Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-44047 | 1 Idxbroker | 1 Impress For Idx Broker | 2024-09-24 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in IDX Broker IMPress for IDX Broker allows Stored XSS.This issue affects IMPress for IDX Broker: from n/a through 3.2.2.
|
|||||
| CVE-2024-44049 | 1 Themehunk | 1 Gutenberg Blocks | 2024-09-24 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks – Unlimited blocks For Gutenberg allows Stored XSS.This issue affects Gutenberg Blocks – Unlimited blocks For Gutenberg: from n/a through 1.2.7.
|
|||||
| CVE-2024-44050 | 1 Cryoutcreations | 1 Verbosa | 2024-09-24 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Verbosa allows Stored XSS.This issue affects Verbosa: from n/a through 1.2.3.
|
|||||
| CVE-2024-44051 | 1 Vanderwijk | 1 Content Blocks | 2024-09-24 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Johan van der Wijk Content Blocks (Custom Post Widget) allows Stored XSS.This issue affects Content Blocks (Custom Post Widget): from n/a through 3.3.5.
|
|||||
| CVE-2024-45451 | 1 Cryoutcreations | 1 Roseta | 2024-09-24 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Roseta allows Stored XSS.This issue affects Roseta: from n/a through 1.3.0.
|
|||||
| CVE-2024-43985 | 1 Mage-people | 1 Bus Ticket Booking With Seat Reservation | 2024-09-24 | N/A | 4.8 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MagePeople Team Bus Ticket Booking with Seat Reservation allows Stored XSS.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through 5.3.5.
|
|||||
| CVE-2024-43977 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-09-24 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.6.2.
|
|||||
| CVE-2024-45399 | 1 Cern | 1 Indico | 2024-09-24 | N/A | 6.1 MEDIUM |
|
Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In Indico prior to version 3.3.4, corresponding to Flask-Multipass prior to version 0.5.5, there is a Cross-Site-Scripting vulnerability during account creation when redirecting to the `next` URL. Exploitation requires initiating the account creation process with a maliciously crafted link, and then finalizing the signup process. Because of this, it can only target newly created (and ...
Show More |
|||||
| CVE-2022-25774 | 1 Acquia | 1 Mautic | 2024-09-23 | N/A | 5.4 MEDIUM |
|
Prior to the patched version, logged in users of Mautic are vulnerable to a self XSS vulnerability in the notifications within Mautic.
Users could inject malicious code into the notification when saving Dashboards.
|
|||||
| CVE-2024-8660 | 1 Concretecms | 1 Concrete Cms | 2024-09-23 | N/A | 4.8 MEDIUM |
|
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a
stored XSS vulnerability in the "Top Navigator Bar" block.
Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6
with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4. ...
Show More |
|||||
| CVE-2024-8951 | 1 Oretnom23 | 1 Resort Reservation System | 2024-09-23 | 4.0 MEDIUM | 6.1 MEDIUM |
|
A vulnerability classified as problematic was found in SourceCodester Resort Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file manage_fee.php. The manipulation of the argument toview leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2024-8653 | 1 Netcat | 1 Netcat Content Management System | 2024-09-23 | N/A | 6.1 MEDIUM |
|
A vulnerability in NetCat CMS allows an attacker to execute JavaScript code in a user's browser when they visit specific paths on the site.
This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others.
Apply patch from vendor https://netcat.ru/ https://netcat.ru/] . Versions 6.4.0.24248 and on have the patch.
|
|||||
| CVE-2024-8652 | 1 Netcat | 1 Netcat Content Management System | 2024-09-23 | N/A | 6.1 MEDIUM |
|
A vulnerability in NetCat CMS allows an attacker to execute JavaScript code in a user's browser when they visit specific path on the site.
This issue affects NetCat CMS v. 6.4.0.24126.2 and possibly others.
Apply patch from vendor https://netcat.ru/ https://netcat.ru/] . Versions 6.4.0.24248 and on have the patch.
|
|||||
| CVE-2024-38221 | 1 Microsoft | 1 Edge Chromium | 2024-09-23 | N/A | 4.3 MEDIUM |
|
Microsoft Edge (Chromium-based) Spoofing Vulnerability
|
|||||
| CVE-2024-44056 | 1 Cryoutcreations | 1 Mantra | 2024-09-23 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Mantra allows Stored XSS.This issue affects Mantra: from n/a through 3.3.2.
|
|||||
| CVE-2024-44057 | 1 Cryoutcreations | 1 Nirvana | 2024-09-23 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Nirvana allows Stored XSS.This issue affects Nirvana: from n/a through 1.6.3.
|
|||||
| CVE-2024-44058 | 1 Cryoutcreations | 1 Parabola | 2024-09-23 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Parabola allows Stored XSS.This issue affects Parabola: from n/a through 2.4.1.
|
|||||
| CVE-2024-44054 | 1 Cryoutcreations | 1 Fluida | 2024-09-23 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Fluida allows Stored XSS.This issue affects Fluida: from n/a through 1.8.8.
