Total
28620 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-41708 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-10-17 | N/A | 5.4 MEDIUM |
| References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strict to avoid relative references. No publicly available exploits are known. | |||||
| CVE-2023-41703 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-10-17 | N/A | 6.1 MEDIUM |
| User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avoid potentially malicious content. No publicly available exploits are known. | |||||
| CVE-2023-28800 | 1 Zscaler | 1 Client Connector | 2024-10-17 | N/A | 6.1 MEDIUM |
| When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login. | |||||
| CVE-2024-1084 | 1 Github | 1 Enterprise Server | 2024-10-17 | N/A | 6.1 MEDIUM |
| Cross-site Scripting in the tag name pattern field in the tag protections UI in GitHub Enterprise Server allows a malicious website that requires user interaction and social engineering to make changes to a user account via CSP bypass with created CSRF tokens. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in all versions of 3.11.5, 3.10.7, 3.9.10, and 3.8.15. This vulnerability was reported via the GitHub Bug Bounty program. | |||||
| CVE-2024-23786 | 1 Sharp | 4 Jh-rv11, Jh-rv11 Firmware, Jh-rvb1 and 1 more | 2024-10-17 | N/A | 9.3 CRITICAL |
| Cross-site scripting vulnerability in Energy Management Controller with Cloud Services JH-RVB1 /JH-RV11 Ver.B0.1.9.1 and earlier allows a network-adjacent unauthenticated attacker to execute an arbitrary script on the web browser of the user who is accessing the management page of the affected product. | |||||
| CVE-2024-9807 | 1 Classroombookings | 1 Classroombookings | 2024-10-17 | 3.3 LOW | 4.8 MEDIUM |
| A vulnerability was found in Craig Rodway Classroombookings 2.8.7 and classified as problematic. This issue affects some unknown processing of the file /sessions of the component Session Page. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.8.8 is able to address this issue. It is recommended to upgrade the affected component. The project maintainer was contacted early about the disclosure. He responded very quickly, friendly, and professional. | |||||
| CVE-2024-9806 | 1 Classroombookings | 1 Classroombookings | 2024-10-17 | 4.0 MEDIUM | 4.8 MEDIUM |
| A vulnerability has been found in Craig Rodway Classroombookings up to 2.8.6 and classified as problematic. This vulnerability affects unknown code of the file /rooms/fields of the component Room Page. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.8.7 is able to address this issue. It is recommended to upgrade the affected component. The project maintainer was contacted early about the disclosure. He responded very quickly, friendly, and professional. | |||||
| CVE-2023-48432 | 1 Zimbra | 1 Collaboration | 2024-10-17 | N/A | 6.1 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15, 9.0, and 10.0. XSS, with resultant session stealing, can occur via JavaScript code in a link (for a webmail redirection endpoint) within en email message, e.g., if a victim clicks on that link within Zimbra webmail. | |||||
| CVE-2023-50808 | 1 Zimbra | 1 Collaboration | 2024-10-17 | N/A | 6.1 MEDIUM |
| Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI. | |||||
| CVE-2024-9799 | 1 Rems | 1 Profile Registration Without Reload\/refresh | 2024-10-17 | 4.0 MEDIUM | 6.1 MEDIUM |
| A vulnerability has been found in SourceCodester Profile Registration without Reload Refresh 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file add.php. The manipulation of the argument email_address/address/company_name/job_title/jobDescriptionparameter leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-45060 | 1 Phpoffice | 1 Phpspreadsheet | 2024-10-17 | N/A | 6.1 MEDIUM |
| PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. One of the sample scripts in PhpSpreadsheet is susceptible to a cross-site scripting (XSS) vulnerability due to improper handling of input where a number is expected leading to formula injection. The code in in `45_Quadratic_equation_solver.php` concatenates the user supplied parameters directly into spreadsheet formulas. This allows an attacker to take control over the formula and output unsanitized data into the page, resulting in JavaScript execution. This issue has been addressed in release versions 1.29.2, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2018-8910 | 1 Synology | 1 Drive Server | 2024-10-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Attachment Preview in Synology Drive before 1.0.1-10253 allows remote authenticated users to inject arbitrary web script or HTML via malicious attachments. | |||||
| CVE-2018-8921 | 1 Synology | 1 Drive Server | 2024-10-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in File Sharing Notify Toast in Synology Drive before 1.0.2-10275 allows remote authenticated users to inject arbitrary web script or HTML via the malicious file name. | |||||
| CVE-2024-27136 | 1 Apache | 1 Jspwiki | 2024-10-17 | N/A | 6.1 MEDIUM |
| XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. | |||||
| CVE-2024-9548 | 1 Wp-slimstat | 1 Slimstat Analytics | 2024-10-17 | N/A | 6.1 MEDIUM |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the resource parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping when logging visitor requests. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-45740 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-17 | N/A | 5.4 MEDIUM |
| In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through Scheduled Views that could result in execution of unauthorized JavaScript code in the browser of a user. | |||||
| CVE-2024-45741 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-10-17 | N/A | 5.4 MEDIUM |
| In Splunk Enterprise versions below 9.2.3 and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.205, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a malicious payload through a custom configuration file that the "api.uri" parameter from the "/manager/search/apps/local" endpoint in Splunk Web calls. This could result in execution of unauthorized JavaScript code in the browser of a user. | |||||
| CVE-2020-28129 | 1 Adrianmercurio | 1 Gym Management System | 2024-10-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'. | |||||
| CVE-2024-9906 | 1 Oretnom23 | 1 Online Eyewear Shop | 2024-10-16 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Eyewear Shop 1.0. Affected is an unknown function of the file /admin/?page=inventory/view_inventory&id=2. The manipulation of the argument Code leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-43481 | 1 Microsoft | 1 Power Bi Report Server | 2024-10-16 | N/A | 8.8 HIGH |
| Power BI Report Server Spoofing Vulnerability | |||||