Total
366 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-6052 | 1 Checkmk | 1 Checkmk | 2024-11-21 | N/A | 6.5 MEDIUM |
| Stored XSS in Checkmk before versions 2.3.0p8, 2.2.0p29, 2.1.0p45, and 2.0.0 (EOL) allows users to execute arbitrary scripts by injecting HTML elements | |||||
| CVE-2024-5741 | 1 Checkmk | 1 Checkmk | 2024-11-21 | N/A | 6.5 MEDIUM |
| Stored XSS in inventory tree rendering in Checkmk before 2.3.0p7, 2.2.0p28, 2.1.0p45 and 2.0.0 (EOL) | |||||
| CVE-2024-37732 | 1 Anchorcms | 1 Anchor Cms | 2024-11-21 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf file. | |||||
| CVE-2024-37297 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | N/A | 5.4 MEDIUM |
| WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature. | |||||
| CVE-2024-37156 | 1 Sulu | 1 Suluformbundle | 2024-11-21 | N/A | 6.1 MEDIUM |
| The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3. | |||||
| CVE-2024-36395 | 1 Verint | 1 Workforce Optimization | 2024-11-21 | N/A | 6.1 MEDIUM |
| Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | |||||
| CVE-2024-32464 | 1 Rubyonrails | 1 Rails | 2024-11-21 | N/A | 6.1 MEDIUM |
| Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2. | |||||
| CVE-2024-25639 | 1 Khoj | 1 Khoj | 2024-11-21 | N/A | 5.9 MEDIUM |
| Khoj is an application that creates personal AI agents. The Khoj Obsidian, Desktop and Web clients inadequately sanitize the AI model's response and user inputs. This can trigger Cross Site Scripting (XSS) via Prompt Injection from untrusted documents either indexed by the user on Khoj or read by Khoj from the internet when the user invokes the /online command. This vulnerability is fixed in 1.13.0. | |||||
| CVE-2024-24574 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 6.5 MEDIUM |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5. | |||||
| CVE-2024-24571 | 1 Facilemanager | 1 Facilemanager | 2024-11-21 | N/A | 5.4 MEDIUM |
| facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient input validation. | |||||
| CVE-2024-23841 | 1 Apollographql | 1 Apollo Client | 2024-11-21 | N/A | 8.2 HIGH |
| apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later. | |||||
| CVE-2024-0183 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-11-21 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249441 was assigned to this vulnerability. | |||||
| CVE-2023-5582 | 1 Zzzcms | 1 Zzzcms | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, has been found in ZZZCMS 2.2.0. This issue affects some unknown processing of the component Personal Profile Page. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-242147. | |||||
| CVE-2023-44393 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | 9.3 CRITICAL |
| Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue. | |||||
| CVE-2023-42458 | 1 Zope | 1 Zope | 2024-11-21 | N/A | 3.7 LOW |
| Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission. | |||||
| CVE-2023-3017 | 1 Oretnom23 | 1 Lost And Found Information System | 2024-11-21 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been classified as problematic. This affects an unknown part of the file admin/?page=user/manage_user of the component Manage User Page. The manipulation of the argument First Name/Middle Name/Last Name leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230361 was assigned to this vulnerability. | |||||
| CVE-2023-39217 | 1 Zoom | 2 Meeting Software Development Kit, Video Software Development Kit | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper input validation in Zoom SDK’s before 5.14.10 may allow an unauthenticated user to enable a denial of service via network access. | |||||
| CVE-2023-39216 | 1 Zoom | 1 Zoom | 2024-11-21 | N/A | 9.6 CRITICAL |
| Improper input validation in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network access. | |||||
| CVE-2023-2981 | 1 Abstrium | 1 Pydio Cells | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, has been found in Abstrium Pydio Cells 4.2.0. This issue affects some unknown processing of the component Chat. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-230213 was assigned to this vulnerability. | |||||
| CVE-2023-26047 | 1 Kitabisa | 1 Teler-waf | 2024-11-21 | N/A | 6.5 MEDIUM |
| teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version v0.2.0 is vulnerable to a bypass attack when a specific case-sensitive hex entities payload with special characters such as CR/LF and horizontal tab is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been patched in version 0.2.0. | |||||