Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-5164 | 1 Sevenspark | 1 Bellows Accordion Menu | 2024-11-21 | N/A | 6.4 MEDIUM | The Bellows Accordion Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5163 | 1 Weather-atlas | 1 Weather Atlas | 2024-11-21 | N/A | 6.4 MEDIUM | The Weather Atlas Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode-weather-atlas' shortcode in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5141 | 1 Bannersky | 1 Bsk Contact Form 7 Blacklist | 2024-11-21 | N/A | 6.1 MEDIUM | The BSK Contact Form 7 Blacklist WordPress plugin through 1.0.1 does not sanitise and escape the inserted_count parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-5140 | 1 Computy | 1 Bonus For Woo | 2024-11-21 | N/A | 6.1 MEDIUM | The Bonus for Woo WordPress plugin before 5.8.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-5128 | 1 Tcd-theme | 1 Tcd Google Maps | 2024-11-21 | N/A | 6.4 MEDIUM | The TCD Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map' shortcode in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5127 | 1 Wp Font Awesome Project | 1 Wp Font Awesome | 2024-11-21 | N/A | 6.4 MEDIUM | The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on the 'icon' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5126 | 1 Cmc3215 | 1 Delete Me | 2024-11-21 | N/A | 4.9 MEDIUM | The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot ... |
| CVE-2023-5121 | 1 Wpvivid | 1 Migration, Backup, Staging | 2024-11-21 | N/A | 4.4 MEDIUM | The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings (the backup path parameter) in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations ... |
| CVE-2023-5120 | 1 Wpvivid | 1 Migration, Backup, Staging | 2024-11-21 | N/A | 4.4 MEDIUM | The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image file path parameter in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5119 | 1 Incsub | 1 Forminator | 2024-11-21 | N/A | 4.8 MEDIUM | The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). |
| CVE-2023-5118 | 1 Tungstenautomation | 1 Kofax Capture | 2024-11-21 | N/A | 5.4 MEDIUM | The application is vulnerable to Stored Cross-Site Scripting (XSS) in the endpoint /sofer/DocumentService.asc/SaveAnnotation, where input data transmitted via the POST method in the parameters author and text are not adequately sanitized and validated. This allows for the injection of malicious JavaScript code. The vulnerability was identified in the function for adding new annotations while editing document content. Reporters inform that the vulnerability has been removed in software versions ... |
| CVE-2023-5114 | 1 Dbbee | 1 Idbbee | 2024-11-21 | N/A | 5.4 MEDIUM | The idbbee plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idbbee' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5113 | 1 Hp | 1133 Color Laserjet Enterprise 5700 49k98a, Color Laserjet Enterprise 5700 6qn28a, Color Laserjet Enterprise 6700 49l00a and 1130 more | 2024-11-21 | N/A | 6.1 MEDIUM | Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to denial of service due to WS-Print requests and to potential injection of Cross Site Scripting via jQuery-UI. |
| CVE-2023-5112 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM | Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "specials_type_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. |
| CVE-2023-5111 | 1 Oscommerce | 1 Oscommerce | 2024-11-21 | N/A | 5.4 MEDIUM | Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "featured_type_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser. |
| CVE-2023-5110 | 1 Bannersky | 1 Bsk Pdf Manager | 2024-11-21 | N/A | 6.4 MEDIUM | The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bsk-pdfm-category-dropdown' shortcode in versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5109 | 1 Ironikus | 1 Wp Mailto Links | 2024-11-21 | N/A | 6.4 MEDIUM | The WP Mailto Links – Protect Email Addresses plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpml_mailto' shortcode in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in vers ... |
| CVE-2023-5096 | 1 Jonashjalmarsson | 1 Html Filter And Csv-file Search | 2024-11-21 | N/A | 6.4 MEDIUM | The HTML filter and csv-file search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'csvsearch' shortcode in versions up to, and including, 2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5086 | 1 Maheshwaghmare | 1 Copy Anything To Clipboard | 2024-11-21 | N/A | 6.4 MEDIUM | The Copy Anything to Clipboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'copy' shortcode in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5085 | 1 Advanced Menu Widget Project | 1 Advanced Menu Widget | 2024-11-21 | N/A | 6.4 MEDIUM | The Advanced Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advMenu' shortcode in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5084 | 1 Hestiacp | 1 Hestiacp | 2024-11-21 | N/A | 3.9 LOW | Cross-site Scripting (XSS) - Reflected in GitHub repository hestiacp/hestiacp prior to 1.8.8. |
