Total: 20468 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-125109 | 1 Bestwebsoft | 1 Portfolio | 2024-01-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.27. It has been declared as problematic. This vulnerability affects the function bws_add_menu_render of the file bws_menu/bws_menu.php. The manipulation of the argument bwsmn_form_email leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 2.28 is able to address this issue. The name of the patch is d2ede580474665af56ff262a05783fbabe4529b8. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-248956. | |||||
| CVE-2015-10127 | 1 Bestwebsoft | 1 Pluscaptcha | 2024-01-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in PlusCaptcha Plugin up to 2.0.6 on WordPress and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 2.0.14 is able to address this issue. The patch is identified as 1274afc635170daafd38306487b6bb8a01f78ecd. It is recommended to upgrade the affected component. VDB-248954 is the identifier assigned to this vulnerability. | |||||
| CVE-2021-24830 | 1 Vasyltech | 1 Advanced Access Manager | 2024-01-05 | 3.5 LOW | 4.8 MEDIUM |
| The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2023-7160 | 1 Janobe | 1 Engineers Online Portal | 2024-01-05 | N/A | 6.1 MEDIUM |
| A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Add Engineer Handler. The manipulation of the argument first name/last name with the input <script>alert(0)</script> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249182 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-50924 | 1 Engelsystem | 1 Engelsystem | 2024-01-05 | N/A | 5.4 MEDIUM |
| Engelsystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user's context. This vulnerability enables an authenticated user to inject Javascript into other user's sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1. | |||||
| CVE-2021-3672 | 6 C-ares Project, Fedoraproject, Nodejs and 3 more | 17 C-ares, Fedora, Node.js and 14 more | 2024-01-05 | 6.8 MEDIUM | 5.6 MEDIUM |
| A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. | |||||
| CVE-2023-7113 | 1 Mattermost | 1 Mattermost Server | 2024-01-05 | N/A | 6.1 MEDIUM |
| Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client. | |||||
| CVE-2023-51399 | 1 Wpfactory | 1 Back Button Widget | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS. This issue affects Back Button Widget: from n/a through 1.6.3. | |||||
| CVE-2023-51541 | 1 Urosevic | 1 Stock Ticker | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Urošević Stock Ticker allows Stored XSS. This issue affects Stock Ticker: from n/a through 3.23.4. | |||||
| CVE-2023-51397 | 1 Brainstormforce | 1 Wp Remote Site Search | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force WP Remote Site Search allows Stored XSS. This issue affects WP Remote Site Search: from n/a through 1.0.4. | |||||
| CVE-2023-51374 | 1 Zerobounce | 1 Zerobounce Email Verification & Validation | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZeroBounce ZeroBounce Email Verification & Validation allows Stored XSS. This issue affects ZeroBounce Email Verification & Validation: from n/a through 1.0.11. | |||||
| CVE-2023-51396 | 1 Brizy | 1 Brizy-page Builder | 2024-01-05 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy – Page Builder allows Stored XSS. This issue affects Brizy – Page Builder: from n/a through 2.4.29. | |||||
| CVE-2023-51372 | 1 Hasthemes | 1 Hashbar | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HashBar – WordPress Notification Bar allows Stored XSS. This issue affects HashBar – WordPress Notification Bar: from n/a through 1.4.1. | |||||
| CVE-2023-51373 | 1 Nakunakifi | 1 Google Photos Gallery With Shortcodes | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS. This issue affects Google Photos Gallery with Shortcodes: from n/a through 4.0.2. | |||||
| CVE-2023-51371 | 1 Bitapps | 1 Bit Assist | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bit Assist Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button with floating Chat Widget allows Stored XSS. This issue affects Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button with floating Chat Widget: from n/a through 1.1.9. | |||||
