Vulnerabilities (CVE)

Filtered by CWE-79
Total 28595 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-45746 1 Sixapart 1 Movable Type 2024-10-29 N/A 5.4 MEDIUM
Cross-site scripting vulnerability in Movable Type series allows a remote authenticated attacker to inject an arbitrary script. Affected products/versions are as follows: Movable Type 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Advanced 7 r.5405 and earlier (Movable Type 7 Series), Movable Type Premium 1.58 and earlier, Movable Type Premium Advanced 1.58 and earlier, Movable Type Cloud Edition (Version 7) r.5405 and earlier, and Movable Type Premium Cloud Edition 1.58 and earlier.
CVE-2024-3987 1 Freshlightlab 1 Wp Mobile Menu 2024-10-29 N/A 5.4 MEDIUM
The WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt text in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-10276 2024-10-29 4.0 MEDIUM 3.5 LOW
A vulnerability has been found in Telestream Sentry 6.0.9 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /?page=reports of the component Reports Page. The manipulation of the argument z leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-5612 1 Wpdeveloper 1 Essential Addons For Elementor 2024-10-29 N/A 5.4 MEDIUM
The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_lightbox_open_btn_icon’ parameter within the Lightbox & Modal widget in all versions up to, and including, 5.8.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3288 1 Logichunt 1 Logo Slider 2024-10-29 N/A 5.4 MEDIUM
The Logo Slider WordPress plugin before 4.0.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2024-2402 2024-10-29 N/A 5.4 MEDIUM
The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-50575 1 Jetbrains 1 Youtrack 2024-10-29 N/A 6.1 MEDIUM
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
CVE-2024-50576 1 Jetbrains 1 Youtrack 2024-10-29 N/A 5.4 MEDIUM
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest
CVE-2024-50577 1 Jetbrains 1 Youtrack 2024-10-29 N/A 5.4 MEDIUM
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
CVE-2024-50578 1 Jetbrains 1 Youtrack 2024-10-29 N/A 5.4 MEDIUM
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
CVE-2024-50579 1 Jetbrains 1 Youtrack 2024-10-29 N/A 6.1 MEDIUM
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
CVE-2024-50580 1 Jetbrains 1 Youtrack 2024-10-29 N/A 5.4 MEDIUM
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
CVE-2024-50581 1 Jetbrains 1 Youtrack 2024-10-29 N/A 5.4 MEDIUM
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag
CVE-2024-50582 1 Jetbrains 1 Youtrack 2024-10-29 N/A 5.4 MEDIUM
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
CVE-2024-49288 1 Villatheme 1 Woocommerce Email Template Customizer 2024-10-29 N/A 4.8 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce allows Stored XSS.This issue affects Email Template Customizer for WooCommerce: from n/a through 1.2.5.
CVE-2024-10014 1 Tiandiyoyo 1 Flat Ui Button 2024-10-29 N/A 5.4 MEDIUM
The Flat UI Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's flatbtn shortcode in version 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2022-46088 2024-10-29 N/A 6.1 MEDIUM
Online Flight Booking Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the feedback form.
CVE-2022-36801 1 Atlassian 2 Jira Data Center, Jira Server 2024-10-29 N/A 6.1 MEDIUM
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to inject arbitrary HTML or JavaScript via a Reflected Cross-Site Scripting (RXSS) vulnerability in the TeamManagement.jspa endpoint. The affected versions are before version 8.20.8.
CVE-2024-47068 1 Rollupjs 1 Rollup 2024-10-29 N/A 6.1 MEDIUM
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability.
CVE-2024-9589 1 Aftabhusain 1 Category And Taxonomy Meta Fields 2024-10-29 N/A 4.8 MEDIUM
The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_meta_name' parameter in the 'wpaft_option_page' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.