2024-01-08 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Kashipara Food Management System up to 1.0. It has been rated as problematic. This issue affects some unknown processing of the file party_submit.php. The manipulation of the argument party_address leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249839. | |||||
| CVE-2023-6000 | 1 Sygnoos | 1 Popup Builder | 2024-01-08 | N/A | 6.1 MEDIUM |
| The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks. | |||||
| CVE-2023-6037 | 1 Ljapps | 1 Wp Tripadvisor Review Slider | 2024-01-08 | N/A | 4.8 MEDIUM |
| The WP TripAdvisor Review Slider WordPress plugin before 11.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-50550 | 1 Layui | 1 Layui | 2024-01-08 | N/A | 5.4 MEDIUM |
| layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter. | |||||
| CVE-2023-52240 | 1 Kantega-sso | 1 Kantega Saml Sso Oidc Kerberos Single Sign-on | 2024-01-08 | N/A | 6.1 MEDIUM |
| The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled. This affects 4.4.2 through 4.14.8 before 4.14.9, 5.0.0 through 5.11.4 before 5.11.5, and 6.0.0 through 6.19.0 before 6.20.0. The full product names are Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center & Server (Kantega SSO Enterprise), and Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru Server (Kantega SSO Enterprise). (Here, FeCru refers to the Atlassian Fisheye and Crucible products running together.) | |||||
| CVE-2023-6710 | 2 Modcluster, Redhat | 2 Mod Proxy Cluster, Enterprise Linux | 2024-01-08 | N/A | 5.4 MEDIUM |
| A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. | |||||
| CVE-2024-0189 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 5.4 MEDIUM |
| A vulnerability has been found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. This vulnerability affects unknown code of the file teacher_message.php of the component Create Message Handler. The manipulation of the argument Content with the input </title><scRipt>alert(x)</scRipt> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249502 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-0190 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-01-08 | N/A | 5.4 MEDIUM |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0 and classified as problematic. This issue affects some unknown processing of the file add_quiz.php of the component Quiz Handler. The manipulation of the argument Quiz Title/Quiz Description with the input </title><scRipt>alert(x)</scRipt> leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249503. | |||||
| CVE-2023-7173 | 1 Phpgurukul | 1 Hospital Management System | 2024-01-08 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Hospital Management System 1.0. This affects an unknown part of the file registration.php. The manipulation of the argument First Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249357 was assigned to this vulnerability. | |||||
| CVE-2023-31302 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-01-08 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows remote attackers to execute arbitrary code via the Teller field. | |||||
| CVE-2023-31299 | 1 Sesami | 1 Cash Point \& Transport Optimizer | 2024-01-08 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code via the Barcode field of a container. | |||||
| CVE-2023-5758 | 1 Mozilla | 1 Firefox | 2024-01-07 | N/A | 6.1 MEDIUM |
| When opening a page in reader mode, the redirect URL could have caused attacker-controlled script to execute in a reflected Cross-Site Scripting (XSS) attack. This vulnerability affects Firefox for iOS < 119. | |||||
| CVE-2023-50069 | 1 Wiremock | 1 Wiremock | 2024-01-05 | N/A | 6.1 MEDIUM |
| WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. An attacker can host a malicious payload and perform a test mapping pointing to the attacker's file, and the result will render on the Matched page in the Body area, resulting in the execution of the payload. This occurs because the response body is not validated or sanitized. | |||||
| CVE-2023-52269 | 1 Mdaemon | 1 Securitygateway | 2024-01-05 | N/A | 4.8 MEDIUM |
| MDaemon SecurityGateway through 9.0.3 allows XSS via a crafted Message Content Filtering rule. This might allow domain administrators to conduct attacks against global administrators. | |||||
| CVE-2023-52264 | 1 Thirtybees | 1 Bees Blog | 2024-01-05 | N/A | 6.1 MEDIUM |
| The beesblog (aka Bees Blog) component before 1.6.2 for thirty bees allows Reflected XSS because controllers/front/post.php sharing_url is mishandled. | |||||
| CVE-2023-50892 | 1 Codex-themes | 1 Thegem | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme allows Reflected XSS.This issue affects TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme: from n/a through 5.9.1. | |||||
| CVE-2023-7171 | 1 Xxyopen | 1 Novel-plus | 2024-01-05 | N/A | 4.8 MEDIUM |
| A vulnerability was found in Novel-Plus up to 4.2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file novel-admin/src/main/java/com/java2nb/novel/controller/FriendLinkController.java of the component Friendly Link Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named d6093d8182362422370d7eaf6c53afde9ee45215. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-249307. | |||||
| CVE-2023-50891 | 1 Zohocorp | 1 Zoho Forms | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1. | |||||
| CVE-2023-50893 | 1 Upsolution | 1 Impreza | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution Impreza – WordPress Website and WooCommerce Builder allows Reflected XSS.This issue affects Impreza – WordPress Website and WooCommerce Builder: from n/a through 8.17.4. | |||||
| CVE-2023-52257 | 1 Logobee | 1 Logobee | 2024-01-05 | N/A | 6.1 MEDIUM |
| LogoBee 0.2 allows updates.php?id= XSS. | |||||
| CVE-2023-50889 | 1 Fastlinemedia | 1 Beaver Builder | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder – WordPress Page Builder allows Stored XSS.This issue affects Beaver Builder – WordPress Page Builder: from n/a through 2.7.2. | |||||
| CVE-2023-50881 | 1 Vasyltech | 1 Advanced Access Manager | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More allows Stored XSS.This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.15. | |||||
| CVE-2023-50880 | 1 Buddypress | 1 Buddypress | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The BuddyPress Community BuddyPress allows Stored XSS.This issue affects BuddyPress: from n/a through 11.3.1. | |||||
| CVE-2023-50879 | 1 Automattic | 1 Wordpress.com Editing Toolkit | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress.Com Editing Toolkit allows Stored XSS.This issue affects WordPress.Com Editing Toolkit: from n/a through 3.78784. | |||||
| CVE-2023-50901 | 1 Hasthemes | 1 Ht Mega - Absolute Addons For Elementor Page Builder | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HT Mega – Absolute Addons For Elementor allows Reflected XSS.This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.8. | |||||
| CVE-2023-50896 | 1 Weformspro | 1 Weforms | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS.This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17. | |||||
| CVE-2021-38927 | 3 Ibm, Linux, Microsoft | 3 Aspera Console, Linux Kernel, Windows | 2024-01-05 | N/A | 6.1 MEDIUM |
| IBM Aspera Console 3.4.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 210322. | |||||
| CVE-2023-50470 | 1 Seacms | 1 Seacms | 2024-01-05 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in the component admin_ Video.php of SeaCMS v12.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2023-7166 | 1 Xxyopen | 1 Novel-plus | 2024-01-05 | N/A | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in Novel-Plus up to 4.2.0. This affects an unknown part of the file /user/updateUserInfo of the component HTTP POST Request Handler. The manipulation of the argument nickName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is c62da9bb3a9b3603014d0edb436146512631100d. It is recommended to apply a patch to fix this issue. The identifier VDB-249201 was assigned to this vulnerability. | |||||