Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-39629 | 1 Themegrill | 1 Himalayas | 2024-09-11 | N/A | 4.8 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemeGrill Himalayas allows Stored XSS. This issue affects Himalayas: from n/a through 1.3.2. |
| CVE-2024-39631 | 1 Contest-gallery | 1 Contest Gallery | 2024-09-11 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 23.1.2. |
| CVE-2024-39643 | 1 Metagauss | 1 Registrationmagic | 2024-09-11 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RegistrationMagic Forms RegistrationMagic allows Stored XSS. This issue affects RegistrationMagic: from n/a through 6.0.0.1. |
| CVE-2024-39644 | 1 Modernaweb | 1 Black Widgets For Elementor | 2024-09-11 | N/A | 5.4 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Modernaweb Studio Black Widgets For Elementor allows Stored XSS. This issue affects Black Widgets For Elementor: from n/a through 1.3.5. |
| CVE-2024-39646 | 1 Kunalnagar | 1 Custom 404 Pro | 2024-09-11 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Reflected XSS. This issue affects Custom 404 Pro: from n/a through 3.11.1. |
| CVE-2024-39647 | 1 Kofimokome | 1 Message Filter For Contact Form 7 | 2024-09-11 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kofi Mokome Message Filter for Contact Form 7 allows Reflected XSS. This issue affects Message Filter for Contact Form 7: from n/a through 1.6.1.1. |
| CVE-2024-6894 | 1 Rdstation | 1 Rd Station | 2024-09-11 | N/A | 5.4 MEDIUM | The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping of post metaboxes added by the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-8363 | 1 Share-this-image | 1 Share This Image | 2024-09-11 | N/A | 5.4 MEDIUM | The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STI Buttons shortcode in all versions up to, and including, 2.02 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-23906 | | | 2024-09-11 | N/A | 6.1 MEDIUM | Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator's session. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR ... |
| CVE-2024-6859 | 1 Ngothang | 1 Wp Multitasking | 2024-09-11 | N/A | 5.4 MEDIUM | The WP MultiTasking WordPress plugin through 0.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-8572 | 1 Gouniverse | 1 Golang Cms | 2024-09-11 | 4.0 MEDIUM | 6.1 MEDIUM | A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been declared as problematic. This vulnerability affects the function PageRenderHtmlByAlias of the file FrontendHandler.go. The manipulation of the argument alias leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.4.1 is able to address this issue. The patch is identified as 3e661cdfb4beeb9fe2ad507cdb8104c0b17d072c. It is recommended to upgrade the affected component. |
| CVE-2024-7204 | 1 Ai3 | 1 Qbibot | 2024-09-11 | N/A | 6.1 MEDIUM | Ai3 QbiBot does not properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. Once the recipient views the message, they will be subject to a Stored XSS attack. |
| CVE-2024-21897 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-11 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later; QuTS hero h5.1.6.2734 build 20240414 and later. |
| CVE-2023-50366 | 1 Qnap | 2 Qts, Quts Hero | 2024-09-11 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later; QuTS hero h5.1.6.2734 build 20240414 and later. |
| CVE-2024-43381 | 1 Yogeshojha | 1 Rengine | 2024-09-11 | N/A | 5.4 MEDIUM | reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability occurs when scanning a domain, and if the target domain's DNS record contains an XSS payload, it leads to the execution of malicious scripts in the reNgine's dashboard view when any user views the scan results. The XSS payload is directly fetched from the DNS record of the remote target domain. Consequently, an attacker c ... |
| CVE-2024-8604 | 1 Online Food Ordering System Project | 1 Online Food Ordering System | 2024-09-10 | 5.0 MEDIUM | 6.1 MEDIUM | A vulnerability classified as problematic has been found in SourceCodester Online Food Ordering System 2.0. This affects an unknown part of the file index.php of the component Create an Account Page. The manipulation of the argument First Name/Last Name leads to cross site scripting. It is possible to initiate the attack remotely. |
| CVE-2024-8583 | 1 Oretnom23 | 1 Online Bank Management System | 2024-09-10 | 4.0 MEDIUM | 5.4 MEDIUM | A vulnerability was found in SourceCodester Online Bank Management System and Online Bank Management System - 1.0. It has been classified as problematic. This affects an unknown part of the file /mfeedback.php of the component Feedback Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-8582 | 1 Oretnom23 | 1 Food Ordering Management System | 2024-09-10 | 4.0 MEDIUM | 6.1 MEDIUM | A vulnerability was found in SourceCodester Food Ordering Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument description leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-8566 | 1 Online Shop Store Project | 1 Online Shop Store | 2024-09-10 | 5.0 MEDIUM | 6.1 MEDIUM | A vulnerability classified as problematic was found in code-projects Online Shop Store 1.0. This vulnerability affects unknown code of the file /settings.php. The manipulation of the argument error leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-8563 | 1 Rems | 1 Php Crud | 2024-09-10 | 4.0 MEDIUM | 6.1 MEDIUM | A vulnerability was found in SourceCodester PHP CRUD 1.0. It has been classified as problematic. This affects an unknown part of the file /endpoint/update.php. The