Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2023-40624 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | N/A | 5.5 MEDIUM | SAP NetWeaver AS ABAP (applications based on Unified Rendering) - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 702, SAP_BASIS 731, allows an attacker to inject JavaScript code that can be executed in the web-application. An attacker could thereby control the behavior of this web-application. |
| CVE-2023-40618 | 1 Openknowledgemaps | 1 Head Start | 2024-11-21 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeMaps Head Start versions 4, 5, 6, 7 as well as Visual Project Explorer 1.0, allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'service' parameter in 'headstart_snapshot.php'. |
| CVE-2023-40617 | 1 Openknowledgemaps | 1 Head Start | 2024-11-21 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeMaps Head Start 7 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'file' parameter in 'displayPDF.php'. |
| CVE-2023-40605 | 1 93digital | 1 Typing Effect | 2024-11-21 | N/A | 6.5 MEDIUM | Auth. (contributor) Cross-Site Scripting (XSS) vulnerability in 93digital Typing Effect plugin <= 1.3.6 versions. |
| CVE-2023-40604 | 1 Jesmadsen | 1 Cookies By Jm | 2024-11-21 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jes Madsen Cookies by JM plugin <= 1.0 versions. |
| CVE-2023-40601 | 1 Estatik | 1 Estatik Mortgage Calculator | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Estatik Estatik Mortgage Calculator plugin <= 2.0.7 versions. |
| CVE-2023-40592 | 1 Splunk | 2 Splunk, Splunk Cloud Platform | 2024-11-21 | N/A | 8.4 HIGH | In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an attacker can craft a special web request that can result in reflected cross-site scripting (XSS) on the "/app/search/table" web endpoint. Exploitation of this vulnerability can lead to the execution of arbitrary commands on the Splunk platform instance. |
| CVE-2023-40577 | 2 Debian, Prometheus | 2 Debian Linux, Alertmanager | 2024-11-21 | N/A | 7.5 HIGH | Alertmanager handles alerts sent by client applications such as the Prometheus server. An attacker with the permission to perform POST requests on the /api/v1/alerts endpoint could be able to execute arbitrary JavaScript code on the users of Prometheus Alertmanager. This issue has been fixed in Alertmanager version 0.2.51. |
| CVE-2023-40560 | 1 Toolstack | 1 Schedule Posts Calendar | 2024-11-21 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Greg Ross Schedule Posts Calendar plugin <= 5.2 versions. |
| CVE-2023-40554 | 1 Adenion | 1 Blog2social | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Blog2Social, Adenion Blog2Social: Social Media Auto Post & Scheduler plugin <= 7.2.0 versions. |
| CVE-2023-40553 | 1 Plausible | 1 Plausible Analytics | 2024-11-21 | N/A | 5.8 MEDIUM | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Plausible.Io Plausible Analytics plugin <= 1.3.3 versions. |
| CVE-2023-40552 | 1 Codeinitiator | 1 Fitness Calculators Plugin | 2024-11-21 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gurcharan Singh Fitness calculators plugin plugin <= 2.0.7 versions. |
| CVE-2023-40535 | 1 I-pro | 1 Video Insight | 2024-11-21 | N/A | 5.4 MEDIUM | Stored cross-site scripting vulnerability in View setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary script. |
| CVE-2023-40519 | 1 Broadpeak | 1 Centralized Accounts Management Auth Agent | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in the bpk-common/auth/login/index.html login portal in Broadpeak Centralized Accounts Management Auth Agent 01.01.00.19219575_ee9195b0, 01.01.01.30097902_fd999e76, and 00.12.01.9565588_1254b459 allows remote attackers to inject arbitrary web script or HTML via the disconnectMessage parameter. |
| CVE-2023-40461 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2024-11-21 | N/A | 8.1 HIGH | The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition. |
| CVE-2023-40460 | 1 Sierrawireless | 8 Aleos, Es450, Gx450 and 5 more | 2024-11-21 | N/A | 7.1 HIGH | The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted. |
| CVE-2023-40367 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-11-21 | N/A | 5.4 MEDIUM | IBM QRadar SIEM 7.5.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 263376. |
| CVE-2023-40350 | 1 Jenkins | 1 Docker Swarm | 2024-11-21 | N/A | 5.4 MEDIUM | Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control responses from Docker. |
| CVE-2023-40346 | 1 Jenkins | 1 Shortcut Job | 2024-11-21 | N/A | 5.4 MEDIUM | Jenkins Shortcut Job Plugin 0.4 and earlier does not escape the shortcut redirection URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure shortcut jobs. |
