Total: 37750 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-23519 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails Html Sanitizers | 2025-02-13 | N/A | 7.2 HIGH |
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements, or allow both "svg" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is fixed in version 1.4.4. All users overriding the allowed tags to include "math" or "svg" and "style" should either upgrade or use the following workaround immediately: remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags. | |||||
CVE-2020-22533 | 1 Easycorp | 1 Zentao | 2025-02-13 | N/A | 6.1 MEDIUM |
Cross Site Scripting vulnerability found in Zentao allows a remote attacker to execute arbitrary code via the lang parameter | |||||
CVE-2020-21487 | 1 Netgate | 2 Pfsense, Pfsense Acme Package | 2025-02-13 | N/A | 9.6 CRITICAL |
Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php. | |||||
CVE-2020-19277 | 1 Mm-wiki Project | 1 Mm-wiki | 2025-02-13 | N/A | 5.4 MEDIUM |
Cross Site Scripting vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via javascript code in the markdown editor. | |||||
CVE-2024-26143 | 1 Rubyonrails | 1 Rails | 2025-02-13 | N/A | 6.1 MEDIUM |
Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1. | |||||
CVE-2024-27103 | 1 Pinterest | 1 Querybook | 2025-02-13 | N/A | 6.1 MEDIUM |
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML, which means that if the highlighted result contains an XSS payload it will trigger. The input to dangerouslySetInnerHTML is not sanitized for the data inside of queries, which leads to an XSS vulnerability. During "query auto-suggestion" the names of the suggested tables are set with innerHTML, which also leads to XSS. A patch to rectify this issue has been introduced in Querybook version 3.31.2. | |||||
CVE-2024-29137 | 1 Themefic | 1 Tourfic | 2025-02-13 | N/A | 7.1 HIGH |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic allows Reflected XSS. This issue affects Tourfic: from n/a through 2.11.7. | |||||
CVE-2024-13830 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-02-13 | N/A | 6.1 MEDIUM |
Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | |||||
CVE-2024-2738 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2025-02-13 | N/A | 6.1 MEDIUM |
The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 's' parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2024-0604 | 1 Fooplugins | 1 Foogallery | 2025-02-13 | N/A | 4.4 MEDIUM |
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
CVE-2024-1447 | 1 Athemes | 1 Sydney Toolbox | 2025-02-13 | N/A | 6.4 MEDIUM |
The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aThemes Slider button element in all versions up to, and including, 1.25 due to insufficient input sanitization and output escaping on user supplied link. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-1697 | 1 Themelocation | 1 Custom Woocommerce Checkout Fields Editor | 2025-02-13 | N/A | 6.4 MEDIUM |
The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-2202 | 1 Siteorigin | 1 Page Builder | 2025-02-13 | N/A | 6.4 MEDIUM |
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image widget in all versions up to, and including, 2.29.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-1049 | 1 Godaddy | 1 Coblocks | 2025-02-13 | N/A | 6.4 MEDIUM |
The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Widget in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping on the link value. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2024-2936 | 1 Athemes | 1 Sydney Toolbox | 2025-02-13 | N/A | 6.4 MEDIUM |
The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute of widgets in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2023-26777 | 1 Uptime Kuma Project | 1 Uptime Kuma | 2025-02-13 | N/A | 6.1 MEDIUM |
Cross Site Scripting vulnerability found in louislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameters of the status_page.js endpoint. | |||||
CVE-2023-26776 | 1 Monitorr | 1 Monitorr | 2025-02-13 | N/A | 6.1 MEDIUM |
Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file. | |||||
CVE-2023-26750 | 1 Yiiframework | 1 Yii | 2025-02-13 | N/A | 9.8 CRITICAL |
** DISPUTED ** SQL injection vulnerability found in Yii Framework Yii 2 Framework before v.2.0.47 allows a remote attacker to execute arbitrary code via the runAction function. NOTE: the software maintainer's position is that the vulnerability is in third-party code, not in the framework. | |||||
CVE-2023-0835 | 1 Markdown-pdf Project | 1 Markdown-pdf | 2025-02-13 | N/A | 8.2 HIGH |
markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. | |||||
CVE-2023-0738 | 1 Orangescrum | 1 Orangescrum | 2025-02-13 | N/A | 6.1 MEDIUM |
OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. |
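The CVE-2022-23519 entry above only affects applications that override rails-html-sanitizer's allowed tags so that "style" is allowed alongside "math" or "svg", and its workaround is to drop one side of that pair. The following Ruby script is an added example, not code from rails-html-sanitizer or Rails: it audits such an override for the offending combination and applies the advisory's workaround. The tag lists are constructed samples, not the gem's real defaults; the initializer and view snippets in the comments show the two places (`Rails::Html::SafeListSanitizer.allowed_tags=` and the `sanitize` helper's `tags:` option) where an application typically overrides the allow-list.

```ruby
# Added example for CVE-2022-23519 (not code from rails-html-sanitizer or Rails).
# Audits an overridden sanitizer allow-list for the vulnerable combination
# ("style" together with "math" or "svg") and applies the advisory's workaround.
require 'set'

# Foreign-content elements that must not be allowed together with "style".
FOREIGN_CONTENT_TAGS = %w[math svg].freeze

# Returns the foreign-content tags that are allowed alongside "style"
# (empty array if the override is not affected). Tag names are
# compared case-insensitively.
def unsafe_tag_override(allowed_tags)
  tags = allowed_tags.map { |t| t.to_s.downcase }.to_set
  return [] unless tags.include?('style')

  FOREIGN_CONTENT_TAGS.select { |t| tags.include?(t) }
end

def unsafe_tag_override?(allowed_tags)
  !unsafe_tag_override(allowed_tags).empty?
end

# Applies the advisory's workaround and returns a new allow-list:
#   keep: :style           -> remove "math" and "svg"
#   keep: :foreign_content -> remove "style"
def apply_workaround(allowed_tags, keep: :style)
  drop = keep == :style ? FOREIGN_CONTENT_TAGS : ['style']
  allowed_tags.reject { |t| drop.include?(t.to_s.downcase) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed override, as an app might write it in
  # config/initializers/sanitizer.rb:
  #   Rails::Html::SafeListSanitizer.allowed_tags = Set.new(%w[p a b i svg style])
  # or per call in a view:
  #   <%= sanitize(@body, tags: %w[p a b i svg style]) %>
  risky = %w[p a b i svg style]
  offenders = unsafe_tag_override(risky)
  puts "override allows style together with: #{offenders.join(', ')}" unless offenders.empty?
  puts "workaround (keep style): #{apply_workaround(risky).inspect}"
  puts "workaround (keep svg/math): #{apply_workaround(risky, keep: :foreign_content).inspect}"
end
```

The audit is only a stop-gap: the advisory's real fix is upgrading to rails-html-sanitizer 1.4.4 or later, after which the override can stay as it was.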
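The Querybook (CVE-2024-27103) and OrangeScrum (CVE-2023-0738) entries above share one root cause: untrusted text is turned into HTML (a search hit wrapped in highlight markup, or a reflected parameter served as text/html) without being escaped first. The Ruby functions below are an added example, not Querybook's or OrangeScrum's code, written in Ruby to stay in one language with the sanitizer example; they contrast the unsafe ordering (add markup, never escape) with the safe one (escape every piece of untrusted text, then wrap only the matched pieces in a trusted `<mark>` element). The sample search result containing an `<img onerror>` payload is constructed for the demonstration.

```ruby
# Added example (not code from Querybook or OrangeScrum): escape-then-highlight.
require 'erb'

# Vulnerable ordering: highlight markup is spliced into the raw text and the
# result is handed to innerHTML/dangerouslySetInnerHTML unescaped, so any
# HTML inside the search hit is rendered as markup.
def highlight_unsafe(text, term)
  text.gsub(/(#{Regexp.escape(term)})/i, '<mark>\1</mark>')
end

# Safe ordering: split on the term (the capture group keeps the matches in the
# result), HTML-escape every piece, and wrap only the matching pieces in the
# trusted <mark> element. Untrusted characters can never form a tag.
def highlight_safe(text, term)
  return ERB::Util.html_escape(text) if term.to_s.empty?

  pattern = /(#{Regexp.escape(term)})/i
  text.split(pattern).map do |piece|
    escaped = ERB::Util.html_escape(piece)
    piece.casecmp?(term) ? "<mark>#{escaped}</mark>" : escaped
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed search hit carrying an XSS payload.
  hit  = 'select <img src=x onerror=alert(1)> from audit_log'
  term = 'select'
  puts "unsafe: #{highlight_unsafe(hit, term)}"
  puts "safe:   #{highlight_safe(hit, term)}"
end
```

In a React component the same idea is expressed without any HTML string at all: return an array of plain strings and `<mark>` elements and let the framework escape the strings, so neither innerHTML nor dangerouslySetInnerHTML is needed. For the OrangeScrum case, the equivalent is applying the escape to the reflected value (or serving the response as a non-HTML content type) before it reaches the page.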