| CVE-2023-51361 | 1 Gingerplugins | 1 Sticky Chat Widget | 2024-01-05 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ginger Plugins Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button allows Stored XSS. This issue affects Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button: from n/a through 1.1.8. | |||||
| CVE-2023-41814 | 1 Pandorafms | 1 Pandora Fms | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Through an HTML payload (iframe tag) it is possible to carry out XSS attacks when the user receiving the messages opens their notifications. This issue affects Pandora FMS: from 700 through 774. | |||||
| CVE-2023-41813 | 1 Pandorafms | 1 Pandora Fms | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Allows you to edit the Web Console user notification options. This issue affects Pandora FMS: from 700 through 774. | |||||
| CVE-2023-41815 | 1 Pandorafms | 1 Pandora Fms | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Malicious code could be executed in the File Manager section. This issue affects Pandora FMS: from 700 through 774. | |||||
| CVE-2023-44089 | 1 Pandorafms | 1 Pandora Fms | 2024-01-05 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). It was possible to execute malicious JS code on Visual Consoles. This issue affects Pandora FMS: from 700 through 774. | |||||
| CVE-2023-52084 | 1 Wintercms | 1 Winter | 2024-01-05 | N/A | 5.4 MEDIUM |
| Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4. | |||||
| CVE-2023-52083 | 1 Wintercms | 1 Winter | 2024-01-05 | N/A | 4.8 MEDIUM |
| Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4. | |||||
| CVE-2023-7132 | 1 Carmelogarcia | 1 Intern Membership Management System | 2024-01-04 | N/A | 5.4 MEDIUM |
| A vulnerability was found in code-projects Intern Membership Management System 2.0. It has been classified as problematic. This affects an unknown part of the file /user_registration/ of the component User Registration. The manipulation of the argument userName/firstName/lastName/userEmail with the input "><ScRiPt>confirm(document.domain)</ScRiPt>h0la leads to cross site scripting. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249135. | |||||
| CVE-2023-31298 | 1 Sesami | 1 Cash Point & Transport Optimizer | 2024-01-04 | N/A | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code and obtain sensitive information via the User ID field when creating a new system user. | |||||
| CVE-2023-31301 | 1 Sesami | 1 Cash Point & Transport Optimizer | 2024-01-04 | N/A | 6.1 MEDIUM |
| Stored Cross Site Scripting (XSS) Vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code and obtain sensitive information via the Username field of the login form and application log. | |||||
| CVE-2023-7133 | 1 Ruoyi | 1 Ruoyi | 2024-01-04 | N/A | 6.1 MEDIUM |
| A vulnerability was found in y_project RuoYi 4.7.8. It has been declared as problematic. This vulnerability affects unknown code of the file /login of the component HTTP POST Request Handler. The manipulation of the argument rememberMe with the input falsen3f0m<script>alert(1)</script>p86o0 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249136. | |||||
| CVE-2023-4672 | 1 Talentyazilim | 1 Ecop | 2024-01-04 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Talent Software ECOP allows Reflected XSS. This issue affects ECOP: before 32255. | |||||
| CVE-2023-50874 | 1 Connekthq | 1 Ajax Load More | 2024-01-04 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Darren Cooney WordPress Infinite Scroll – Ajax Load More allows Stored XSS. This issue affects WordPress Infinite Scroll – Ajax Load More: from n/a through 6.1.0.1. | |||||
| CVE-2023-51501 | 1 Undsgn | 1 Uncode | 2024-01-04 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Undsgn Uncode - Creative & WooCommerce WordPress Theme allows Reflected XSS. This issue affects Uncode - Creative & WooCommerce WordPress Theme: from n/a through 2.8.6. | |||||
| CVE-2023-50836 | 1 Ibericode | 1 Html Forms | 2024-01-04 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibericode HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.3.28. | |||||
