Total
134 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-39161 | 2024-06-04 | N/A | 5.4 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WP Discussion Board Discussion Board allows Content Spoofing, Cross-Site Scripting (XSS).This issue affects Discussion Board: from n/a through 2.4.8. | |||||
CVE-2023-47663 | 2024-06-04 | N/A | 4.6 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Menno Luitjes Foyer allows Code Injection.This issue affects Foyer: from n/a through 1.7.5. | |||||
CVE-2023-45053 | 2024-06-04 | N/A | 4.3 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in pluginever WP Content Pilot – Autoblogging & Affiliate Marketing Plugin allows Code Injection.This issue affects WP Content Pilot – Autoblogging & Affiliate Marketing Plugin: from n/a through 1.3.3. | |||||
CVE-2023-40557 | 2024-06-04 | N/A | 5.4 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in PickPlugins Tabs & Accordion allows Code Injection.This issue affects Tabs & Accordion: from n/a through 1.3.10. | |||||
CVE-2023-48285 | 2024-06-04 | N/A | 5.3 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79. | |||||
CVE-2024-35224 | 2024-05-24 | N/A | 7.6 HIGH | ||
OpenProject is the leading open source project management software. OpenProject utilizes `tablesorter` inside of the Cost Report feature. This dependency, when misconfigured, can lead to Stored XSS via `{icon}` substitution in table header values. This attack requires the permissions "Edit work packages" as well as "Add attachments". A project admin could attempt to escalate their privileges by sending this XSS to a System Admin. Otherwise, if a full System Admin is required, then this attack is significantly less impactful. By utilizing a ticket's attachment, you can store javascript in the application itself and bypass the application's CSP policy to achieve Stored XSS. This vulnerability has been patched in version(s) 14.1.0, 14.0.2 and 13.4.2. | |||||
CVE-2024-24874 | 2024-05-17 | N/A | 5.3 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CodePeople CP Polls allows Code Injection.This issue affects CP Polls: from n/a through 1.0.71. | |||||
CVE-2024-23522 | 2024-05-17 | N/A | 5.3 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Form Builder Team Formidable Forms allows Code Injection.This issue affects Formidable Forms: from n/a through 6.7. | |||||
CVE-2024-32790 | 2024-05-17 | N/A | 4.3 MEDIUM | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Supsystic Pricing Table by Supsystic allows Code Injection.This issue affects Pricing Table by Supsystic: from n/a through 1.9.12. | |||||
CVE-2024-4214 | 2024-05-17 | N/A | 2.7 LOW | ||
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Bill Minozzi Car Dealer allows Code Injection.This issue affects Car Dealer: from n/a through 4.15. | |||||
CVE-2024-0183 | 2024-05-17 | 3.3 LOW | 4.8 MEDIUM | ||
A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249441 was assigned to this vulnerability. | |||||
CVE-2023-5582 | 1 Zzzcms | 1 Zzzcms | 2024-05-17 | 4.0 MEDIUM | 5.4 MEDIUM |
A vulnerability, which was classified as problematic, has been found in ZZZCMS 2.2.0. This issue affects some unknown processing of the component Personal Profile Page. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-242147. | |||||
CVE-2023-3017 | 1 Lost And Found Information System Project | 1 Lost And Found Information System | 2024-05-17 | 3.3 LOW | 5.4 MEDIUM |
A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been classified as problematic. This affects an unknown part of the file admin/?page=user/manage_user of the component Manage User Page. The manipulation of the argument First Name/Middle Name/Last Name leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230361 was assigned to this vulnerability. | |||||
CVE-2023-2981 | 1 Abstrium | 1 Pydio Cells | 2024-05-17 | 4.0 MEDIUM | 5.4 MEDIUM |
A vulnerability, which was classified as problematic, has been found in Abstrium Pydio Cells 4.2.0. This issue affects some unknown processing of the component Chat. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-230213 was assigned to this vulnerability. | |||||
CVE-2022-3844 | 1 Webmin | 1 Webmin | 2024-05-17 | 4.0 MEDIUM | 6.1 MEDIUM |
A vulnerability, which was classified as problematic, was found in Webmin 2.001. Affected is an unknown function of the file xterm/index.cgi. The manipulation leads to basic cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.003 is able to address this issue. The name of the patch is d3d33af3c0c3fd3a889c84e287a038b7a457d811. It is recommended to upgrade the affected component. VDB-212862 is the identifier assigned to this vulnerability. | |||||
CVE-2018-25034 | 1 Technicolor | 2 Thomson Tcw710, Thomson Tcw710 Firmware | 2024-05-17 | 3.5 LOW | 5.4 MEDIUM |
A vulnerability, which was classified as problematic, has been found in Thomson TCW710 ST5D.10.05. This issue affects some unknown processing of the file /goform/wlanPrimaryNetwork. The manipulation of the argument ServiceSetIdentifier with the input ><script>alert(1)</script> as part of POST Request leads to basic cross site scripting (Persistent). The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-126695. | |||||
CVE-2024-34070 | 2024-05-14 | N/A | 9.6 CRITICAL | ||
Froxlor is open source server administration software. Prior to 2.1.9, a Stored Blind Cross-Site Scripting (XSS) vulnerability was identified in the Failed Login Attempts Logging Feature of the Froxlor Application. An unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. By exploiting this vulnerability, the attacker can perform various malicious actions such as forcing the Administrator to execute actions without their knowledge or consent. For instance, the attacker can force the Administrator to add a new administrator controlled by the attacker, thereby giving the attacker full control over the application. This vulnerability is fixed in 2.1.9. | |||||
CVE-2024-34699 | 2024-05-14 | N/A | 6.5 MEDIUM | ||
GZ::CTF is a capture the flag platform. Prior to 0.20.1, unprivileged user can perform cross-site scripting attacks on other users by constructing malicious team names. This problem has been fixed in `v0.20.1`. | |||||
CVE-2024-27306 | 2024-05-02 | N/A | 6.1 MEDIUM | ||
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. | |||||
CVE-2024-32966 | 2024-05-01 | N/A | 5.8 MEDIUM | ||
Static Web Server (SWS) is a tiny and fast production-ready web server suitable to serve static web files or assets. In affected versions if directory listings are enabled for a directory that an untrusted user has upload privileges for, a malicious file name like `<img src=x onerror=alert(1)>.txt` will allow JavaScript code execution in the context of the web server’s domain. SWS generally does not perform escaping of HTML entities on any values inserted in the directory listing. At the very least `file_name` and `current_path` could contain malicious data however. `file_uri` could also be malicious but the relevant scenarios seem to be all caught by hyper. For any web server that allow users to upload files or create directories under a name of their choosing this becomes a stored Cross-site Scripting vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability. |