Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-37533 | 1 Hcltech | 1 Connections | 2024-11-21 | N/A | 5.4 MEDIUM |
|
HCL Connections is vulnerable to reflected cross-site scripting (XSS) where an attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which contains the malicious script code. This may allow the attacker to steal cookie-based authentication credentials and compromise a user's account, then launch other attacks.
|
|||||
| CVE-2023-37520 | 1 Hcltech | 1 Bigfix Platform | 2024-11-21 | N/A | 7.7 HIGH |
|
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. This XSS vulnerability is in the Gather Status Report, which is served by the BigFix Relay.
|
|||||
| CVE-2023-37501 | 1 Hcltech | 1 Unica | 2024-11-21 | N/A | 8.1 HIGH |
|
A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other attacks.
|
|||||
| CVE-2023-37500 | 1 Hcltech | 1 Unica | 2024-11-21 | N/A | 8.1 HIGH |
|
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other attacks.
|
|||||
| CVE-2023-37499 | 1 Hcltech | 1 Unica | 2024-11-21 | N/A | 8.1 HIGH |
|
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other attacks.
|
|||||
| CVE-2023-37496 | 1 Hcltech | 1 Verse | 2024-11-21 | N/A | 8.3 HIGH |
|
HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information.
|
|||||
| CVE-2023-37488 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | N/A | 6.1 MEDIUM |
|
In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system.
|
|||||
| CVE-2023-37467 | 1 Discourse | 1 Discourse | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered that could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't app ...
|
|||||
| CVE-2023-37439 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.
|
|||||
| CVE-2023-37425 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 8.0 HIGH |
|
A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2023-37423 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 8.1 HIGH |
|
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2023-37422 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 8.1 HIGH |
|
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2023-37421 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | N/A | 8.1 HIGH |
|
Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
|
|||||
| CVE-2023-37393 | 1 Atarim | 1 Atarim | 2024-11-21 | N/A | 7.1 HIGH |
|
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Atarim Visual Website Collaboration, Feedback & Project Management – Atarim plugin <= 3.9.3 versions.
|
|||||
| CVE-2023-37388 | 1 Supito | 1 Mahato Simple Light Weight Social Share | 2024-11-21 | N/A | 5.9 MEDIUM |
|
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sudipto Pratap Mahato Simple Light Weight Social Share plugin <= 2.0 versions.
|
|||||
| CVE-2023-37308 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.
|
|||||
| CVE-2023-37307 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-11-21 | N/A | 5.4 MEDIUM |
|
In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts.
|
|||||
| CVE-2023-37304 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 5.4 MEDIUM |
|
An issue was discovered in the DoubleWiki extension for MediaWiki through 1.39.3. includes/DoubleWiki.php allows XSS via the column alignment feature.
|
|||||
| CVE-2023-37302 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 6.1 MEDIUM |
|
An issue was discovered in SiteLinksView.php in Wikibase in MediaWiki through 1.39.3. There is XSS via a crafted badge title attribute. This is also related to lack of escaping in wbTemplate (from resources/wikibase/templates.js) for quotes (which can be in a title attribute).
|
|||||
| CVE-2023-37299 | 1 Joplin Project | 1 Joplin | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Joplin before 2.11.5 allows XSS via an AREA element of an image map.
|
|||||
| CVE-2023-37298 | 1 Joplin Project | 1 Joplin | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Joplin before 2.11.5 allows XSS via a USE element in an SVG document.
|
|||||
| CVE-2023-37280 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | N/A | 5.0 MEDIUM |
|
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not set up two-factor authentication before is vulnerable to this attack, without the need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This vulnerability has been patched in version 1.0.3.
|
|||||
| CVE-2023-37272 | 1 Sos-berlin | 1 Jobscheduler | 2024-11-21 | N/A | 6.3 MEDIUM |
|
JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19.
|
|||||
| CVE-2023-37269 | 1 Wintercms | 1 Winter | 2024-11-21 | N/A | 2.0 LOW |
|
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and co ...
|
|||||
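The Joplin entries (XSS via an AREA element of an image map, and via a USE element in an SVG document) and the Winter CMS entry (unsanitized SVG logo upload) share a root cause class: an allowlist sanitizer that knows about `a[href]` and `img[src]` but not about the other elements and attributes that carry URLs or script. The following is an added example, not Joplin or Winter CMS code: a coverage check that walks markup and reports URL-bearing attributes with a non-http(s) scheme, including `area[href]` and `use[href|xlink:href]`, plus inline event handlers. The fixtures are constructed for this example; the `data:` target on the `use` element is a placeholder and no claim is made about what a given browser does with it. The function and fixture names are assumptions.

```javascript
// Added example, not Joplin or Winter CMS code: coverage check for URL-bearing attributes that
// allowlist sanitizers often overlook (<area href>, SVG <use href>/<xlink:href>) and for inline
// event handlers on uploaded SVG. All fixtures below are constructed.
const URL_ATTRS = new Set(['href', 'xlink:href', 'src', 'action', 'formaction', 'data', 'poster']);
const SAFE_SCHEMES = new Set(['http', 'https']);

// Resolve character references the way the attribute value is decoded before use,
// so that "&#106;avascript:" is recognised as "javascript:".
function decodeEntities(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", tab: '\t', newline: '\n' };
  const cp = n => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos|tab|newline);/gi, (_, n) => named[n.toLowerCase()]);
}

// Scheme as a browser would see it: entities decoded, ASCII controls and spaces stripped,
// case-insensitive. Returns null for a relative URL (no scheme).
function schemeOf(value) {
  const cleaned = decodeEntities(value).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Walk start tags and their attributes (adequate for these fixtures; use a DOM parser on real
// input) and report attributes a sanitizer must not pass through unchanged.
function findRiskyAttributes(markup) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;
  for (let t; (t = tagRe.exec(markup)) !== null;) {
    const tag = t[1].toLowerCase();
    for (let a; (a = attrRe.exec(t[2])) !== null;) {
      const name = a[1].toLowerCase();
      const raw = a[2] || '';
      const value = /^["']/.test(raw) ? raw.slice(1, -1) : raw;
      if (name.startsWith('on')) {
        findings.push({ tag, attr: name, reason: 'inline event handler' });
      } else if (URL_ATTRS.has(name)) {
        const scheme = schemeOf(value);
        if (scheme !== null && !SAFE_SCHEMES.has(scheme)) {
          findings.push({ tag, attr: name, reason: `disallowed scheme ${scheme}` });
        }
      }
    }
  }
  return findings;
}

// Constructed fixtures covering the vector classes named in the entries above.
const FIXTURES = {
  areaImageMap: '<img src="map.png" usemap="#m" alt=""><map name="m"><area shape="rect" coords="0,0,10,10" href="javascript:alert(1)"></map>',
  svgUse: '<svg xmlns="http://www.w3.org/2000/svg"><use href="data:image/svg+xml,%3Csvg%3E%3C/svg%3E"/></svg>',
  svgUseXlink: '<svg><use xlink:href="&#106;avascript:alert(1)"/></svg>',
  logoSvg: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"><rect width="1" height="1"/></svg>',
  benign: '<a href="https://example.org/docs">docs</a><img src="/static/logo.png" alt="logo">',
};

// "tag.attr" labels for a fixture, convenient for assertions and for a sanitizer's test suite.
function riskyLabels(markup) {
  return findRiskyAttributes(markup).map(f => `${f.tag}.${f.attr}`);
}
```

This is a coverage check to run against a sanitizer's output (or a CI fixture set), not a sanitizer: the benign fixture yields nothing, each constructed vector yields exactly the attribute that a complete allowlist would have to strip or rewrite. For uploaded SVG in particular, the Winter CMS entry is a reminder that an upload permission held by a privileged role is still an injection surface when the file is later served inline to other users.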
| CVE-2023-37259 | 1 Matrix-react-sdk Project | 1 Matrix-react-sdk | 2024-11-21 | N/A | 6.1 MEDIUM |
|
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A mali ...
|
|||||
| CVE-2023-37257 | 1 Dataease | 1 Dataease | 2024-11-21 | N/A | 5.4 MEDIUM |
|
DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, the DataEase panel and dataset have a stored cross-site scripting vulnerability. The vulnerability has been fixed in v1.18.9. There are no known workarounds.
|
|||||
| CVE-2023-37255 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 6.1 MEDIUM |
|
An issue was discovered in the CheckUser extension for MediaWiki through 1.39.3. In Special:CheckUser, a check of the "get edits" type is vulnerable to HTML injection through the User-Agent HTTP request header.
|
|||||
| CVE-2023-37254 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 6.1 MEDIUM |
|
An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format.
|
|||||
| CVE-2023-37251 | 1 Mediawiki | 1 Mediawiki | 2024-11-21 | N/A | 6.1 MEDIUM |
|
An issue was discovered in the GoogleAnalyticsMetrics extension for MediaWiki through 1.39.3. The googleanalyticstrackurl parser function does not properly escape JavaScript in the onclick handler and does not prevent use of javascript: URLs.
|
|||||
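Two entries above describe the same failure in different output contexts: the Wikibase badge renders untrusted text into a `title` attribute without escaping quotes, and the GoogleAnalyticsMetrics parser function places a URL inside a JavaScript string in an `onclick` handler without JS-string escaping and without rejecting `javascript:` URLs. The following is an added example, not MediaWiki, Wikibase or GoogleAnalyticsMetrics code. It shows the incomplete escaping beside the context-correct form for each of the three contexts (HTML attribute, URL, JS string inside an attribute). The class name `wb-badge`, the `track()` handler and all function names are assumptions for illustration.

```javascript
// Added example, not MediaWiki/Wikibase/GoogleAnalyticsMetrics code: output encoding per
// context. Names such as wb-badge and track() are assumed for illustration.

// Models the incomplete escaping: text-context characters only, quotes untouched.
function escapeTextOnly(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute context additionally needs both quote characters encoded.
function escapeAttr(s) {
  return escapeTextOnly(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Badge rendering with text-only escaping (the vulnerable pattern) and hardened.
function badgeVulnerable(title) {
  return `<span class="wb-badge" title="${escapeTextOnly(title)}"></span>`;
}
function badgeHardened(title) {
  return `<span class="wb-badge" title="${escapeAttr(title)}"></span>`;
}

// URL context: allow only http(s) or scheme-less (relative) URLs. Browsers strip ASCII
// control characters and spaces before matching the scheme, so do the same before checking.
function safeHref(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (m && !['http', 'https'].includes(m[1].toLowerCase())) return '#';
  return url;
}

// Track link, vulnerable form: raw input interpolated into the JS string inside onclick
// and into href, so both a quote breakout and a javascript: URL go through.
function trackLinkVulnerable(url, label) {
  return `<a href="${url}" onclick="track('${url}')">${escapeTextOnly(label)}</a>`;
}

// Hardened: scheme check first, then two encoding layers for the handler argument.
// JSON.stringify yields a JS string literal; escapeAttr makes that literal safe inside a
// double-quoted attribute (the HTML parser decodes the entities before the JS parser runs).
function trackLinkHardened(url, label) {
  const href = safeHref(url);
  const jsLiteral = escapeAttr(JSON.stringify(href));
  return `<a href="${escapeAttr(href)}" onclick="track(${jsLiteral})">${escapeTextOnly(label)}</a>`;
}
```

The point to take from the badge case is that `&amp;`/`&lt;`/`&gt;` encoding is a text-node rule; inside an attribute a bare `"` ends the value and whatever follows becomes new attributes. The point from the link case is that a value nested in two contexts (a JS string inside an HTML attribute) needs both encoders, applied in the order the browser will decode them, and that encoding alone never neutralises a `javascript:` URL: that needs a scheme allowlist.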
| CVE-2023-37225 | 1 Pexip | 1 Pexip Infinity | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Pexip Infinity before 32 allows Webapp1 XSS via preconfigured links.
|
|||||
| CVE-2023-37223 | 1 Archerirm | 1 Archer | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in Archer Platform before v.6.13 and fixed in v.6.12.0.6 and v.6.13.0 allows a remote authenticated attacker to execute arbitrary code via a crafted malicious script.
|
|||||
| CVE-2023-37222 | 1 Farsight | 1 Provide Server | 2024-11-21 | N/A | 4.8 MEDIUM |
|
Farsight Tech Nordic AB ProVide version 14.5 - Multiple XSS vulnerabilities (CWE-79) can be exploited by a user with administrator privilege.
|
|||||
| CVE-2023-37221 | 1 7-twenty | 1 Bot | 2024-11-21 | N/A | 8.8 HIGH |
|
7Twenty BOT - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
|
|||||
| CVE-2023-37191 | 1 Issabel | 1 Pbx | 2024-11-21 | N/A | 4.8 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Group and Description parameters.
|
|||||
| CVE-2023-37190 | 1 Issabel | 1 Pbx | 2024-11-21 | N/A | 4.8 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in Issabel issabel-pbx v.4.0.0-6 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Virtual Fax Name and Caller ID Name parameters under the New Virtual Fax feature.
|
|||||
| CVE-2023-37189 | 1 Issabel | 1 Pbx | 2024-11-21 | N/A | 4.8 MEDIUM |
|
A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the Name or Prefix fields under the Create New Rate module.
|
|||||
| CVE-2023-37164 | 1 Diafan | 1 Diafan.cms | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Diafan CMS v6.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the cat_id parameter at /shop/?module=shop&action=search.
|
|||||
| CVE-2023-37153 | 1 Kodcloud | 1 Kodexplorer | 2024-11-21 | N/A | 6.1 MEDIUM |
|
KodExplorer 4.51 contains a Cross-Site Scripting (XSS) vulnerability in the Description box of the Light App creation feature. An attacker can exploit this vulnerability by injecting XSS syntax into the Description field.
|
|||||
| CVE-2023-37150 | 1 Online Pizza Ordering System Project | 1 Online Pizza Ordering System | 2024-11-21 | N/A | 6.1 MEDIUM |
|
Sourcecodester Online Pizza Ordering System v1.0 has a Cross-site scripting (XSS) vulnerability in the Category item at "/admin/index.php?page=categories".
|
|||||
| CVE-2023-37136 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | N/A | 5.4 MEDIUM |
|
A stored cross-site scripting (XSS) vulnerability in the Basic Website Information module of eyoucms v1.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
|
|||||