| CVE-2023-5076 | 1 Ziteboard | 1 Ziteboard | 2024-11-21 | N/A | 6.4 MEDIUM | The Ziteboard Online Whiteboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ziteboard' shortcode in versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5073 | 1 Jrbecart | 1 Iframe Forms | 2024-11-21 | N/A | 6.4 MEDIUM | The iframe forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'iframe' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5071 | 1 Sitekit Project | 1 Sitekit | 2024-11-21 | N/A | 6.4 MEDIUM | The Sitekit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sitekit_iframe' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5060 | 1 Librenms | 1 Librenms | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site Scripting (XSS) - DOM in GitHub repository librenms/librenms prior to 23.9.1. |
| CVE-2023-5052 | | | 2024-11-21 | N/A | 6.3 MEDIUM | Vulnerability in Uniform Server Zero, version 10.2.5, consisting of an XSS through the /us_extra/phpinfo.php page. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and partially take over their session details. |
| CVE-2023-5050 | 1 Bozdoz | 1 Leaflet Map | 2024-11-21 | N/A | 6.4 MEDIUM | The Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5049 | 1 Seedprod | 1 Rafflepress | 2024-11-21 | N/A | 6.4 MEDIUM | The Giveaways and Contests by RafflePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rafflepress' and 'rafflepress_gutenberg' shortcodes in versions up to, and including, 1.12.0 due to insufficient input sanitization and output escaping on the 'giframe' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected pa ... |
| CVE-2023-5048 | 1 Web-dorado | 1 Wp Form Builder | 2024-11-21 | N/A | 6.4 MEDIUM | The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Contact_Form_Builder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on the 'id' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-5026 | 1 Tongda2000 | 1 Tongda Office Anywhere | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability classified as problematic has been found in Tongda OA 11.10. Affected is an unknown function of the file /general/ipanel/menu_code.php?MENU_TYPE=FAV. The manipulation of the argument OA_SUB_WINDOW leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239868. |
| CVE-2023-5025 | 1 Koha | 1 Koha | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239866 is the identifier assigned to this vulnerability. |
| CVE-2023-5024 | 1 Planno | 1 Planning Biblio | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in Planno 23.04.04. It has been classified as problematic. This affects an unknown part of the component Comment Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-239865 was assigned to this vulnerability. |
| CVE-2023-5021 | 1 Oretnom23 | 1 Ac Repair And Services System | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability, which was classified as problematic, was found in SourceCodester AC Repair and Services System 1.0. Affected is an unknown function of the file admin/?page=system_info/contact_information. The manipulation of the argument telephone/mobile/address leads to cross site scripting. It is possible to launch the attack remotely. VDB-239862 is the identifier assigned to this vulnerability. |
| CVE-2023-5015 | 1 Ucms Project | 1 Ucms | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW | A vulnerability was found in UCMS 1.4.7. It has been classified as problematic. Affected is an unknown function of the file ajax.php?do=strarraylist. The manipulation of the argument strdefault leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-239856. |
| CVE-2023-5013 | 1 Pluck-cms | 1 Pluck | 2024-11-21 | 2.1 LOW | 2.6 LOW | A vulnerability has been found in Pluck CMS 4.7.18 and classified as problematic. This vulnerability affects unknown code of the file install.php of the component Installation Handler. The manipulation of the argument contents with the input `<script>alert('xss')</script>` leads to cross site scripting. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-239854 ... |
| CVE-2023-5001 | 1 Gopiplus | 1 Horizontal Scrolling Announcement | 2024-11-21 | N/A | 6.4 MEDIUM | The Horizontal scrolling announcement for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the 'horizontal-scrolling' shortcode in versions up to, and including, 9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-52269 | 1 Mdaemon | 1 Securitygateway | 2024-11-21 | N/A | 4.8 MEDIUM | MDaemon SecurityGateway through 9.0.3 allows XSS via a crafted Message Content Filtering rule. This might allow domain administrators to conduct attacks against global administrators. |
| CVE-2023-52264 | 1 Thirtybees | 1 Bees Blog | 2024-11-21 | N/A | 6.1 MEDIUM | The beesblog (aka Bees Blog) component before 1.6.2 for thirty bees allows Reflected XSS because the sharing_url parameter in controllers/front/post.php is mishandled. |
| CVE-2023-52257 | 1 Logobee | 1 Logobee | 2024-11-21 | N/A | 6.1 MEDIUM | LogoBee 0.2 allows XSS via the updates.php?id= parameter. |
| CVE-2023-52240 | 1 Kantega-sso | 1 Kantega Saml Sso Oidc Kerberos Single Sign-on | 2024-11-21 | N/A | 6.1 MEDIUM | The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled. This affects 4.4.2 through 4.14.8 before 4.14.9, 5.0.0 through 5.11.4 before 5.11.5, and 6.0.0 through 6.19.0 before 6.20.0. The full product names are Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center & Server (Kantega SSO Enterprise), Kan ... |