| CVE-2023-40342 | 1 Jenkins | 1 Flaky Test Handler | 2024-11-21 | N/A | 5.4 MEDIUM | Jenkins Flaky Test Handler Plugin 1.2.2 and earlier does not escape JUnit test contents when showing them on the Jenkins UI, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control JUnit report file contents. |
| CVE-2023-40333 | 1 Qodeinteractive | 1 Bridge Core | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Qode Interactive Bridge Core plugin <= 3.0.9 versions. |
| CVE-2023-40330 | 1 Dev4press | 1 Gd Security Headers | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Milan Petrovic GD Security Headers plugin <= 1.6.1 versions. |
| CVE-2023-40329 | 1 Wpzest | 1 Custom Admin Login Page \| Wpzest Plugin | 2024-11-21 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPZest Custom Admin Login Page \| WPZest plugin <= 1.2.0 versions. |
| CVE-2023-40328 | 1 Carrrot | 1 Carrrot | 2024-11-21 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Carrrot plugin <= 1.1.0 versions. |
| CVE-2023-40314 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | N/A | 5.8 MEDIUM | Cross-site scripting in bootstrap.jsp in multiple versions of OpenNMS Meridian and Horizon allows an attacker access to confidential session information. The solution is to upgrade to Horizon 32.0.5 or newer and Meridian 2023.1.9 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Moshe Apelbaum for reporting this i ... |
| CVE-2023-40312 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | N/A | 6.7 MEDIUM | Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly a ... |
| CVE-2023-40311 | 1 Opennms | 2 Horizon, Meridian | 2024-11-21 | N/A | 6.7 MEDIUM | Multiple stored XSS were found on different JSP files with unsanitized parameters in OpenNMS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that allow an attacker to store on database and then load on JSPs or Angular templates. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30, 2020.1.38 or Horizon 32.0.2 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and s ... |
| CVE-2023-40281 | 1 Ec-cube | 1 Ec-cube | 2024-11-21 | N/A | 4.8 MEDIUM | EC-CUBE 2.11.0 to 2.17.2-p1 contain a cross-site scripting vulnerability in "mail/template" and "products/product" of Management page. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the other administrator or the user who accessed the website using the product. |
| CVE-2023-40224 | 1 Misp | 1 Misp | 2024-11-21 | N/A | 6.1 MEDIUM | MISP 2.4.174 allows XSS in app/View/Events/index.ctp. |
| CVE-2023-40214 | 1 Bestdivichild | 1 Business Pro | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Vathemes Business Pro theme <= 1.10.4 versions. |
| CVE-2023-40208 | 1 Urosevic | 1 Stock Ticker | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Aleksandar Urošević Stock Ticker plugin <= 3.23.3 versions. |
| CVE-2023-40206 | 1 Hwk | 1 Wp 404 Auto Redirect To Similar Post | 2024-11-21 | N/A | 5.9 MEDIUM | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in hwk-fr WP 404 Auto Redirect to Similar Post plugin <= 1.0.3 versions. |
| CVE-2023-40205 | 1 Pixelgrade | 1 Pixtypes | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Pixelgrade PixTypes plugin <= 1.4.15 versions. |
| CVE-2023-40197 | 1 Flowpaper | 1 Flowpaper | 2024-11-21 | N/A | 6.5 MEDIUM | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Devaldi Ltd flowpaper plugin <= 1.9.9 versions. |
| CVE-2023-40196 | 1 Imagerecycle | 1 Imagerecycle Pdf & Image Compression | 2024-11-21 | N/A | 7.1 HIGH | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ImageRecycle ImageRecycle pdf & image compression plugin <= 3.1.11 versions. |
| CVE-2023-40176 | 1 Xwiki | 1 Xwiki | 2024-11-21 | N/A | 9.0 CRITICAL | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop down (no free text value) it can still be set from JavaScript (using the browser developer tools) or by calling the save URL on the user profile with the right query string. Once the time zone is set it ... |
| CVE-2023-40170 | 1 Jupyter | 1 Jupyter Server | 2024-11-21 | N/A | 4.6 MEDIUM | jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHan ... |
| CVE-2023-40153 | 1 Dexma | 1 Dexgate | 2024-11-21 | N/A | 5.4 MEDIUM | The affected product is vulnerable to a cross-site scripting vulnerability, which could allow an attacker to access the web application to introduce arbitrary JavaScript by injecting an XSS payload into the 'hostname' parameter of the vulnerable software. |
| CVE-2023-40143 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-11-21 | N/A | 5.4 MEDIUM | An attacker with access to the Westermo Lynx web application that has the vulnerable software could introduce arbitrary JavaScript by injecting a cross-site scripting payload into the "forward.0.domain" parameter. |
| CVE-2023-40068 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-11-21 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege. |