Total
28666 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8872 | 1 Bizswoop | 1 Store Hours For Woocommerce | 2024-10-01 | N/A | 6.1 MEDIUM |
| The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8861 | 1 Metagauss | 1 Profilegrid | 2024-10-01 | N/A | 5.4 MEDIUM |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.9.3.2 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9299 | 1 Oretnom23 | 1 Railway Reservation System | 2024-10-01 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability classified as problematic has been found in SourceCodester Online Railway Reservation System 1.0. This affects an unknown part of the file /?page=reserve. The manipulation of the argument First Name/Middle Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9300 | 1 Oretnom23 | 1 Railway Reservation System | 2024-10-01 | 5.0 MEDIUM | 6.1 MEDIUM |
| A vulnerability classified as problematic was found in SourceCodester Online Railway Reservation System 1.0. This vulnerability affects unknown code of the file contact_us.php of the component Message Us Form. The manipulation of the argument fullname/email/message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9320 | 1 Rems | 1 Online Timesheet App | 2024-10-01 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability has been found in SourceCodester Online Timesheet App 1.0 and classified as problematic. This vulnerability affects unknown code of the file /endpoint/add-timesheet.php of the component Add Timesheet Form. The manipulation of the argument day/task leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9323 | 1 Mayurik | 1 Free And Open Source Inventory Management System | 2024-10-01 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in SourceCodester Inventory Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /app/action/add_staff.php. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2023-4564 | 1 Capensis | 1 Canopsis | 2024-10-01 | N/A | 4.8 MEDIUM |
| This vulnerability could allow an attacker to store a malicious JavaScript payload in the broadcast message parameter within the admin panel. | |||||
| CVE-2023-3196 | 1 Capensis | 1 Canopsis | 2024-10-01 | N/A | 4.8 MEDIUM |
| This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel. | |||||
| CVE-2024-41725 | 1 Doverfuelingsolutions | 4 Progauge Maglink Lx4 Console, Progauge Maglink Lx4 Console Firmware, Progauge Maglink Lx Console and 1 more | 2024-09-30 | N/A | 6.1 MEDIUM |
| ProGauge MAGLINK LX CONSOLE does not have sufficient filtering on input fields that are used to render pages which may allow cross site scripting. | |||||
| CVE-2024-43025 | 1 Rws | 1 Multitrans | 2024-09-30 | N/A | 6.1 MEDIUM |
| An HTML injection vulnerability in RWS MultiTrans v7.0.23324.2 and earlier allows attackers to alter the HTML-layout and possibly execute a phishing attack via a crafted payload injected into a sent e-mail. | |||||
| CVE-2024-8942 | 1 Scriptcase | 1 Scriptcase | 2024-09-30 | N/A | 8.2 HIGH |
| Vulnerability in Scriptcase version 9.4.019 that consists of a Cross-Site Scripting (XSS), due to the lack of input validation, affecting the “id_form_msg_title” parameter, among others. This vulnerability could allow a remote user to send a specially crafted URL to a victim and retrieve their credentials. | |||||
| CVE-2024-9148 | 1 Flowiseai | 2 Embed, Flowise | 2024-09-30 | N/A | 6.1 MEDIUM |
| Flowise < 2.1.1 suffers from a Stored Cross-Site vulnerability due to a lack of input sanitization in Flowise Chat Embed < 2.0.0. | |||||
| CVE-2023-3042 | 1 Dotcms | 1 Dotcms | 2024-09-30 | N/A | 6.1 MEDIUM |
| In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls. An example affected URL is https://demo.dotcms.com//html/portlet/ext/files/edit_text_inc.jsp , which should return a 404 response but didn't. The oversight in the default invalid URL character list can be viewed at the provided GitHub link https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/NormalizationFilter.java#L37 . To mitigate, users can block URLs with double slashes at firewalls or utilize dotCMS config variables. Specifically, they can use the DOT_URI_NORMALIZATION_FORBIDDEN_STRINGS environmental variable to add // to the list of invalid strings. Additionally, the DOT_URI_NORMALIZATION_FORBIDDEN_REGEX variable offers more detailed control, for instance, to block //html.* URLs. Fix Version:23.06+, LTS 22.03.7+, LTS 23.01.4+ | |||||
| CVE-2024-7398 | 1 Concretecms | 1 Concrete Cms | 2024-09-30 | N/A | 5.4 MEDIUM |
| Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N . Thank you, Yusuke Uchida for reporting. | |||||
| CVE-2024-8291 | 1 Concretecms | 1 Concrete Cms | 2024-09-30 | N/A | 4.8 MEDIUM |
| Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, Alexey Solovyev for reporting. | |||||
| CVE-2024-9075 | 1 Stirlingpdf | 1 Stirling Pdf | 2024-09-30 | 2.1 LOW | 5.4 MEDIUM |
| A vulnerability was found in Stirling-Tools Stirling-PDF up to 0.28.3. It has been declared as problematic. This vulnerability affects unknown code of the component Markdown-to-PDF. The manipulation leads to cross site scripting. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.29.0 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains that "this functionality was removed in 0.29.0 already" and "we plan to re-add at later date with issue resolved". | |||||
| CVE-2024-8919 | 1 Wpdeveloperr | 1 Confetti Fall Animation | 2024-09-30 | N/A | 5.4 MEDIUM |
| The Confetti Fall Animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'confetti-fall-animation' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8917 | 1 Anwp | 1 Football Leagues | 2024-09-30 | N/A | 5.4 MEDIUM |
| The AnWP Football Leagues plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.16.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-8103 | 1 Gcsdesign | 1 Wp Category Dropdown | 2024-09-30 | N/A | 5.4 MEDIUM |
| The WP Category Dropdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-31199 | 1 Proges | 2 Sensor Net Connect Firmware V2, Sensor Net Connect V2 | 2024-09-30 | N/A | 6.1 MEDIUM |
| A “CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')” allows malicious users to permanently inject arbitrary Javascript code. | |||||