Total
28737 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43407 | 1 Ckeditor | 1 Ckeditor | 2024-08-23 | N/A | 6.1 MEDIUM |
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A potential vulnerability has been discovered in CKEditor 4 Code Snippet GeSHi plugin. The vulnerability allowed a reflected XSS attack by exploiting a flaw in the GeSHi syntax highlighter library hosted by the victim. The GeSHi library was included as a vendor dependency in CKEditor 4 source files. In a specific scenario, an attacker could craft a malicious script that could be executed by sending a request to the GeSHi library hosted on a PHP web server. The GeSHi library is no longer actively maintained. Due to the lack of ongoing support and updates, potential security vulnerabilities have been identified with its continued use. To mitigate these risks and enhance the overall security of the CKEditor 4, we have decided to completely remove the GeSHi library as a dependency. This change aims to maintain a secure environment and reduce the risk of any security incidents related to outdated or unsupported software. The fix is be available in version 4.25.0-lts. | |||||
| CVE-2023-6452 | 2024-08-23 | N/A | 9.6 CRITICAL | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS. The Forcepoint Web Security portal allows administrators to generate detailed reports on user requests made through the Web proxy. It has been determined that the "user agent" field in the Transaction Viewer is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, which can be exploited by any user who can route traffic through the Forcepoint Web proxy. This vulnerability enables unauthorized attackers to execute JavaScript within the browser context of a Forcepoint administrator, thereby allowing them to perform actions on the administrator's behalf. Such a breach could lead to unauthorized access or modifications, posing a significant security risk. This issue affects Web Security: before 8.5.6. | |||||
| CVE-2024-42771 | 2024-08-23 | N/A | 4.8 MEDIUM | ||
| A Stored Cross Site Scripting (XSS) vulnerability was found in " /admin/edit_room_controller.php" of the Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "room_name" parameter. | |||||
| CVE-2024-42761 | 2024-08-23 | N/A | 6.1 MEDIUM | ||
| A Stored Cross Site Scripting (XSS) vulnerability was found in "/admin_schedule.php" in Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via scheduleDurationPHP parameter. | |||||
| CVE-2024-42769 | 2024-08-23 | N/A | 6.1 MEDIUM | ||
| A Reflected Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php " of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via "user_fname" and "user_lname" parameters. | |||||
| CVE-2024-42762 | 2024-08-23 | N/A | 5.4 MEDIUM | ||
| A Stored Cross Site Scripting (XSS) vulnerability was found in "/history.php" in Kashipara Bus Ticket Reservation System v1.0, which allows remote attackers to execute arbitrary code via the Name, Phone, and Email parameter fields. | |||||
| CVE-2024-42770 | 2024-08-23 | N/A | 4.7 MEDIUM | ||
| A Stored Cross Site Scripting (XSS) vulnerability was found in "/core/signup_user.php" of Kashipara Hotel Management System v1.0, which allows remote attackers to execute arbitrary code via the "user_email" parameter. | |||||
| CVE-2024-1891 | 1 Tenable | 1 Security Center | 2024-08-23 | N/A | 5.4 MEDIUM |
| A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page. | |||||
| CVE-2024-20443 | 1 Cisco | 1 Identity Services Engine | 2024-08-23 | N/A | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. | |||||
| CVE-2024-20479 | 1 Cisco | 1 Identity Services Engine | 2024-08-23 | N/A | 4.8 MEDIUM |
| A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have Admin privileges on an affected device. | |||||
| CVE-2024-7127 | 1 Stackposts | 1 Social Marketing Tool | 2024-08-23 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation vulnerability in Stackposts Social Marketing Tool allows Cross-site Scripting (XSS) attack. By submitting the payload in the username during registration, it can be executed later in the application panel. This could lead to the unauthorised acquisition of information (e.g. cookies from a logged-in user). After multiple attempts to contact the vendor we did not receive any answer. Our team has confirmed the existence of this vulnerability. We suppose this issue affects Social Marketing Tool in all versions. | |||||
| CVE-2024-41676 | 1 Openmage | 1 Magento | 2024-08-23 | N/A | 4.8 MEDIUM |
| Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched with Version 20.10.1 or higher. | |||||
| CVE-2024-38507 | 1 Jetbrains | 1 Hub | 2024-08-23 | N/A | 5.4 MEDIUM |
| In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible | |||||
| CVE-2024-23111 | 1 Fortinet | 2 Fortios, Fortiproxy | 2024-08-23 | N/A | 4.8 MEDIUM |
| An improper neutralization of input during web page Generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiOS version 7.4.3 and below, 7.2 all versions, 7.0 all versions and FortiProxy version 7.4.2 and below, 7.2 all versions, 7.0 all versions reboot page may allow a remote privileged attacker with super-admin access to execute JavaScript code via crafted HTTP GET requests. | |||||
| CVE-2024-36773 | 1 Monstra | 1 Monstra | 2024-08-22 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php. | |||||
| CVE-2024-33103 | 2024-08-22 | N/A | 6.1 MEDIUM | ||
| An arbitrary file upload vulnerability in the Media Manager component of DokuWiki 2024-02-06a allows attackers to execute arbitrary code by uploading a crafted SVG file. NOTE: as noted in the 4267 issue reference, there is a position that exploitability can only occur with a misconfiguration of the product. | |||||
| CVE-2022-25038 | 2024-08-22 | N/A | 6.1 MEDIUM | ||
| wanEditor v4.7.11 was discovered to contain a cross-site scripting (XSS) vulnerability via the video upload function. | |||||
| CVE-2024-40347 | 1 Hyland | 1 Alfresco Content Services | 2024-08-22 | N/A | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid. | |||||
| CVE-2024-41599 | 1 Ruoyi | 1 Ruoyi | 2024-08-22 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the file upload method | |||||
| CVE-2024-39457 | 1 Cybozu | 1 Garoon | 2024-08-22 | N/A | 5.4 MEDIUM |
| Cybozu Garoon 6.0.0 to 6.0.1 contains a cross-site scripting vulnerability in PDF preview. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user’s web browser. | |||||