manipulation of the argument first_name/middle_name/last_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-8562 | 1 Rems | 1 Php Crud | 2024-09-10 | 4.0 MEDIUM | 6.1 MEDIUM | A vulnerability was found in SourceCodester PHP CRUD 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /endpoint/Add.php. The manipulation of the argument first_name/middle_name/last_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-8554 | 1 Oretnom23 | 1 Clinic's Patient Management System | 2024-09-10 | 4.0 MEDIUM | 5.4 MEDIUM | A vulnerability was found in SourceCodester Clinics Patient Management System 2.0 and classified as problematic. This issue affects some unknown processing of the file /users.php. The manipulation of the argument message leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-45279 | | | 2024-09-10 | N/A | 6.1 MEDIUM | Due to insufficient input validation, CRM Blueprint Application Builder Panel of SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to craft a URL link which could embed a malicious JavaScript. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application. |
| CVE-2024-45280 | | | 2024-09-10 | N/A | 4.8 MEDIUM | Due to insufficient encoding of user-controlled inputs, SAP NetWeaver AS Java allows malicious scripts to be executed in the login application. This has a limited impact on confidentiality and integrity of the application. There is no impact on availability. |
| CVE-2024-42378 | | | 2024-09-10 | N/A | 6.1 MEDIUM | Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows malicious scripts to be executed in the application, potentially leading to a Reflected Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application, but it can have some minor impact on its confidentiality and integrity. |
| CVE-2024-44120 | | | 2024-09-10 | N/A | 4.7 MEDIUM | SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site scripting due to insufficient encoding of user-controlled input. An unauthenticated attacker could craft a malicious URL and trick a user to click it. If the victim clicks on this crafted URL before it times out, then the attacker could read and manipulate user content in the browser. |
| CVE-2024-7644 | 1 Rems | 1 Leads Manager Tool | 2024-09-09 | 4.0 MEDIUM | 5.4 MEDIUM | A vulnerability was found in SourceCodester Leads Manager Tool 1.0. It has been classified as problematic. This affects an unknown part of the file /endpoint/add-leads.php of the component Add Leads Handler. The manipulation of the argument leads_name/phone_number leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2024-44796 | 1 Xiebruce | 1 Picuploader | 2024-09-06 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the component /auth/AzureRedirect.php of PicUploader commit fcf82ea allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the error_description parameter. |
| CVE-2024-44919 | 1 Seacms | 1 Seacms | 2024-09-06 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in the component admin_ads.php of SeaCMS v12.9 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ad description parameter. |
| CVE-2024-44797 | 1 Gazelle Project | 1 Gazelle | 2024-09-06 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the component /managers/enable_requests.php of Gazelle commit 63b3370 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the view parameter. |
| CVE-2024-41947 | 1 Xwiki | 1 Xwiki | 2024-09-06 | N/A | 5.4 MEDIUM | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. |
| CVE-2024-6498 | 1 Micro.company | 1 Collect.chat | 2024-09-06 | N/A | 4.8 MEDIUM | The Chatbot for WordPress by Collect.chat ⚡️ WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2024-20488 | 1 Cisco | 1 Unified Communications Manager | 2024-09-06 | N/A | 6.1 MEDIUM | A vulnerability in the web-based management interface of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a ... |
| CVE-2024-8119 | 1 Wpextended | 1 Wp Extended | 2024-09-06 | N/A | 6.1 MEDIUM | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2024-8117 | 1 Wpextended | 1 Wp Extended | 2024-09-06 | N/A | 6.1 MEDIUM | The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'selected_option' parameter in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| CVE-2024-44728 | 1 Angeljudesuarez | 1 Event Management System | 2024-09-06 | N/A | 6.1 MEDIUM | Sourcecodehero Event Management System 1.0 allows Stored Cross-Site Scripting via parameters Full Name, Address, Email, and contact# in /clientdetails/admin/regester.php. |
| CVE-2024-8473 | 1 Phpgurukul | 1 Job Portal | 2024-09-06 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through the user_email parameter in /jobportal/admin/login.php. |
| CVE-2024-8472 | 1 Phpgurukul | 1 Job Portal | 2024-09-06 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through multiple parameters in /jobportal/index.php. |
| CVE-2024-8471 | 1 Phpgurukul | 1 Job Portal | 2024-09-06 | N/A | 6.1 MEDIUM | Cross-Site Scripting (XSS) vulnerability, whereby user-controlled input is not sufficiently encrypted. Exploitation of this vulnerability could allow an attacker to retrieve the session details of an authenticated user through the JOBID and USERNAME parameters in /jobportal/process.php. |
| CVE-2024-42790 | 1 Lopalopa | 1 Music Management System | 2024-09-05 | N/A | 5.4 MEDIUM | A Reflected Cross Site Scripting (XSS) vulnerability was found in "/music/index.php?page=test" in Kashipara Music Management System v1.0. This vulnerability allows remote attackers to execute arbitrary code via the "page" parameter. |