| CVE-2023-50859 | 1 Themeum | 1 Wp Crowdfunding | 2024-01-04 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum WP Crowdfunding allows Stored XSS. This issue affects WP Crowdfunding: from n/a through 2.1.6. | |||||
| CVE-2023-50860 | 1 Tms-outsource | 1 Amelia | 2024-01-04 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar – Amelia allows Stored XSS. This issue affects Booking for Appointments and Events Calendar – Amelia: from n/a through 1.0.85. | |||||
| CVE-2023-48115 | 1 Smartertools | 1 Smartermail | 2024-01-04 | N/A | 5.4 MEDIUM |
| SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request. | |||||
| CVE-2023-48116 | 1 Smartertools | 1 Smartermail | 2024-01-04 | N/A | 5.4 MEDIUM |
| SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment. | |||||
| CVE-2023-48114 | 1 Smartertools | 1 Smartermail | 2024-01-04 | N/A | 5.4 MEDIUM |
| SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. This occurs because the application tries to allow youtube.com URLs, but actually allows youtube.com followed by an @ character and an attacker-controlled domain name. | |||||
| CVE-2023-7124 | 1 Fabianros | 1 E-commerce Site | 2024-01-04 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in code-projects E-Commerce Site 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument keyword with the input <video/src=x onerror=alert(document.cookie)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249096. | |||||
| CVE-2023-49469 | 1 Shaarli Project | 1 Shaarli | 2024-01-04 | N/A | 6.1 MEDIUM |
| Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code via search tag function. | |||||
| CVE-2023-45737 | 1 Weseek | 1 Growi | 2024-01-04 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. | |||||
| CVE-2023-45740 | 1 Weseek | 1 Growi | 2024-01-04 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. | |||||
| CVE-2023-42436 | 1 Weseek | 1 Growi | 2024-01-04 | N/A | 5.4 MEDIUM |
| Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product. | |||||
| CVE-2023-5988 | 1 Uyumsoft | 1 Lioxerp | 2024-01-04 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies LioXERP allows Reflected XSS. This issue affects LioXERP: before v.146. | |||||
| CVE-2023-5989 | 1 Uyumsoft | 1 Lioxerp | 2024-01-04 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies LioXERP allows Stored XSS. This issue affects LioXERP: before v.146. | |||||
| CVE-2023-6268 | 1 Json-content-importer | 1 Json Content Importer | 2024-01-04 | N/A | 6.1 MEDIUM |
| The JSON Content Importer WordPress plugin before 1.5.4 does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2023-49117 | 1 Alfasado | 1 Powercms | 2024-01-04 | N/A | 5.4 MEDIUM |
| PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user's web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability. | |||||
| CVE-2020-1580 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2024-01-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. | |||||
| CVE-2020-1591 | 1 Microsoft | 1 Dynamics 365 | 2024-01-04 | 3.5 LOW | 5.4 MEDIUM |
| A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests. | |||||
| CVE-2020-1573 | 1 Microsoft | 4 Sharepoint Designer, Sharepoint Enterprise Server, Sharepoint Foundation and 1 more | 2024-01-04 | 3.5 LOW | 5.5 MEDIUM |
| A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that SharePoint Server properly sanitizes web requests. | |||||
| CVE-2023-38826 | 1 Follettlearning | 1 Solutions Destiny | 2024-01-03 | N/A | 6.1 MEDIUM |
| A Cross Site Scripting (XSS) vulnerability exists in Follett Learning Solutions Destiny through 20.0_1U. via the handlewpesearchform.do. searchString. | |||||
| CVE-2023-27150 | 1 Opencrx | 1 Opencrx | 2024-01-03 | N/A | 5.4 MEDIUM |
| openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity. | |||||
| CVE-2022-41762 | 1 Nokia | 1 Network Functions Manager For Transport | 2024-01-03 | N/A | 6.1 MEDIUM |
| An issue was discovered in NOKIA NFM-T R19.9. Multiple Reflected XSS vulnerabilities exist in the Network Element Manager via any parameter to log.pl, the bench or pid parameter to top.pl, or the id parameter to easy1350.pl. | |||||
