Total: 28757 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-48094 | 1 Cesium | 1 Cesiumjs | 2024-08-02 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in CesiumJS v1.111 allows attackers to execute arbitrary code in the context of the victim's browser via sending a crafted payload to /container_files/public_html/doc/index.html. NOTE: the vendor's position is that Apps/Sandcastle/standalone.html is part of the CesiumGS/cesium GitHub repository, but is demo code that is not part of the CesiumJS JavaScript library product. |
CVE-2023-46858 | 1 Moodle | 1 Moodle | 2024-08-02 | N/A | 5.4 MEDIUM | Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not." |
CVE-2023-35006 | 1 Ibm | 1 Security Qradar Edr | 2024-08-02 | N/A | 5.4 MEDIUM | IBM Security QRadar EDR 3.12 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 297165. |
CVE-2024-29474 | | | 2024-08-02 | N/A | 5.4 MEDIUM | OneBlog v2.3.4 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the User Management module. |
CVE-2023-44766 | 1 Concretecms | 1 Concrete Cms | 2024-08-02 | N/A | 4.8 MEDIUM | A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. |
CVE-2023-44760 | 1 Concretecms | 1 Concrete Cms | 2024-08-02 | N/A | 4.8 MEDIUM | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly. |
CVE-2024-40873 | 1 Absolute | 1 Secure Access | 2024-08-02 | N/A | 3.4 LOW | There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.07. Attackers with system administrator permissions can interfere with another system administrator's use of the publishing UI when the administrators are editing the same management object. The scope is unchanged, and there is no loss of confidentiality. Impact to system availability is none; impact to system integrity is high. |
CVE-2024-28772 | 1 Ibm | 3 Security Directory Integrator, Security Directory Server, Security Verify Access | 2024-08-02 | N/A | 5.4 MEDIUM | IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 are vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 285645. |
CVE-2024-39126 | 1 Roundup-tracker | 1 Roundup | 2024-08-02 | N/A | 5.4 MEDIUM | Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents. |
CVE-2024-39125 | 1 Roundup-tracker | 1 Roundup | 2024-08-02 | N/A | 5.4 MEDIUM | Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header. |
CVE-2024-25344 | | | 2024-08-02 | N/A | 6.1 MEDIUM | Cross Site Scripting vulnerability in ITFlow.org before commit v.432488eca3998c5be6b6b9e8f8ba01f54bc12378 allows a remote attacker to execute arbitrary code and obtain sensitive information via the settings.php, settings+company.php, settings_defaults.php, settings_integrations.php, settings_invoice.php, settings_localization.php, and settings_mail.php components. |
CVE-2023-38582 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-08-02 | N/A | 5.4 MEDIUM | Persistent cross-site scripting (XSS) in the web application of MOD3GP-SY-120K allows an authenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the field MAIL_RCV. When a legitimate user attempts to access the vulnerable page of the web application, the XSS payload will be executed. |
CVE-2023-38255 | 1 Socomec | 2 Modulys Gp, Modulys Gp Firmware | 2024-08-02 | N/A | 6.1 MEDIUM | A potential attacker with or without (cookie theft) access to the device would be able to include malicious code (XSS) when uploading a new device configuration that could affect the intended function of the device. |
CVE-2024-29833 | | | 2024-08-02 | N/A | 5.4 MEDIUM | The image upload component allows SVG files, and the regular expression used to remove script tags can be bypassed by using a Cross Site Scripting payload which does not match the regular expression; one example of this is the inclusion of whitespace within the script tag. An attacker must target an authenticated user with permissions to access this feature; however, once uploaded, the payload is also accessible to unauthenticated users. |
CVE-2024-29832 | | | 2024-08-02 | N/A | 6.1 MEDIUM | The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response, allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue. Note that other parameters within an AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited. |
CVE-2024-29810 | | | 2024-08-02 | N/A | 5.4 MEDIUM | The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue. |
CVE-2024-29809 | | | 2024-08-02 | N/A | 5.4 MEDIUM | The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue. |
CVE-2024-29808 | | | 2024-08-02 | N/A | 5.4 MEDIUM | The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue. |
CVE-2024-2122 | 1 Fooplugins | 1 Foogallery | 2024-08-02 | N/A | 5.4 MEDIUM | The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2024-28635 | | | 2024-08-02 | N/A | 6.1 MEDIUM | Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v.1.9.132 and before allows attackers to execute arbitrary code and obtain sensitive information via the title parameter in a form. |