Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-40731 | 1 Netbox | 1 Netbox | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/rear-ports/{id}/edit/.
|
|||||
| CVE-2024-40730 | 1 Netbox | 1 Netbox | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/interfaces/{id}/edit/.
|
|||||
| CVE-2024-40729 | 1 Netbox | 1 Netbox | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/interfaces/add/.
|
|||||
| CVE-2024-40728 | 1 Netbox | 1 Netbox | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/{id}/edit/.
|
|||||
| CVE-2024-40727 | 1 Netbox | 1 Netbox | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/add/.
|
|||||
| CVE-2024-40726 | 1 Netbox | 1 Netbox | 2024-11-21 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-ports/{id}/edit/.
|
|||||
| CVE-2024-40690 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | N/A | 5.4 MEDIUM |
|
IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 297720.
|
|||||
| CVE-2024-40631 | 2024-11-21 | N/A | 8.1 HIGH | ||
|
Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do not use `urlParsers` and consume the `url` property directly may also be vulnerable if the URL is not sanitised. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. `@udecode/plate-media` 36.0.10 r ...
Show More |
|||||
| CVE-2024-40618 | 2024-11-21 | N/A | 9.6 CRITICAL | ||
|
Whale browser before 3.26.244.21 allows an attacker to execute malicious JavaScript due to improper sanitization when processing a built-in extension.
|
|||||
| CVE-2024-40600 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 4.8 MEDIUM |
|
An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries.
|
|||||
| CVE-2024-3999 | 1 Spider-themes | 1 Eazydocs | 2024-11-21 | N/A | 4.8 MEDIUM |
|
The EazyDocs WordPress plugin before 2.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3987 | 1 Freshlightlab | 1 Wp Mobile Menu | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The WP Mobile Menu – The Mobile-Friendly Responsive Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alt text in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3978 | 1 Andrewabarber | 1 Wordpress Jitsi Shortcode | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2024-3977 | 1 Andrewabarber | 1 Wordpress Jitsi Shortcode | 2024-11-21 | N/A | 4.8 MEDIUM |
|
The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-3966 | 1 Projectcaruso | 1 Pray For Me | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin
|
|||||
| CVE-2024-3951 | 2024-11-21 | N/A | 7.1 HIGH | ||
|
PTC Codebeamer is vulnerable to a cross site scripting vulnerability that could allow an attacker to inject and execute malicious code.
|
|||||
| CVE-2024-3938 | 1 Dotcms | 1 Dotcms | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The "reset password" login page accepted an HTML injection via URL parameters.
This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E
This will result in a view along these lines:
* OWASP Top 10 - A03: Injection
* CVSS Sc ...
Show More |
|||||
| CVE-2024-3896 | 1 Robogallery | 1 Robo Gallery | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the Gallery title field in all versions up to, and including, 3.2.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3850 | 1 Uniview | 2 Nvr301-04s2-p4, Nvr301-04s2-p4 Firmware | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Uniview NVR301-04S2-P4 is vulnerable to reflected cross-site scripting attack (XSS). An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser. This vulnerability also requires authentication before it can be exploited, so the scope and severity is limited. Also, even if JavaScript is executed, no additional benefits are obtained.
|
|||||
| CVE-2024-3815 | 1 Tagdiv | 1 Newspaper | 2024-11-21 | N/A | 5.5 MEDIUM |
|
The Newspaper theme for WordPress is vulnerable to Stored Cross-Site Scripting via attachment meta in the archive page in all versions up to, and including, 12.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3814 | 1 Tagdiv | 1 Tagdiv Composer | 2024-11-21 | N/A | 5.5 MEDIUM |
|
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3801 | 1 Conceptintermedia | 1 S\@m Cms | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via including scripts in one of GET header parameters.
Only a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears.
|
|||||
| CVE-2024-3798 | 2024-11-21 | N/A | N/A | ||
|
Insecure handling of GET header parameter file included in requests being sent to an instance of the open-source project Phoniebox allows an attacker to create a website, which – when visited by a user – will send malicious requests to multiple hosts on the local network. If such a request reaches the server, it will cause one of the following (depending on the chosen payload): shell command execution, reflected XSS or cross-site request forgery.
This issue affects Phoniebox in all releases th ...
Show More |
|||||
| CVE-2024-3766 | 2024-11-21 | 3.3 LOW | 2.4 LOW | ||
|
A vulnerability, which was classified as problematic, has been found in slowlyo OwlAdmin up to 3.5.7. Affected by this issue is some unknown functionality of the file /admin-api/upload_image of the component Image File Upload. The manipulation of the argument file leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260606 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2024-3687 | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability was found in bihell Dice 3.1.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Comment Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260474 is the identifier assigned to this vulnerability.
|
|||||
| CVE-2024-3654 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
An XSS vulnerability has been found in Teimas Global's Teixo, version 1.42.42-stable. This vulnerability could allow an attacker to send a specially crafted JavaScript payload via the "seconds" parameter in the program's URL, resulting in a possible takeover of a registered user's session.
|
|||||
| CVE-2024-3639 | 1 Livemeshelementor | 1 Addons For Elementor | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3638 | 1 Livemeshelementor | 1 Addons For Elementor | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an ...
Show More |
|||||
| CVE-2024-3603 | 1 Hyumika | 1 Openstreetmap | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3587 | 1 Averta | 1 Auxinportfolio | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Portfolios Widget in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3579 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
|
Open-source project Online Shopping System Advanced is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser.
|
|||||
| CVE-2024-3576 | 2024-11-21 | N/A | 8.3 HIGH | ||
|
The NPort 5100A Series firmware version v1.6 and prior versions are affected by web server XSS vulnerability. The vulnerability is caused by not correctly neutralizing user-controllable input before placing it in output. Malicious users may use the vulnerability to get sensitive information and escalate privileges.
|
|||||
| CVE-2024-3563 | 1 Wpengine | 1 Genesis Blocks | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Genesis Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sharing block in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3558 | 1 Custom Field Suite Project | 1 Custom Field Suite | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_title]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3526 | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability has been found in Campcodes Online Event Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument msg leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259897 was assigned to this vulnerability.
|
|||||
| CVE-2024-3525 | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability, which was classified as problematic, was found in Campcodes Online Event Management System 1.0. Affected is an unknown function of the file /views/index.php. The manipulation of the argument msg leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259896.
|
|||||
| CVE-2024-3524 | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability, which was classified as problematic, has been found in Campcodes Online Event Management System 1.0. This issue affects some unknown processing of the file /views/process.php. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259895.
|
|||||
| CVE-2024-3513 | 1 Dotcamp | 1 Ultimate Blocks | 2024-11-21 | N/A | 6.4 MEDIUM |
|
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title tag parameter in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-3482 | 2024-11-21 | N/A | 8.7 HIGH | ||
|
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Enterprise Security Manager and ArcSight Platform. The vulnerability could be remotely exploited.
|
|||||
| CVE-2024-3469 | 1 Generatepress | 1 Generatepress | 2024-11-21 | N/A | 6.1 MEDIUM |
|
The GP Premium plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the message parameter in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||