Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-38307 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality. The vulnerability occurs when an authenticated user adds a new user and inserts an XSS payload into the user's real name. | |||||
| CVE-2023-38309 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue was discovered in Webmin 2.021. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the package search functionality. The vulnerability allows an attacker to inject a malicious payload in the "Search for Package" field, which gets reflected back in the application's response, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. | |||||
| CVE-2023-38308 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 6.1 MEDIUM |
| An issue was discovered in Webmin 2.021. A Cross-Site Scripting (XSS) vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code, leading to the execution of arbitrary JavaScript code within the context of the victim's browser. | |||||
| CVE-2023-38310 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the configuration settings of the system logs functionality. The vulnerability allows an attacker to store an XSS payload in the configuration settings of specific log files. This results in the execution of that payload whenever the affected log files are accessed. | |||||
| CVE-2023-38311 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the System Logs Viewer functionality. The vulnerability allows an attacker to store a malicious payload in the configuration field, triggering the execution of the payload when saving the configuration or when accessing the System Logs Viewer page. | |||||
| CVE-2023-38303 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. One can exploit a stored Cross-Site Scripting (XSS) attack to achieve Remote Command Execution (RCE) through the Users and Group's real name parameter. | |||||
| CVE-2023-33560 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 6.1 MEDIUM |
| There is a Cross Site Scripting (XSS) vulnerability in "cid" parameter of preview.php in PHPJabbers Time Slots Booking Calendar v3.3. | |||||
| CVE-2023-38304 | 1 Webmin | 1 Webmin | 2023-08-04 | N/A | 5.4 MEDIUM |
| An issue was discovered in Webmin 2.021. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Users and Groups functionality, allowing an attacker to store a malicious payload in the Group Name field when creating a new group. | |||||
| CVE-2023-33564 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2023-08-04 | N/A | 6.1 MEDIUM |
| There is a Cross Site Scripting (XSS) vulnerability in the "theme" parameter of preview.php in PHPJabbers Time Slots Booking Calendar v3.3. | |||||
| CVE-2023-35792 | 1 Vound-software | 1 Intella Connect | 2023-08-04 | N/A | 6.1 MEDIUM |
| Vound Intella Connect 2.6.0.3 is vulnerable to stored Cross-site Scripting (XSS). | |||||
| CVE-2023-36211 | 1 Cubiclesoft | 1 Barebones Cms | 2023-08-04 | N/A | 5.4 MEDIUM |
| The Barebones CMS v2.0.2 is vulnerable to Stored Cross-Site Scripting (XSS) when an authenticated user interacts with certain features on the admin panel. | |||||
| CVE-2023-3130 | 1 Kaizencoders | 1 Short Url | 2023-08-03 | N/A | 4.8 MEDIUM |
| The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-3134 | 1 Incsub | 1 Forminator | 2023-08-03 | N/A | 6.1 MEDIUM |
| The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. | |||||
| CVE-2023-0602 | 1 Johnniejodelljr | 1 Twittee Text Tweet | 2023-08-03 | N/A | 6.1 MEDIUM |
| The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative pages, which allows reflected XSS attacks targeting administrators to happen. | |||||
| CVE-2021-31651 | 1 Neofr | 1 Neofrag | 2023-08-03 | N/A | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in neofarg-cms 0.2.3 allows a remote attacker to run arbitrary code via the copyright field in copyright settings. | |||||
| CVE-2023-4007 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-08-03 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.16. | |||||
| CVE-2023-37467 | 1 Discourse | 1 Discourse | 2023-08-03 | N/A | 5.4 MEDIUM |
| Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting. | |||||
| CVE-2023-3990 | 1 Mingsoft | 1 Mcms | 2023-08-03 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-235611. | |||||
| CVE-2023-3989 | 1 Jewelry Store System Project | 1 Jewelry Store System | 2023-08-03 | N/A | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester Jewelry Store System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file add_customer.php. The manipulation leads to cross site scripting. The attack may be launched remotely. VDB-235610 is the identifier assigned to this vulnerability. | |||||
