Total: 28666 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-43024 | 1 Rws | 1 Multitrans | 2024-09-29 | N/A | 6.1 MEDIUM | Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2021-27915 | 1 Acquia | 1 Mautic | 2024-09-29 | N/A | 9.0 CRITICAL | Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged-in user of Mautic with the appropriate permissions. This could lead to the user having elevated access to the system.
CVE-2024-32034 | 1 Decidim | 1 Decidim | 2024-09-29 | N/A | 4.8 MEDIUM | Decidim is a free open-source participatory democracy, citizen participation and open government platform for cities and organizations. The admin panel is subject to a potential cross-site scripting (XSS) attack when an admin assigns a valuator to a proposal, or performs any other action that generates an admin activity log entry in which one of the resources contains a crafted XSS payload. This issue has been addressed in release versions 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages (e.g. `/admin/organization/edit`) to prevent this access.
CVE-2024-8054 | 1 Mm-breaking News Project | 1 Mm-breaking News | 2024-09-27 | N/A | 6.1 MEDIUM | The MM-Breaking News WordPress plugin through 0.7.9 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-8056 | 1 Mm-breaking News Project | 1 Mm-breaking News | 2024-09-27 | N/A | 6.1 MEDIUM | The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
CVE-2024-6493 | 1 Ninjateam | 1 Header Footer Custom Code | 2024-09-27 | N/A | 4.8 MEDIUM | The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-6617 | 1 Ninjateam | 1 Header Footer Custom Code | 2024-09-27 | N/A | 4.8 MEDIUM | The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-7133 | 1 Premio | 1 My Sticky Bar | 2024-09-27 | N/A | 4.8 MEDIUM | The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high-privilege role to perform Stored Cross-Site Scripting attacks.
CVE-2024-7860 | 1 Outtolunchproductions | 1 Simple Headline Rotator | 2024-09-27 | N/A | 6.1 MEDIUM | The Simple Headline Rotator WordPress plugin through 1.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-7861 | 1 Michalaugustyniak | 1 Misiek Paypal | 2024-09-27 | N/A | 6.1 MEDIUM | The Misiek Paypal WordPress plugin through 1.1.20090324 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2023-34637 | 1 Isarnet | 1 Isarflow | 2024-09-27 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in IsarNet AG IsarFlow v5.23 allows authenticated attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the dashboard title parameter in the IsarFlow Portal.
CVE-2023-39208 | 1 Zoom | 1 Zoom | 2024-09-27 | N/A | 7.5 HIGH | Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access.
CVE-2024-6850 | 1 Majeedraza | 1 Carousel Slider | 2024-09-27 | N/A | 4.8 MEDIUM | The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
CVE-2024-5170 | 1 Wp-master | 1 Logo Manager For Enamad | 2024-09-27 | N/A | 4.8 MEDIUM | The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape some of its widget settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-7818 | 1 Michalaugustyniak | 1 Misiek Photo Album | 2024-09-27 | N/A | 6.1 MEDIUM | The Misiek Photo Album WordPress plugin through 1.4.3 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-7822 | 1 Gwycon | 1 Quick Code | 2024-09-27 | N/A | 6.1 MEDIUM | The Quick Code WordPress plugin through 1.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-7629 | 1 Kirstyburgoine | 1 Responsive Video | 2024-09-27 | N/A | 5.4 MEDIUM | The Responsive Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's video settings function in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires responsive videos to be enabled for posts.
CVE-2024-8665 | 1 Yithemes | 1 Yith Custom Login | 2024-09-27 | N/A | 6.1 MEDIUM | The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-8543 | 1 Artembovkun | 1 Slider Comparison Image Before And After | 2024-09-27 | N/A | 5.4 MEDIUM | The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-47227 | 1 Iredmail | 1 Iredadmin | 2024-09-27 | N/A | 6.1 MEDIUM | iRedAdmin before 2.6 allows XSS, e.g., via order_name.