Total
33149 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45962 | 2024-10-04 | N/A | 4.7 MEDIUM | ||
| October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target. | |||||
| CVE-2024-47612 | 2024-10-04 | N/A | 3.5 LOW | ||
| DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, (datadump-table-column-queued), (datadump-table-column-in-progress), (datadump-table-column-completed), (datadump-table-column-failed)). If these messages are edited (which requires the (editinterface) right by default), anyone who can view Special:DataDump (which requires the (view-dump) right by default) can be XSSed. This vulnerability is fixed with 601688ee8e8808a23b102fa305b178f27cbd226d. | |||||
| CVE-2024-45964 | 2024-10-04 | N/A | 4.8 MEDIUM | ||
| Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field. | |||||
| CVE-2024-45965 | 2024-10-04 | N/A | 4.7 MEDIUM | ||
| Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target. | |||||
| CVE-2024-45960 | 2024-10-04 | N/A | 4.8 MEDIUM | ||
| Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack. | |||||
| CVE-2024-33210 | 2024-10-04 | N/A | 5.4 MEDIUM | ||
| A cross-site scripting (XSS) vulnerability has been identified in Flatpress 1.3. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users. | |||||
| CVE-2024-9174 | 2024-10-04 | N/A | N/A | ||
| Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI | |||||
| CVE-2024-46082 | 2024-10-04 | N/A | 5.4 MEDIUM | ||
| Scriptcase v.9.10.023 and before is vulnerable to Cross Site Scripting (XSS) in nm_cor.php via the form and field parameters. | |||||
| CVE-2024-9279 | 1 Funnyzpc | 1 Mee-admin | 2024-10-04 | 3.3 LOW | 4.8 MEDIUM |
| A vulnerability, which was classified as problematic, was found in funnyzpc Mee-Admin up to 1.6. This affects an unknown part of the file /mee/index of the component User Center. The manipulation of the argument User Nickname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-43986 | 1 Mage-people | 1 Ecab Taxi Booking Manager | 2024-10-04 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Stored XSS.This issue affects Taxi Booking Manager for WooCommerce: through 1.0.9. | |||||
| CVE-2024-3944 | 1 Delower | 1 Wp To Do | 2024-10-04 | N/A | 4.8 MEDIUM |
| The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-8536 | 1 Dotcamp | 1 Ultimate Blocks | 2024-10-03 | N/A | 5.4 MEDIUM |
| The Ultimate Blocks WordPress plugin before 3.2.2 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2024-20475 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2024-10-03 | N/A | 5.4 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Catalyst SD-WAN Manager, formerly Cisco SD-WAN vManage, could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious data into a specific data field in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface. | |||||
| CVE-2024-8788 | 1 Wpfactory | 1 Eu\/uk Vat Manager For Woocommerce | 2024-10-03 | N/A | 6.1 MEDIUM |
| The EU/UK VAT Manager for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.11. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-9177 | 1 Themedy | 1 Toolbox | 2024-10-03 | N/A | 5.4 MEDIUM |
| The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all versions up to, and including, 1.0.14, and up to, and including 1.0.15 for the plugin's themedy_button shortcode due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-45836 | 1 Planex | 10 Cs-qr10, Cs-qr10 Firmware, Cs-qr20 and 7 more | 2024-10-03 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability exists in the web management page of PLANEX COMMUNICATIONS network cameras. If a logged-in user accesses a specific file, an arbitrary script may be executed on the web browser of the user. | |||||
| CVE-2024-9068 | 1 Themexclub | 1 Oneelements | 2024-10-02 | N/A | 5.4 MEDIUM |
| The OneElements – Best Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-9028 | 1 Devfarm | 1 Wp Gpx Maps | 2024-10-02 | N/A | 5.4 MEDIUM |
| The WP GPX Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sgpx' shortcode in all versions up to, and including, 1.7.08 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9027 | 1 Wpzoom | 1 Wpzoom Shortcodes | 2024-10-02 | N/A | 5.4 MEDIUM |
| The WPZOOM Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9069 | 1 Graphicsly | 1 Graphicsly | 2024-10-02 | N/A | 5.4 MEDIUM |
| The Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||