| CVE-2012-4242 | 2 Mf Gig Calendar Project, Wordpress | 2 Mf Gig Calendar, Wordpress | 2023-08-03 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. | |||||
| CVE-2023-3970 | 1 Gzscripts | 1 Availability Booking Calendar Php | 2023-08-02 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability. | |||||
| CVE-2023-3969 | 1 Gzscripts | 1 Availability Booking Calendar Php | 2023-08-02 | N/A | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in GZ Scripts Availability Booking Calendar PHP 1.0. Affected by this issue is some unknown functionality of the file index.php of the component HTTP POST Request Handler. The manipulation of the argument promo_code leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235568. | |||||
| CVE-2023-37980 | 1 Custom Field For Wp Job Manager Project | 1 Custom Field For Wp Job Manager | 2023-08-02 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gravity Master Custom Field For WP Job Manager plugin <= 1.1 versions. | |||||
| CVE-2023-37993 | 1 Maennchen1 | 1 Wpshopgermany It-recht Kanzlei | 2023-08-02 | N/A | 4.8 MEDIUM |
| Auth. Stored Cross-Site Scripting (XSS) vulnerability in maennchen1.De wpShopGermany IT-RECHT KANZLEI plugin <= 1.7 versions. | |||||
| CVE-2023-37970 | 1 Mf Gig Calendar Project | 1 Mf Gig Calendar | 2023-08-02 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Matthew Fries MF Gig Calendar plugin <= 1.2 versions. | |||||
| CVE-2023-37981 | 1 Wpkube | 1 Authors List | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPKube Authors List plugin <= 2.0.2 versions. | |||||
| CVE-2023-37894 | 1 Radiustheme | 1 Variation Images Gallery For Woocommerce | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Images Gallery for WooCommerce plugin <= 2.3.3 versions. | |||||
| CVE-2023-37975 | 1 Variation Swatches For Woocommerce Project | 1 Variation Swatches For Woocommerce | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Swatches for WooCommerce plugin <= 2.3.7 versions. | |||||
| CVE-2023-37976 | 1 Radioforge | 1 Radio Forge Muses Player With Skins | 2023-08-02 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Radio Forge Muses Player with Skins plugin <= 2.5 versions. | |||||
| CVE-2023-38501 | 1 Copyparty Project | 1 Copyparty | 2023-08-02 | N/A | 6.1 MEDIUM |
| copyparty is file server software. Prior to version 1.8.7, the application contains a reflected cross-site scripting via URL-parameter `?k304=...` and `?setck=...`. The worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link. It is recommended to change the passwords of one's copyparty accounts, unless one has inspected one's logs and found no trace of attacks. Version 1.8.7 contains a patch for the issue. | |||||
| CVE-2023-3945 | 1 Phpscriptpoint | 1 Lawyer | 2023-08-02 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Lawyer 1.6. It has been classified as problematic. This affects an unknown part of the file search.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-235401 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3384 | 1 Redhat | 1 Quay | 2023-08-02 | N/A | 5.4 MEDIUM |
| A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS). | |||||
| CVE-2023-38500 | 1 Typo3 | 1 Html Sanitizer | 2023-08-02 | N/A | 6.1 MEDIUM |
| TYPO3 HTML Sanitizer is an HTML sanitizer, written in PHP, aiming to provide cross-site-scripting-safe markup based on explicitly allowed tags, attributes and values. Starting in version 1.0.0 and prior to versions 1.5.1 and 2.1.2, due to an encoding issue in the serialization layer, malicious markup nested in a `noscript` element was not encoded correctly. `noscript` is disabled in the default configuration, but might have been enabled in custom scenarios. This allows bypassing the cross-site scripting mechanism of TYPO3 HTML Sanitizer. Versions 1.5.1 and 2.1.2 fix the problem. | |||||
