Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-28865 | 1 Nokia | 1 Netact | 2023-08-02 | N/A | 5.4 MEDIUM |
| An issue was discovered in Nokia NetAct 22 through the Site Configuration Tool website section. A malicious user can change a filename of an uploaded file to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /netact/sct filename parameter is used. | |||||
| CVE-2022-28867 | 1 Nokia | 1 Netact | 2023-08-02 | N/A | 5.4 MEDIUM |
| An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include JavaScript code, which is then stored and executed by a victim's web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used. | |||||
| CVE-2023-37692 | 1 Octobercms | 1 October | 2023-08-02 | N/A | 5.4 MEDIUM |
| An arbitrary file upload vulnerability in October CMS v3.4.4 allows attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2023-37623 | 1 Netdisco | 1 Netdisco | 2023-08-02 | N/A | 4.8 MEDIUM |
| Netdisco before v2.063000 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /Web/TypeAhead.pm. | |||||
| CVE-2021-28461 | 1 Microsoft | 1 Dynamics 365 | 2023-08-02 | 3.5 LOW | 6.1 MEDIUM |
| Dynamics Finance and Operations Cross-site Scripting Vulnerability | |||||
| CVE-2021-41354 | 1 Microsoft | 1 Dynamics 365 | 2023-08-01 | 3.5 LOW | 5.4 MEDIUM |
| Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
| CVE-2022-31455 | 1 Truedesk | 1 Truedesk | 2023-08-01 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Truedesk v1.2.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a user chat box. | |||||
| CVE-2022-31456 | 1 Truedesk | 1 Truedesk | 2023-08-01 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Truedesk v1.2.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the team name parameter. | |||||
| CVE-2023-37257 | 1 Dataease | 1 Dataease | 2023-08-01 | N/A | 5.4 MEDIUM |
| DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, the DataEase panel and dataset have a stored cross-site scripting vulnerability. The vulnerability has been fixed in v1.18.9. There are no known workarounds. | |||||
| CVE-2023-25840 | 1 Esri | 1 Arcgis | 2023-08-01 | N/A | 3.4 LOW |
| There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 10.8.1 – 11.1 that may allow a remote, authenticated attacker to create a crafted link which onmouseover won't execute but could potentially render an image in the victim's browser. The privileges required to execute this attack are high. | |||||
| CVE-2023-37905 | 1 Ckeditor-wordcount-plugin Project | 1 Ckeditor-wordcount-plugin | 2023-08-01 | N/A | 6.1 MEDIUM |
| ckeditor-wordcount-plugin is an open source WordCount Plugin for CKEditor. It has been discovered that the `ckeditor-wordcount-plugin` plugin for CKEditor4 is susceptible to cross-site scripting when switching to the source code mode. This issue has been addressed in version 1.17.12 of the `ckeditor-wordcount-plugin` plugin and users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-39175 | 1 Jetbrains | 1 Teamcity | 2023-08-01 | N/A | 6.1 MEDIUM |
| In JetBrains TeamCity before 2023.05.2 reflected XSS via GitHub integration was possible. | |||||
| CVE-2021-39421 | 1 Seeddms | 1 Seeddms | 2023-08-01 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in SeedDMS v6.0.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||||
| CVE-2023-36503 | 1 Maxfoundry | 1 Maxbuttons | 2023-08-01 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Max Foundry WordPress Button Plugin MaxButtons plugin <= 9.5.3 versions. | |||||
| CVE-2023-36502 | 1 Cththemes | 1 Balkon | 2023-08-01 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cththemes Balkon plugin <= 1.3.2 versions. | |||||
| CVE-2023-36385 | 1 Wpxpo | 1 Postx | 2023-08-01 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpxpo PostX – Gutenberg Post Grid Blocks plugin <= 2.9.9 versions. | |||||
| CVE-2023-37613 | 1 Assemblysoftware | 1 Trialworks | 2023-07-31 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Assembly Software Trialworks v11.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the asset src parameter. | |||||
| CVE-2023-3790 | 1 Uxblondon | 1 Boom Cms | 2023-07-31 | N/A | 5.4 MEDIUM |
| A vulnerability has been found in Boom CMS 8.0.7 and classified as problematic. Affected by this vulnerability is the function add of the component assets-manager. The manipulation of the argument title/description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235057 was assigned to this vulnerability. | |||||
| CVE-2023-37901 | 1 Cern | 1 Indico | 2023-07-31 | N/A | 5.4 MEDIUM |
