Total
36870 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48396 | 2024-10-30 | N/A | 6.1 MEDIUM | ||
| AIML Chatbot 1.0 (fixed in 2.0) is vulnerable to Cross Site Scripting (XSS). The vulnerability is exploited through the message input field, where attackers can inject malicious HTML or JavaScript code. The chatbot fails to sanitize these inputs, leading to the execution of malicious scripts. | |||||
| CVE-2024-42550 | 2024-10-30 | N/A | 5.4 MEDIUM | ||
| A cross-site scripting (XSS) vulnerability in the component /email/welcome.php of Mini Inventory and Sales Management System commit 18aa3d allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter. | |||||
| CVE-2024-45714 | 1 Solarwinds | 1 Serv-u | 2024-10-30 | N/A | 4.1 MEDIUM |
| Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload. | |||||
| CVE-2024-49268 | 1 Sunburntkamel | 1 Disconnected | 2024-10-30 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in sunburntkamel disconnected allows Reflected XSS.This issue affects disconnected: from n/a through 1.3.0. | |||||
| CVE-2024-49265 | 1 Booking | 1 Banner Creator | 2024-10-30 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Partnerships at Booking.Com Booking.Com Banner Creator allows Stored XSS.This issue affects Booking.Com Banner Creator: from n/a through 1.4.6. | |||||
| CVE-2024-49211 | 1 Archerirm | 1 Archer | 2024-10-30 | N/A | 6.1 MEDIUM |
| Reflected XSS was discovered in a Dashboard Listing Archer Platform UX page in Archer Platform 6.x before version 2024.08. A remote unauthenticated attacker could potentially exploit this by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and executed by the web browser in the context of the vulnerable web application. | |||||
| CVE-2024-49210 | 1 Archerirm | 1 Archer | 2024-10-30 | N/A | 6.1 MEDIUM |
| Reflected XSS was discovered in an iView List Archer Platform UX page in Archer Platform 6.x before version 2024.09. A remote unauthenticated attacker could potentially exploit this by tricking a victim application user into supplying malicious HTML or JavaScript code to the vulnerable web application; the malicious code is then reflected back to the victim and executed by the web browser in the context of the vulnerable web application. | |||||
| CVE-2024-48233 | 2024-10-30 | N/A | 4.8 MEDIUM | ||
| mipjz 5.0.5 is vulnerable to Cross Site Scripting (XSS) in \app\setting\controller\ApiAdminSetting.php via the ICP parameter. | |||||
| CVE-2024-9231 | 1 Butlerblog | 1 Wp-members | 2024-10-30 | N/A | 6.1 MEDIUM |
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-10433 | 1 Projectworlds | 1 Simple Web-based Chat Application | 2024-10-30 | 4.0 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Project Worlds Simple Web-Based Chat Application 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument Name/Comment leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions different parameters to be affected which do not correlate with the screenshots of a successful attack. | |||||
| CVE-2024-47063 | 1 Cvat | 1 Computer Vision Annotation Tool | 2024-10-30 | N/A | 6.1 MEDIUM |
| Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If a malicious CVAT user with permissions to either create a task, or edit an existing task can trick another logged-in user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue. | |||||
| CVE-2024-47064 | 1 Cvat | 1 Computer Vision Annotation Tool | 2024-10-30 | N/A | 6.1 MEDIUM |
| Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue. | |||||
| CVE-2024-47878 | 1 Openrefine | 1 Openrefine | 2024-10-30 | N/A | 6.1 MEDIUM |
| OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint includes the `state` GET parameter verbatim in a `<script>` tag in the output, so without escaping. An attacker could lead or redirect a user to a crafted URL containing JavaScript code, which would then cause that code to be executed in the victim's browser as if it was part of OpenRefine. Version 3.8.3 fixes this issue. | |||||
| CVE-2024-47880 | 1 Openrefine | 1 Openrefine | 2024-10-30 | N/A | 6.9 MEDIUM |
| OpenRefine is a free, open source tool for working with messy data. Prior to version 3.8.3, the `export-rows` command can be used in such a way that it reflects part of the request verbatim, with a Content-Type header also taken from the request. An attacker could lead a user to a malicious page that submits a form POST that contains embedded JavaScript code. This code would then be included in the response, along with an attacker-controlled `Content-Type` header, and so potentially executed in the victim's browser as if it was part of OpenRefine. The attacker-provided code can do anything the user can do, including deleting projects, retrieving database passwords, or executing arbitrary Jython or Closure expressions, if those extensions are also present. The attacker must know a valid project ID of a project that contains at least one row. Version 3.8.3 fixes the issue. | |||||
| CVE-2022-4971 | 1 Heateor | 1 Sassy Social Share | 2024-10-30 | N/A | 6.1 MEDIUM |
| The Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'urls' parameter called via the 'heateor_sss_sharing_count' AJAX action in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2022-4973 | 1 Wordpress | 1 Wordpress | 2024-10-30 | N/A | 5.4 MEDIUM |
| WordPress Core, in versions up to 6.0.2, is vulnerable to Authenticated Stored Cross-Site Scripting that can be exploited by users with access to the WordPress post and page editor, typically consisting of Authors, Contributors, and Editors making it possible to inject arbitrary web scripts into posts and pages that execute if the the_meta(); function is called on that page. | |||||
| CVE-2024-48119 | 1 Vtiger | 1 Vtiger Crm | 2024-10-30 | N/A | 5.4 MEDIUM |
| Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML. | |||||
| CVE-2024-10348 | 1 Mayurik | 1 Best House Rental Management System | 2024-10-30 | 4.0 MEDIUM | 5.4 MEDIUM |
| A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only shows the field "Last Name" to be affected. Other fields might be affected as well. | |||||
| CVE-2024-48448 | 2024-10-29 | N/A | 6.1 MEDIUM | ||
| An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. | |||||
| CVE-2024-41519 | 1 Mecodia | 1 Feripro | 2024-10-29 | N/A | 5.4 MEDIUM |
| Feripro <= v2.2.3 is vulnerable to Cross Site Scripting (XSS) via "/admin/programm/<program_id>/zuordnung/veranstaltungen/<event_id>" through the "school" input field. | |||||