Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-49641 | 1 Tidaweb | 1 Tida Url Screenshot | 2024-10-31 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Tidaweb Tida URL Screenshot allows Reflected XSS.This issue affects Tida URL Screenshot: from n/a through 1.0.
|
|||||
| CVE-2024-49639 | 1 Edwardstoever | 1 Monitor.chat | 2024-10-31 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Edward Stoever Monitor.Chat allows Reflected XSS.This issue affects Monitor.Chat: from n/a through 1.1.1.
|
|||||
| CVE-2024-49638 | 1 Aliazlan | 1 Risk Warning Bar | 2024-10-31 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ali Azlan Risk Warning Bar allows Reflected XSS.This issue affects Risk Warning Bar: from n/a through 1.0.
|
|||||
| CVE-2024-49635 | 1 Manzurulhaque | 1 Banner Slider | 2024-10-31 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Manzurul Haque Banner Slider allows Reflected XSS.This issue affects Banner Slider: from n/a through 2.1.
|
|||||
| CVE-2024-49637 | 1 Foxskav | 1 Bet Wc 2018 Russia | 2024-10-31 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Foxskav Bet WC 2018 Russia allows Reflected XSS.This issue affects Bet WC 2018 Russia: from n/a through 2.1.
|
|||||
| CVE-2024-49636 | 1 Prashantmavinkurve | 1 Agile Video Player Lite | 2024-10-31 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Prashant Mavinkurve Agile Video Player Lite allows Reflected XSS.This issue affects Agile Video Player Lite: from n/a through 1.0.
|
|||||
| CVE-2024-20460 | 1 Cisco | 4 Ata 191, Ata 191 Firmware, Ata 192 and 1 more | 2024-10-31 | N/A | 6.1 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco ATA 190 Series Analog Telephone Adapter firmware could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user.
This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the ...
Show More |
|||||
| CVE-2024-43795 | 1 Openc3 | 1 Cosmos | 2024-10-31 | N/A | 6.1 MEDIUM |
|
OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. The login functionality contains a reflected cross-site scripting (XSS) vulnerability. This vulnerability is fixed in 5.19.0. Note: This CVE only affects Open Source Edition, and not OpenC3 COSMOS Enterprise Edition.
|
|||||
| CVE-2024-50501 | 1 Climaxthemes | 1 Kata Plus | 2024-10-31 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Climax Themes Kata Plus allows Stored XSS.This issue affects Kata Plus: from n/a through 1.4.7.
|
|||||
| CVE-2024-50502 | 1 Cozythemes | 1 Cozy Blocks | 2024-10-31 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CozyThemes Cozy Blocks allows Stored XSS.This issue affects Cozy Blocks: from n/a through 2.0.18.
|
|||||
| CVE-2024-50472 | 1 Amilia | 1 Store | 2024-10-31 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Martin Drapeau Amilia Store allows Stored XSS.This issue affects Amilia Store: from n/a through 2.9.8.
|
|||||
| CVE-2024-50471 | 1 Checklist | 1 Trip Plan | 2024-10-31 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Checklist Trip Plan allows Stored XSS.This issue affects Trip Plan: from n/a through 1.0.10.
|
|||||
| CVE-2024-50470 | 1 Themes4wp | 1 Youtube External Subtitles | 2024-10-31 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themes4WP Themes4WP YouTube External Subtitles allows Stored XSS.This issue affects Themes4WP YouTube External Subtitles: from n/a through 1.0.
|
|||||
| CVE-2024-10374 | 1 Butlerblog | 1 Wp-members | 2024-10-31 | N/A | 5.4 MEDIUM |
|
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-45715 | 1 Solarwinds | 1 Solarwinds Platform | 2024-10-30 | N/A | 6.1 MEDIUM |
|
The SolarWinds Platform was susceptible to a Cross-Site Scripting vulnerability when performing an edit function to existing elements.
|
|||||
| CVE-2021-4452 | 1 Gtranslate | 1 Google Language Translator | 2024-10-30 | N/A | 5.4 MEDIUM |
|
The Google Language Translator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in versions up to, and including, 6.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Specifically affects users with older browsers that lack proper URL encoding su ...
Show More |
|||||
| CVE-2017-20193 | 1 Woo | 1 Product Vendors | 2024-10-30 | N/A | 6.1 MEDIUM |
|
The Product Vendors is vulnerable to Reflected Cross-Site Scripting via the 'vendor_description' parameter in versions up to, and including, 2.0.35 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-46538 | 1 Netgate | 1 Pfsense | 2024-10-30 | N/A | 4.8 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.
|
|||||
| CVE-2024-48396 | 2024-10-30 | N/A | 6.1 MEDIUM | ||
|
AIML Chatbot 1.0 (fixed in 2.0) is vulnerable to Cross Site Scripting (XSS). The vulnerability is exploited through the message input field, where attackers can inject malicious HTML or JavaScript code. The chatbot fails to sanitize these inputs, leading to the execution of malicious scripts.