| Indico is an open source, general-purpose, web-based event management tool. There is a Cross-Site-Scripting vulnerability in confirmation prompts commonly used when deleting content from Indico. Exploitation requires someone with at least submission privileges (such as a speaker) and then someone else to attempt to delete this content. Considering that event organizers may want to delete suspicious-looking content when spotting it, there is a non-negligible risk of such an attack to succeed. The risk of this could be further increased when combined with some social engineering pointing the victim towards this content. Users need to update to Indico 3.2.6 as soon as possible. See the docs for instructions on how to update. Users who cannot upgrade should only let trustworthy users manage categories, create events or upload materials ("submission" privileges on a contribution/event). This should already be the case in a properly-configured setup when it comes to category/event management. Note that a conference doing a Call for Abstracts actively invites external speakers (who the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a fixed version ASAP in particular when using such workflows. | |||||
| CVE-2023-3944 | 1 Phpscriptpoint | 1 Lawyer | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Lawyer 1.6 and classified as problematic. Affected by this issue is some unknown functionality of the file page.php. The manipulation leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235400. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3855 | 1 Phpscriptpoint | 1 Jobseeker | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic was found in phpscriptpoint JobSeeker 1.5. Affected by this vulnerability is an unknown functionality of the file /search-result.php. The manipulation of the argument kw/lc/ct/cp/p leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-235207. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3856 | 1 Phpscriptpoint | 1 Ecommerce | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in phpscriptpoint Ecommerce 1.15. Affected by this issue is some unknown functionality of the file /blog-single.php. The manipulation of the argument slug leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-235208. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3857 | 1 Phpscriptpoint | 1 Ecommerce | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in phpscriptpoint Ecommerce 1.15. This affects an unknown part of the file /product.php. The manipulation of the argument id leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-235209 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-23833 | 1 Drop Shadow Boxes Project | 1 Drop Shadow Boxes | 2023-07-31 | N/A | 5.4 MEDIUM |
| Auth. (contributor+) Cross-Site Scripting (XSS) vulnerability in Steven Henty Drop Shadow Boxes plugin <= 1.7.10 versions. | |||||
| CVE-2023-35043 | 1 Recent Posts Slider Project | 1 Recent Posts Slider | 2023-07-31 | N/A | 6.1 MEDIUM |
| Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Neha Goel Recent Posts Slider plugin <= 1.1 versions. | |||||
| CVE-2023-33925 | 1 Pluginforage | 1 Woocommerce Product Categories Selection Widget | 2023-07-31 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in PluginForage WooCommerce Product Categories Selection Widget plugin <= 2.0 versions. | |||||
| CVE-2023-34017 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2023-07-31 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FiveStarPlugins Five Star Restaurant Reservations plugin <= 2.6.7 versions. | |||||
| CVE-2023-3858 | 1 Phpscriptpoint | 1 Car Listing | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in phpscriptpoint Car Listing 1.6 and classified as problematic. This vulnerability affects unknown code of the file /search.php. The manipulation of the argument country/state/city leads to cross site scripting. The attack can be initiated remotely. VDB-235210 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-34369 | 1 Login Configurator Project | 1 Login Configurator | 2023-07-31 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GrandSlambert Login Configurator plugin <= 2.1 versions. | |||||
| CVE-2023-38617 | 1 Mobisystems | 1 Office Suite | 2023-07-31 | N/A | 6.1 MEDIUM |
| Office Suite Premium Version v10.9.1.42602 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the filter parameter at /api?path=files. | |||||
| CVE-2023-3862 | 1 Travelable Trek Management Solution Project | 1 Travelable Trek Management Solution | 2023-07-31 | N/A | 4.7 MEDIUM |
| A vulnerability was found in Travelmate Travelable Trek Management Solution 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Comment Box Handler. The manipulation of the argument comment leads to cross site scripting. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. VDB-235214 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-2029 | 1 Enzipe | 1 Prepost Seo | 2023-07-31 | N/A | 4.8 MEDIUM |
| The PrePost SEO WordPress plugin through 3.0 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3319 | 1 Idisplay | 1 Platplay Ds | 2023-07-31 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iDisplay PlatPlay DS allows Stored XSS. This issue affects PlatPlay DS: before 3.14. | |||||
