Total: 45240 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-7398 | 1 Concretecms | 1 Concrete Cms | 2025-01-21 | 5.4 Medium |
| Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Thank you, Yusuke Uchida for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC) | ||||
| CVE-2024-8291 | 1 Concretecms | 1 Concrete Cms | 2025-01-17 | 4.8 Medium |
| Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, Alexey Solovyev for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC). | ||||
| CVE-2024-4353 | 1 Concretecms | 1 Concrete Cms | 2025-01-17 | 4.8 Medium |
| Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 4.6 with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC). | ||||
| CVE-2024-7512 | 1 Concretecms | 1 Concrete Cms | 2025-01-17 | 4.8 Medium |
| Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting. (CNA updated AC score to L based on CVSS 4.0 documentation) | ||||
| CVE-2023-28367 | 1 Vektor-inc | 1 Vk All In One Expansion Unit | 2025-01-17 | 5.4 Medium |
| Cross-site scripting vulnerability in CTA post function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-27926 | 1 Vektor-inc | 1 Vk All In One Expansion Unit | 2025-01-17 | 5.4 Medium |
| Cross-site scripting vulnerability in Profile setting function of VK All in One Expansion Unit 9.88.1.0 and earlier allows a remote authenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-27925 | 1 Vektor-inc | 1 Vk Blocks | 2025-01-17 | 5.4 Medium |
| Cross-site scripting vulnerability in Post function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-27923 | 1 Vektor-inc | 1 Vk Blocks | 2025-01-17 | 5.4 Medium |
| Cross-site scripting vulnerability in Tag edit function of VK Blocks 1.53.0.1 and earlier and VK Blocks Pro 1.53.0.1 and earlier allows a remote authenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-28655 | 1 Sauter-controls | 2 Ey-as525f001, Ey-as525f001 Firmware | 2025-01-17 | 5.4 Medium |
| A malicious user could leverage this vulnerability to escalate privileges or perform unauthorized actions in the context of the targeted privileged users. | ||||
| CVE-2023-28650 | 1 Sauter-controls | 2 Ey-as525f001, Ey-as525f001 Firmware | 2025-01-17 | 6.1 Medium |
| An unauthenticated remote attacker could provide a malicious link and trick an unsuspecting user into clicking on it. If clicked, the attacker could execute the malicious JavaScript (JS) payload in the target’s security context. | ||||
| CVE-2023-22300 | 1 Sauter-controls | 2 Ey-as525f001, Ey-as525f001 Firmware | 2025-01-17 | 6.1 Medium |
| An unauthenticated remote attacker could force all authenticated users, such as administrative users, to perform unauthorized actions by viewing the logs. This action would also grant the attacker privilege escalation. | ||||
| CVE-2023-0432 | 1 Deltaww | 2 Dx-2100l1-cn, Dx-2100l1-cn Firmware | 2025-01-17 | 9 Critical |
| The web configuration service of the affected device contains an authenticated command injection vulnerability. It can be used to execute system commands on the operating system (OS) from the device in the context of the user "root." If the attacker has credentials for the web service, then the device could be fully compromised. | ||||
| CVE-2023-27922 | 1 Thenewsletterplugin | 1 Newsletter | 2025-01-17 | 6.1 Medium |
| Cross-site scripting vulnerability in Newsletter versions prior to 7.6.9 allows a remote unauthenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-1209 | 1 Servicenow | 1 Servicenow | 2025-01-17 | 4.3 Medium |
| Cross-Site Scripting (XSS) vulnerabilities exist in ServiceNow records allowing an authenticated attacker to inject arbitrary scripts. | ||||
| CVE-2024-3377 | 1 Oretnom23 | 1 Computer Laboratory Management System | 2025-01-17 | 4.3 Medium |
| A vulnerability classified as problematic was found in SourceCodester Computer Laboratory Management System 1.0. This vulnerability affects unknown code of the file /classes/SystemSettings.php?f=update_settings. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259498 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-31995 | 1 Hanwhavision | 236 Ane-l6012r, Ane-l6012r Firmware, Ane-l7012r and 233 more | 2025-01-17 | 5.4 Medium |
| Hanwha IP Camera ANE-L7012R 1.41.01 is vulnerable to Cross Site Scripting (XSS). | ||||
| CVE-2024-3427 | 1 Argie | 1 Online Courseware | 2025-01-17 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in SourceCodester Online Courseware 1.0. This affects an unknown part of the file addq.php. The manipulation of the argument id leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259599. | ||||
| CVE-2024-3426 | 1 Argie | 1 Online Courseware | 2025-01-17 | 3.5 Low |
| A vulnerability, which was classified as problematic, has been found in SourceCodester Online Courseware 1.0. Affected by this issue is some unknown functionality of the file editt.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-259598 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-30469 | 2 Hitachi, Linux | 2 Ops Center Analyzer, Linux Kernel | 2025-01-17 | 7.6 High |
| Cross-site Scripting vulnerability in Hitachi Ops Center Analyzer (Hitachi Ops Center Analyzer detail view component) allows Reflected XSS. This issue affects Hitachi Ops Center Analyzer: from 10.9.1-00 before 10.9.2-00. | ||||
| CVE-2023-25598 | 1 Mitel | 1 Mivoice Connect | 2025-01-17 | 6.1 Medium |
| A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts. | ||||