|
|||||
| CVE-2024-45595 | 1 Man | 1 D-tale | 2024-09-20 | N/A | 9.8 CRITICAL |
|
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
|
|||||
| CVE-2024-45592 | 1 Damienharper | 1 Auditor-bundle | 2024-09-20 | N/A | 6.1 MEDIUM |
|
auditor-bundle, formerly known as DoctrineAuditBundle, integrates auditor library into any Symfony 3.4+ application. Prior to version 5.2.6, there is an unescaped entity property enabling Javascript injection. This is possible because `%source_label%` in twig macro is not escaped. Therefore script tags can be inserted and are executed. The vulnerability is fixed in versions 6.0.0 and 5.2.6.
|
|||||
| CVE-2024-43800 | 1 Openjsf | 1 Serve-static | 2024-09-20 | N/A | 4.7 MEDIUM |
|
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
|
|||||
| CVE-2024-8776 | 1 Intumit | 2 Smartrobot, Smartrobot Firmware | 2024-09-20 | N/A | 6.1 MEDIUM |
|
SmartRobot from INTUMIT does not properly validate a specific page parameter, allowing unautheticated remote attackers to inject JavaScript code to the parameter for Reflected Cross-site Scripting attacks.
|
|||||
| CVE-2024-43796 | 1 Openjsf | 1 Express | 2024-09-20 | N/A | 4.7 MEDIUM |
|
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
|
|||||
| CVE-2024-8863 | 1 Aimstack | 1 Aim | 2024-09-20 | 4.0 MEDIUM | 5.4 MEDIUM |
|
A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-8866 | 1 Autocms Project | 1 Autocms | 2024-09-20 | 5.0 MEDIUM | 6.1 MEDIUM |
|
A vulnerability was found in AutoCMS 5.4. It has been classified as problematic. This affects an unknown part of the file /admin/robot.php. The manipulation of the argument sidebar leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-50883 | 1 Onlyoffice | 1 Document Server | 2024-09-20 | N/A | 6.1 MEDIUM |
|
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.
|
|||||
| CVE-2024-46970 | 1 Jetbrains | 1 Intellij Idea | 2024-09-20 | N/A | 6.1 MEDIUM |
|
In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible
|
|||||
| CVE-2024-45800 | 2024-09-20 | N/A | 5.0 MEDIUM | ||
|
Snappymail is an open source web-based email client. SnappyMail uses the `cleanHtml()` function to cleanup HTML and CSS in emails. Research discovered that the function has a few bugs which cause an mXSS exploit. Because the function allowed too many (invalid) HTML elements, it was possible (with incorrect markup) to trick the browser to "fix" the broken markup into valid markup. As a result a motivated attacker may be able to inject javascript. However, due to the default Content Security Polic ...
Show More |
|||||
| CVE-2024-43938 | 2024-09-20 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jeroen Peters Name Directory allows Reflected XSS.This issue affects Name Directory: from n/a through 1.29.0.
|
|||||
| CVE-2024-7873 | 2024-09-20 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting (XSS), Exploit Script-Based APIs, XSS Through HTTP Headers.This issue affects Veribase Order: before v4.010.3.
|
|||||
| CVE-2024-45812 | 2024-09-20 | N/A | 6.4 MEDIUM | ||
|
Vite a frontend build tooling framework for javascript. Affected versions of vite were discovered to contain a DOM Clobbering vulnerability when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of no ...
Show More |
|||||
| CVE-2024-7737 | 2024-09-20 | N/A | 8.7 HIGH | ||
|
A stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.
|
|||||
| CVE-2024-7785 | 2024-09-20 | N/A | N/A | ||
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ece Software Electronic Ticket System allows Reflected XSS, Cross-Site Scripting (XSS).This issue affects Electronic Ticket System: before 2024.08.
|
|||||
| CVE-2024-38208 | 2 Google, Microsoft | 2 Android, Edge | 2024-09-19 | N/A | 6.1 MEDIUM |
|
Microsoft Edge for Android Spoofing Vulnerability
|
|||||
| CVE-2024-1384 | 1 Averta | 1 Auxinportfolio | 2024-09-19 | N/A | 5.4 MEDIUM |
|
The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-1056 | 1 Funnelkit | 1 Funnel Builder | 2024-09-19 | N/A | 5.4 MEDIUM |
|
The FunnelKit Funnel Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allow_iframe_tag_in_post' function which uses the 'wp_kses_allowed_html' filter to globally allow script and iframe tags in posts in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-45457 | 1 Spiffyplugins | 1 Spiffy Calendar | 2024-09-19 | N/A | 5.4 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Stored XSS.This issue affects Spiffy Calendar: from n/a through 4.9.13.
|
|||||
| CVE-2024-41959 | 1 Mailcow | 1 Mailcow\ | 2024-09-19 | N/A | 6.1 MEDIUM |
|
mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upg ...
Show More |
|||||
| CVE-2024-41960 | 1 Mailcow | 1 Mailcow\ | 2024-09-19 | N/A | 4.8 MEDIUM |
|
mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no kno ...
Show More |
|||||
| CVE-2024-34343 | 1 Nuxt | 1 Nuxt | 2024-09-19 | N/A | 6.1 MEDIUM |
|
Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL i ...
Show More |
|||||