| CVE-2023-3860 | 1 Phpscriptpoint | 1 Insurance | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Insurance 1.2. It has been classified as problematic. Affected is an unknown function of the file /page.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-235212. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-3861 | 1 Phpscriptpoint | 1 Insurance | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint Insurance 1.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /search.php. The manipulation leads to cross site scripting. The attack can be launched remotely. The identifier VDB-235213 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-2309 | 1 Gvectors | 1 Wpforo Forum | 2023-07-31 | N/A | 6.1 MEDIUM |
| The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability. | |||||
| CVE-2023-3344 | 1 Auto Location For Wp Job Manager Via Google Project | 1 Auto Location For Wp Job Manager Via Google | 2023-07-31 | N/A | 4.8 MEDIUM |
| The Auto Location for WP Job Manager via Google WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3248 | 1 Premio | 1 My Sticky Elements | 2023-07-31 | N/A | 4.8 MEDIUM |
| The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-3853 | 1 Phpscriptpoint | 1 Bloodbank | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability was found in phpscriptpoint BloodBank 1.1. It has been rated as problematic. This issue affects some unknown processing of the file page.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. The identifier VDB-235205 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2023-37164 | 1 Diafan | 1 Diafan.cms | 2023-07-31 | N/A | 6.1 MEDIUM |
| Diafan CMS v6.0 was discovered to contain a reflected cross-site scripting via the cat_id parameter at /shop/?module=shop&action=search. | |||||
| CVE-2023-37600 | 1 Mobisystems | 1 Office Suite | 2023-07-31 | N/A | 6.1 MEDIUM |
| Office Suite Premium Version v10.9.1.42602 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the id parameter at /api?path=profile. | |||||
| CVE-2023-37602 | 1 Alkacon | 1 Opencms | 2023-07-31 | N/A | 6.1 MEDIUM |
| An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file. | |||||
| CVE-2023-3815 | 1 Ruoyi | 1 Ruoyi | 2023-07-31 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function uploadFilesPath of the component File Upload. The manipulation of the argument originalFilenames leads to cross site scripting. The attack may be launched remotely. VDB-235118 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-36675 | 1 Mediawiki | 1 Mediawiki | 2023-07-31 | N/A | 6.1 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1.38.x before 1.38.7, and 1.39.x before 1.39.4. BlockLogFormatter.php in BlockLogFormatter allows XSS in the partial blocks feature. | |||||
| CVE-2023-3887 | 1 Campcodes | 1 Beauty Salon Management System | 2023-07-28 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Campcodes Beauty Salon Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/search-appointment.php. The manipulation of the argument searchdata leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235249 was assigned to this vulnerability. | |||||
| CVE-2023-3884 | 1 Campcodes | 1 Beauty Salon Management System | 2023-07-28 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in Campcodes Beauty Salon Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/edit_product.php. The manipulation of the argument id leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-235246 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-3885 | 1 Campcodes | 1 Beauty Salon Management System | 2023-07-28 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Campcodes Beauty Salon Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/edit_category.php. The manipulation of the argument id leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235247. | |||||
| CVE-2023-3883 | 1 Campcodes | 1 Beauty Salon Management System | 2023-07-28 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Campcodes Beauty Salon Management System 1.0. This affects an unknown part of the file /admin/add-category.php. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235245 was assigned to this vulnerability. | |||||
| CVE-2023-3886 | 1 Campcodes | 1 Beauty Salon Management System | 2023-07-28 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Campcodes Beauty Salon Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/invoice.php. The manipulation of the argument inv_id leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235248. | |||||
| CVE-2023-3840 | 1 Nxfilter | 1 Nxfilter | 2023-07-28 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in NxFilter 4.3.2.5. This affects an unknown part of the file /report,daily.jsp?stime=2023%2F07%2F12&timeOption=yesterday&. The manipulation of the argument user leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-235191. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