|
|||||
| CVE-2024-42550 | 2024-10-30 | N/A | 5.4 MEDIUM | ||
|
A cross-site scripting (XSS) vulnerability in the component /email/welcome.php of Mini Inventory and Sales Management System commit 18aa3d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
|
|||||
| CVE-2024-45714 | 1 Solarwinds | 1 Serv-u | 2024-10-30 | N/A | 4.1 MEDIUM |
|
Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload.
|
|||||
| CVE-2024-49268 | 1 Sunburntkamel | 1 Disconnected | 2024-10-30 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in sunburntkamel disconnected allows Reflected XSS.This issue affects disconnected: from n/a through 1.3.0.
|
|||||
| CVE-2024-49265 | 1 Booking | 1 Banner Creator | 2024-10-30 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Partnerships at Booking.Com Booking.Com Banner Creator allows Stored XSS.This issue affects Booking.Com Banner Creator: from n/a through 1.4.6.
|
|||||
| CVE-2024-49211 | 1 Archerirm | 1 Archer | 2024-10-30 | N/A | 6.1 MEDIUM |
|
Reflected XSS was discovered in a Dashboard Listing Archer Platform UX page in Archer Platform 6.x before version 2024.08. A remote unauthenticated attacker could potentially exploit this by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and executed by the web browser in the context of the vulnerable web application.
|
|||||
| CVE-2024-49210 | 1 Archerirm | 1 Archer | 2024-10-30 | N/A | 6.1 MEDIUM |
|
Reflected XSS was discovered in an iView List Archer Platform UX page in Archer Platform 6.x before version 2024.09. A remote unauthenticated attacker could potentially exploit this by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and executed by the web browser in the context of the vulnerable web application.
|
|||||
| CVE-2024-9231 | 1 Butlerblog | 1 Wp-members | 2024-10-30 | N/A | 6.1 MEDIUM |
|
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-10433 | 1 Projectworlds | 1 Simple Web-based Chat Application | 2024-10-30 | 4.0 MEDIUM | 6.1 MEDIUM |
|
A vulnerability was found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument Name/Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions different parameters to be affected which do not correlate with the screenshots of a successf ...
Show More |
|||||
| CVE-2024-47063 | 1 Cvat | 1 Computer Vision Annotation Tool | 2024-10-30 | N/A | 6.1 MEDIUM |
|
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If a malicious CVAT user with permissions to either create a task, or edit an existing task can trick another logged-in user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue.
|
|||||
| CVE-2024-47064 | 1 Cvat | 1 Computer Vision Annotation Tool | 2024-10-30 | N/A | 6.1 MEDIUM |
|
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue.
|
|||||
| CVE-2024-47878 | 1 Openrefine | 1 Openrefine | 2024-10-30 | N/A | 6.1 MEDIUM |
|
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue.
|
|||||
| CVE-2024-47880 | 1 Openrefine | 1 Openrefine | 2024-10-30 | N/A | 6.9 MEDIUM |
|
OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in ...
Show More |
|||||
| CVE-2022-4971 | 1 Heateor | 1 Sassy Social Share | 2024-10-30 | N/A | 6.1 MEDIUM |
|
The Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'urls' parameter called via the 'heateor_sss_sharing_count' AJAX action in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2022-4973 | 1 Wordpress | 1 Wordpress | 2024-10-30 | N/A | 5.4 MEDIUM |
|
WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page.
|
|||||
| CVE-2024-48119 | 1 Vtiger | 1 Vtiger Crm | 2024-10-30 | N/A | 5.4 MEDIUM |
|
Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML.
|
|||||
| CVE-2024-10348 | 1 Mayurik | 1 Best House Rental Management System | 2024-10-30 | 4.0 MEDIUM | 5.4 MEDIUM |
|
A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only shows the field "Last Name" ...
Show More |
|||||
| CVE-2024-48448 | 2024-10-29 | N/A | 6.1 MEDIUM | ||
|
An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page.
|
|||||
| CVE-2024-41519 | 1 Mecodia | 1 Feripro | 2024-10-29 | N/A | 5.4 MEDIUM |
|
Feripro <= v2.2.3 is vulnerable to Cross Site Scripting (XSS) via "/admin/programm/<program_id>/zuordnung/veranstaltungen/<event_id>" through the "school" input field.
|
|||||
| CVE-2024-48120 | 1 X2engine | 1 X2crm | 2024-10-29 | N/A | 5.4 MEDIUM |
|
X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
|
|||||
| CVE-2024-10414 | 1 Phpgurukul | 1 Vehicle Record System | 2024-10-29 | 3.3 LOW | 4.8 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in PHPGurukul Vehicle Record System 1.0. This affects an unknown part of the file /admin/edit-brand.php. The manipulation of the argument Brand Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions the parameter "phone_number" to be affected. But this might be a mistake because the textbox field label ...
Show More |
|||||
| CVE-2024-10412 | 1 Poco-z | 1 Guns-medial | 2024-10-29 | 4.0 MEDIUM | 5.4 MEDIUM |
|
A vulnerability was found in Poco-z Guns-Medical 1.0. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /mgr/upload of the component File Upload. The manipulation of the argument picture leads to cross site scripting. The attack can be launched remotely.
|
|||||