Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-4176 | Trellix | Xconsole | 2024-11-21 | N/A | 4.1 MEDIUM | A cross-site scripting vulnerability in the EDR XConsole before this release allowed an attacker to potentially leverage XSS/HTML injection using command-line variables. A malicious threat actor could execute commands in the victim's browser by sending carefully crafted malicious links to the EDR XConsole end user. |
| CVE-2024-4174 | | | 2024-11-21 | N/A | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in Hyperion Web Server affecting version 2.0.15. This vulnerability could allow an attacker to execute malicious JavaScript code on the client by injecting that code into the URL. |
| CVE-2024-4105 | | | 2024-11-21 | N/A | 5.8 MEDIUM | A vulnerability has been found in FAST/TOOLS and CI Server. The affected products' WEB HMI server function that processes HTTP requests has a reflected XSS flaw that allows execution of malicious scripts. If a client PC with inadequate security measures accesses a product URL containing a malicious request, the malicious script may be executed on the client PC. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) ... |
| CVE-2024-4077 | | | 2024-11-21 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AndonDesign UDesign allows reflected XSS. This issue affects UDesign: from n/a through 4.7.3. |
| CVE-2024-4075 | | | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic has been found in Kashipara Online Furniture Shopping Ecommerce Website 1.0. It affects an unknown part of the file login.php. Manipulation of the argument txtAddress leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261801 was assigned to this vulnerability. |
| CVE-2024-4074 | | | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0 and rated as problematic. It affects unknown functionality of the file prodInfo.php. Manipulation of the argument prodId leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261800. |
| CVE-2024-4073 | Aditya88 | Online Furniture Shopping Ecommerce Website | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0 and declared problematic. It affects unknown functionality of the file prodList.php. Manipulation of the argument prodType leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261799. |
| CVE-2024-4072 | Aditya88 | Online Furniture Shopping Ecommerce Website | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Kashipara Online Furniture Shopping Ecommerce Website 1.0 and classified as problematic. It affects an unknown function of the file search.php. Manipulation of the argument txtSearch leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. VDB-261798 is the identifier assigned to this vulnerability. |
| CVE-2024-4042 | Pickplugins | Comboblocks | 2024-11-21 | N/A | 6.4 MEDIUM | The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to stored cross-site scripting via the 'class' attribute of the menu-wrap-item block in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user acces ... |
| CVE-2024-4026 | | | 2024-11-21 | N/A | 4.6 MEDIUM | Cross-site scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload in every editable parameter of the 'General' and 'Team ID' functionalities, which could result in a session takeover. |
| CVE-2024-4001 | Wpdownloadmanager | Download Manager | 2024-11-21 | N/A | 6.4 MEDIUM | The Download Manager plugin for WordPress is vulnerable to stored cross-site scripting via the plugin's 'wpdm_modal_login_form' shortcode in all versions up to, and including, 3.2.93 due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-45477 | Apache | Nifi | 2024-11-21 | N/A | 4.6 MEDIUM | Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, which the client browser will execute within the session context of the authenticated user. Upgrading to Apache NiFi 1.28.0 or 2.0.0-M4 is the recommended mitigation. |
| CVE-2024-42831 | | | 2024-11-21 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime CRM Automation v6.18.17 allows attackers to execute arbitrary JavaScript code in a user's web browser by injecting a crafted payload into the dialog parameter at wrapper_dialog.php. |
| CVE-2024-42055 | Cervantessec | Cervantes | 2024-11-21 | N/A | 5.4 MEDIUM | Cervantes through 0.5-alpha allows stored XSS. |
| CVE-2024-41943 | | | 2024-11-21 | N/A | 4.6 MEDIUM | I, Librarian is an open-source version of a PDF-managing SaaS. PDF notes are displayed on the Item Summary page without any validation or sanitization. An attacker can exploit this by inserting a payload containing malicious code or script into the PDF notes; the code is then executed when the page is loaded in the browser. The vulnerability was fixed in version 5.11.1. |
| CVE-2024-41914 | Arubanetworks | Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 8.1 HIGH | A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. |
| CVE-2024-41826 | Jetbrains | Teamcity | 2024-11-21 | N/A | 3.5 LOW | In JetBrains TeamCity before 2024.07, stored XSS was possible on the Show Connection page. |
| CVE-2024-41825 | Jetbrains | Teamcity | 2024-11-21 | N/A | 4.6 MEDIUM | In JetBrains TeamCity before 2024.07, stored XSS was possible on the Code Inspection tab. |
| CVE-2024-41819 | Enchantedcode | Note Mark | 2024-11-21 | N/A | 8.7 HIGH | Note Mark is a web-based Markdown notes app. A stored cross-site scripting (XSS) vulnerability in Note Mark allows attackers to execute arbitrary web scripts via a crafted payload injected into the URL value of a link in the markdown content. This vulnerability is fixed in 0.13.1. |
| CVE-2024-41809 | Openobserve | Openobserve | 2024-11-21 | N/A | 7.2 HIGH | OpenObserve is an open-source observability platform. Starting in version 0.4.4 and prior to version 0.10.0, OpenObserve contains a cross-site scripting vulnerability in line 32 of `openobserve/web/src/views/MemberSubscription.vue`. Version 0.10.0 sanitizes incoming HTML. |
| CVE-2024-41808 | Openobserve | Openobserve | 2024-11-21 | N/A | 8.8 HIGH | The OpenObserve open-source observability platform provides the ability to filter logs in a dashboard by the values uploaded in a given log. However, all versions of the platform through 0.9.1 do not sanitize user input in the filter selection menu, which may result in complete account takeover. It has been noted that the front end uses `DOMPurify` or Vue templating to escape cross-site scripting (XSS) extensively; however, certain areas of the front end lack this XSS protection. When combining t ... |
| CVE-2024-41805 | | | 2024-11-21 | N/A | 6.1 MEDIUM | Tracks, a Getting Things Done (GTD) web application, is vulnerable to reflected cross-site scripting in versions prior to 2.7.1. Reflected cross-site scripting enables execution of malicious JavaScript in the context of a user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to credential theft. Tracks version 2.7.1 is patched. No known complete workarounds are available. |
| CVE-2024-41706 | Archerirm | Archer | 2024-11-21 | N/A | 7.3 HIGH | A stored XSS issue was discovered in Archer Platform 6 before version 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.14 P4 (6.14.0.4) is also a fixed release. |
| CVE-2024-41705 | Archerirm | Archer | 2024-11-21 | N/A | 7.1 HIGH | A stored XSS issue was discovered in Archer Platform 6.8 before 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.14 P4 (6.14.0.4) and 6.13 P4 (6.13.0.4) are also fixed releases. This vulnerability is similar to, but not ... |
| CVE-2024-41676 | Openmage | Magento | 2024-11-21 | N/A | 4.1 MEDIUM | Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs. They are intended to let admins set a text value in two of them and an image URL in the other two. Because escaping was previously missing, arbitrary HTML, and consequently arbitrary JavaScript, could be entered. The problem is patched ... |
| CVE-2024-41663 | | | 2024-11-21 | N/A | 3.5 LOW | Canarytokens help track activity and actions on a network. A cross-site scripting vulnerability was identified in the "Cloned Website" Canarytoken, whereby the Canarytoken's creator can attack themselves. The creator of a slow-redirect Canarytoken can insert JavaScript into the destination URL of their slow-redirect token. When the creator later browses the management page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this se ... |
| CVE-2024-41662 | Vnote Project | Vnote | 2024-11-21 | N/A | 8.6 HIGH | VNote is a note-taking platform. A cross-site scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code, through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitizat ... |
| CVE-2024-41640 | | | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via a crafted GET request using the id parameter. |
| CVE-2024-41141 | | | 2024-11-21 | N/A | 6.1 MEDIUM | A stored cross-site scripting vulnerability exists in the EC-CUBE Web API Plugin. When multiple users use the OAuth Management feature and one of them enters a crafted value on the OAuth Management page, an arbitrary script may be executed in the web browser of another user who accesses the management page. |
| CVE-2024-40873 | Absolute | Secure Access | 2024-11-21 | N/A | 4.5 MEDIUM | There is a cross-site scripting vulnerability in the Secure Access administrative console of Absolute Secure Access prior to version 13.07. Attackers with system administrator permissions can interfere with another system administrator's use of the publishing UI when the administrators are editing the same management object. The scope is unchanged and there is no loss of confidentiality. Impact to system availability is none; impact to system integrity is high. |
| CVE-2024-40742 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the circuit ID parameter at /circuits/circuits/add. |
| CVE-2024-40741 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the circuit ID parameter at /circuits/circuits/{id}/edit/. |
| CVE-2024-40740 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-feeds/{id}/edit/. |
| CVE-2024-40739 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-feeds/add. |
| CVE-2024-40738 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-ports/{id}/edit/. |
| CVE-2024-40736 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-outlets/add. |
| CVE-2024-40735 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-outlets/{id}/edit/. |
| CVE-2024-40734 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/front-ports/add/. |
| CVE-2024-40733 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/front-ports/{id}/edit/. |
| CVE-2024-40732 | Netbox | Netbox | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in NetBox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/rear-ports/add/. |
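Most entries in the list above reduce to one defect: user input written into an HTML document without encoding for the context it lands in. Two contexts recur. Text and attribute values (the NetBox Name fields, the Combo Blocks 'class' attribute, the search.php txtSearch parameter) need entity escaping; the URL of a link (the Note Mark and VNote markdown link URL) needs a scheme allow-list, because `javascript:alert(1)` contains no HTML metacharacter for escaping to catch. The following is an added example that is not code from any of the listed projects: the function names are mine, the markdown link renderer is a deliberately minimal stand-in for the real renderers, and the payloads in the comments are constructed for illustration.

```javascript
// Added example: context-aware output encoding for the two XSS contexts that
// recur in the CVE list above. Not the code of any product named on the page.

// HTML text and quoted-attribute context: encode the five significant characters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// URL (href) context: escaping does not help, "javascript:alert(1)" has nothing
// to escape. Allow-list the scheme instead. Returns null when the URL is rejected.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function safeHref(url) {
  // Browsers drop tab/newline anywhere in a URL and leading C0 controls/spaces,
  // so "java\tscript:" and "\u0001javascript:" would still run. Strip the same
  // characters before looking at the scheme, then compare case-insensitively.
  const cleaned = String(url).replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20\x7f]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m === null) return cleaned;            // no scheme: relative URL, allowed
  return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? cleaned : null;
}

// Markdown link [text](url) rendered the way the vulnerable renderers effectively
// did it: the URL goes straight into href and the text straight into the element.
function renderLinkVulnerable(text, url) {
  return `<a href="${url}">${text}</a>`;
}

// Hardened: scheme check for the URL context, entity escaping for both contexts.
// Escaping the href also defeats "&#106;avascript:", because "&" becomes "&amp;"
// and the browser never decodes the entity into a scheme.
function renderLinkHardened(text, url) {
  const href = safeHref(url);
  if (href === null) return escapeHtml(text);   // drop the link, keep the text
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Reflected case (search.php txtSearch, the NetBox add/edit forms): a request
// parameter is echoed back into the page body.
function renderSearchVulnerable(q) {
  return `<p>Results for ${q}</p>`;
}
function renderSearchHardened(q) {
  return `<p>Results for ${escapeHtml(q)}</p>`;
}

// Constructed payloads, one per trick the checks above are meant to stop.
const SAMPLE_URLS = [
  'javascript:alert(1)',            // plain
  'JaVaScRiPt:alert(1)',            // case
  'java\tscript:alert(1)',          // tab inside the scheme
  '\u0001javascript:alert(1)',      // leading control character
  '&#106;avascript:alert(1)',       // entity-encoded scheme
  'https://example.com/?q=1',       // legitimate
];
```

`safeHref` accepts scheme-less input, which includes protocol-relative `//host/path`; that is not a script vector, but a renderer that must keep users on its own origin should reject it too. Note that a single `escapeHtml` is correct for text and for double-quoted attributes, and for nothing else: unquoted attributes, inline event handlers, and script blocks each need their own encoder, which is why DOM-sanitizing libraries are preferred over ad hoc escaping for rich content.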