| CVE-2007-4165 | 1 Xuyiyang | 1 Blue Memories Theme | 2023-08-02 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in the Blue Memories theme 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter, possibly a related issue to CVE-2007-2757 and CVE-2007-4014. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2008-0618 | 1 Dmsguestbook Project | 1 Dmsguestbook | 2023-08-02 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.8.0 and 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) gbname, (2) gbemail, (3) gburl, and (4) gbmsg parameters to unspecified programs. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2008-0617 | 1 Dmsguestbook Project | 1 Dmsguestbook | 2023-08-02 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the DMSGuestbook 1.7.0 plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) file parameter to wp-admin/admin.php, or the (2) messagefield parameter in the guestbook page, and the (3) title parameter in the messagearea. | |||||
| CVE-2023-35929 | 1 Enalean | 1 Tuleap | 2023-08-02 | N/A | 5.4 MEDIUM |
| Tuleap is a free and open source suite to improve management of software development and collaboration. Prior to version 14.10.99.4 of Tuleap Community Edition and prior to versions 14.10-2 and 14.9-5 of Tuleap Enterprise Edition, content displayed in the "card fields" (visible in the kanban and PV2 apps) is not properly escaped. A malicious user with the capability to create an artifact or to edit a field used as a card field could force victim to execute uncontrolled code. Tuleap Community Edition 14.10.99.4, Tuleap Enterprise Edition 14.10-2, and Tuleap Enterprise Edition 14.9-5 contain a fix. | |||||
| CVE-2023-1890 | 1 Pauple | 1 Tablesome | 2023-08-02 | N/A | 6.1 MEDIUM |
| The Tablesome WordPress plugin before 1.0.9 does not escape various generated URLs before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting. | |||||
| CVE-2021-24909 | 1 Navz | 1 Acf Photo Gallery Field | 2023-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2023-2223 | 1 12net | 1 Login Rebuilder | 2023-08-02 | N/A | 4.8 MEDIUM |
| The Login rebuilder WordPress plugin before 2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-2224 | 1 10web | 1 Seo | 2023-08-02 | N/A | 4.8 MEDIUM |
| The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2021-28359 | 1 Apache | 1 Airflow | 2023-08-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "origin" parameter passed to some of the endpoints like '/trigger' was vulnerable to XSS exploit. This issue affects Apache Airflow versions <1.10.15 in 1.x series and affects 2.0.0 and 2.0.1 and 2.x series. This is the same as CVE-2020-13944 & CVE-2020-17515 but the implemented fix did not fix the issue completely. Update to Airflow 1.10.15 or 2.0.2. Please also update your Python version to the latest available PATCH releases of the installed MINOR versions, example update to Python 3.6.13 if you are on Python 3.6. (Those contain the fix for CVE-2021-23336 https://nvd.nist.gov/vuln/detail/CVE-2021-23336). | |||||
| CVE-2007-6677 | 1 Peters Software | 1 Random Anti-spam Image | 2023-08-02 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Peter's Random Anti-Spam Image 0.2.4 and earlier plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the comment field in the comment form. | |||||
| CVE-2023-2605 | 1 Wp Brutal Ai Project | 1 Wp Brutal Ai | 2023-08-02 | N/A | 6.1 MEDIUM |
| The wpbrutalai WordPress plugin before 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against logged-in high privilege users such as admin. | |||||
| CVE-2023-37150 | 1 Online Pizza Ordering System Project | 1 Online Pizza Ordering System | 2023-08-02 | N/A | 6.1 MEDIUM |
| Sourcecodester Online Pizza Ordering System v1.0 has a Cross-site scripting (XSS) vulnerability in "/admin/index.php?page=categories" Category item. | |||||
| CVE-2023-37153 | 1 Kodcloud | 1 Kodexplorer | 2023-08-02 | N/A | 6.1 MEDIUM |
| KodExplorer 4.51 contains a Cross-Site Scripting (XSS) vulnerability in the Description box of the Light App creation feature. An attacker can exploit this vulnerability by injecting XSS syntax into the Description field. | |||||
| CVE-2022-0565 | 1 Pimcore | 1 Pimcore | 2023-08-02 | 5.0 MEDIUM | 7.5 HIGH |
| Cross-site Scripting in Packagist pimcore/pimcore prior to 10.3.1. | |||||
| CVE-2022-0121 | 1 Hoppscotch | 1 Hoppscotch | 2023-08-02 | 6.0 MEDIUM | 8.0 HIGH |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoppscotch hoppscotch/hoppscotch. This issue affects hoppscotch/hoppscotch before 2.1.1. | |||||
| CVE-2022-0282 | 1 Microweber | 1 Microweber | 2023-08-02 | 5.0 MEDIUM | 7.5 HIGH |
| Cross-site Scripting in Packagist microweber/microweber prior to 1.2.11. | |||||
| CVE-2023-25841 | 1 Esri | 1 Arcgis | 2023-08-02 | N/A | 6.1 MEDIUM |
| There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 10.8.1 – 11.0 on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities. | |||||
