Total: 45263 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3083 | 1 Teampass | 1 Teampass | 2025-02-12 | 8.7 High |
| Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | ||||
| CVE-2023-30627 | 1 Jellyfin | 1 Jellyfin | 2025-02-12 | 9.1 Critical |
| jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds. | ||||
| CVE-2023-2822 | 1 Ellucian | 1 Ethos Identity | 2025-02-12 | 4.3 Medium |
| A vulnerability was found in Ellucian Ethos Identity up to 5.10.5. It has been classified as problematic. Affected is an unknown function of the file /cas/logout. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.10.6 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-229596. | ||||
| CVE-2023-2553 | 1 Bumsys Project | 1 Bumsys | 2025-02-12 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository unilogies/bumsys prior to 2.2.0. | ||||
| CVE-2023-2550 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-02-12 | 4.8 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.13. | ||||
| CVE-2023-1996 | 1 3ds | 1 3dexperience | 2025-02-12 | 6.1 Medium |
| A reflected Cross-site Scripting (XSS) vulnerability in Release 3DEXPERIENCE R2018x through Release 3DEXPERIENCE R2023x allows an attacker to execute arbitrary script code. | ||||
| CVE-2023-1686 | 1 Young Entrepreneur E-negosyo System Project | 1 Young Entrepreneur E-negosyo System | 2025-02-12 | 3.5 Low |
| A vulnerability was found in SourceCodester Young Entrepreneur E-Negosyo System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file bsenordering/admin/category/index.php of the component GET Parameter Handler. The manipulation of the argument view with the input `<script>alert(233)</script>` leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224243. | ||||
| CVE-2023-25827 | 1 Opentsdb | 1 Opentsdb | 2025-02-12 | 8.2 High |
| Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint. | ||||
| CVE-2023-26290 | 1 Forcepoint | 2 Cloud Security Gateway, Web Security | 2025-02-12 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_reset_request.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_reset_request.mhtml modules) allows Reflected XSS. This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023. | ||||
| CVE-2023-26292 | 1 Forcepoint | 2 Cloud Security Gateway, Web Security | 2025-02-12 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_submit.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_submit.mhtml modules) allows Reflected XSS. This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023. | ||||
| CVE-2023-27489 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-02-12 | 7.6 High |
| Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually. | ||||
| CVE-2023-25551 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2025-02-12 | 6.1 Medium |
| A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | ||||
| CVE-2022-42452 | 1 Hcltechsw | 1 Hcl Launch | 2025-02-12 | 4.6 Medium |
| HCL Launch is vulnerable to HTML injection. HTML code is stored and included without being sanitized. This can lead to further attacks such as XSS and Open Redirections. | ||||
| CVE-2024-1707 | 1 Garo | 2 Wallbox Glb\+ T2ev7, Wallbox Glb\+ T2ev7 Firmware | 2025-02-12 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in GARO WALLBOX GLB+ T2EV7 0.5. This affects an unknown part of the file /index.jsp#settings of the component Software Update Handler. The manipulation of the argument Reference leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254397 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-1121 | 1 Ibenic | 1 Simple Giveaways | 2025-02-11 | 4.8 Medium |
| The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-0157 | 1 Updraftplus | 1 All-in-one Security | 2025-02-11 | 4.8 Medium |
| The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. | ||||
| CVE-2024-37944 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Travel Engine allows Stored XSS. This issue affects WP Travel Engine: from n/a through 5.9.1. | ||||
| CVE-2023-1687 | 1 Task Allocation System Project | 1 Task Allocation System | 2025-02-11 | 3.5 Low |
| A vulnerability classified as problematic has been found in SourceCodester Simple Task Allocation System 1.0. Affected is an unknown function of the file LoginRegistration.php?a=register_user. The manipulation of the argument Fullname leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-224244. | ||||
| CVE-2024-9110 | 1 Beyondtrust | 1 Privileged Identity | 2025-02-11 | 6.4 Medium |
| A medium severity vulnerability has been identified within Privileged Identity which can allow an attacker to perform reflected cross-site scripting attacks. | ||||
| CVE-2024-37308 | 1 Boxystudio | 1 Cooked | 2025-02-11 | 5.4 Medium |
| The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0. | ||||