Total
45157 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-21485 | 1 Alluxio | 1 Alluxio | 2024-12-09 | 6.1 Medium |
| Cross Site Scripting vulnerability in Alluxio v.1.8.1 allows a remote attacker to executea arbitrary code via the path parameter in the browse board component. | ||||
| CVE-2020-21268 | 1 Easycorp | 1 Zentao | 2024-12-09 | 6.1 Medium |
| Cross Site Scripting vulnerability in EasySoft ZenTao v.11.6.4 allows a remote attacker to execute arbitrary code via the lastComment parameter. | ||||
| CVE-2023-34461 | 1 Pybb Project | 1 Pybb | 2024-12-09 | 4.6 Medium |
| PyBB is an open source bulletin board. A manual code review of the PyBB bulletin board server has revealed that a vulnerability could have been exploited in which users could submit any type of HTML tag, and have said tag run. For example, a malicious `<a>` that looks like ```<a href=javascript:alert (1)>xss</a>``` could have been used to run code through JavaScript on the client side. The problem has been patched as of commit `5defd92`, and users are advised to upgrade. Attackers do need posting privilege in order to exploit this vulnerability. This vulnerability is present within the 0.1.0 release, and users are advised to upgrade to 0.1.1. Users unable to upgrade may be able to work around the attack by either; Removing the ability to create posts, removing the `|safe` tag from the Jinja2 template titled "post.html" in templates or by adding manual validation of links in the post creation section. | ||||
| CVE-2023-32659 | 1 Subnet | 1 Powersystem Center | 2024-12-09 | 6.5 Medium |
| SUBNET PowerSYSTEM Center versions 2020 U10 and prior contain a cross-site scripting vulnerability that may allow an attacker to inject malicious code into report header graphic files that could propagate out of the system and reach users who are subscribed to email notifications. | ||||
| CVE-2024-0011 | 1 Paloaltonetworks | 1 Pan-os | 2024-12-09 | 4.3 Medium |
| A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript (in the context of an authenticated Captive Portal user’s browser) if a user clicks on a malicious link, allowing phishing attacks that could lead to credential theft. | ||||
| CVE-2022-1002 | 1 Mattermost | 1 Mattermost | 2024-12-06 | 2 Low |
| Mattermost 6.3.0 and earlier fails to properly sanitize the HTML content in the email invitation sent to guest users, which allows registered users with special permissions to invite guest users to inject unescaped HTML content in the email invitations. | ||||
| CVE-2023-1421 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 3.5 Low |
| A reflected cross-site scripting vulnerability in the OAuth flow completion endpoints in Mattermost allows an attacker to send AJAX requests on behalf of the victim via sharing a crafted link with a malicious state parameter. | ||||
| CVE-2023-1776 | 1 Mattermost | 1 Mattermost Server | 2024-12-06 | 7.3 High |
| Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file. | ||||
| CVE-2024-38503 | 1 Apache | 1 Syncope | 2024-12-06 | 3.9 Low |
| When editing a user, group or any object in the Syncope Console, HTML tags could be added to any text field and could lead to potential exploits. The same vulnerability was found in the Syncope Enduser, when editing “Personal Information” or “User Requests”. Users are recommended to upgrade to version 3.0.8, which fixes this issue. | ||||
| CVE-2024-37476 | 1 Automattic | 1 Newspack Popups | 2024-12-06 | 6.5 Medium |
| Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS.This issue affects Newspack Campaigns: from n/a through 2.31.1. | ||||
| CVE-2024-1834 | 1 Oretnom23 | 1 Simple Student Attendance System | 2024-12-06 | 3.5 Low |
| A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been classified as problematic. This affects an unknown part of the file ?page=attendance&class_id=1. The manipulation of the argument class_date with the input 2024-02-23%22%3E%3Cscript%3Ealert(1)%3C/script%3E leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254625 was assigned to this vulnerability. | ||||
| CVE-2024-1822 | 1 Phpgurukul | 1 Tourism Management System | 2024-12-06 | 2.4 Low |
| A vulnerability classified as problematic has been found in PHPGurukul Tourism Management System 1.0. Affected is an unknown function of the file user-bookings.php. The manipulation of the argument Full Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-254610 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-29707 | 1 Gbcom | 1 Lac Web Control Center | 2024-12-06 | 4.8 Medium |
| Cross Site Scripting (XSS) vulnerability in GBCOM LAC WEB Control Center version lac-1.3.x, allows attackers to create an arbitrary device. | ||||
| CVE-2023-30347 | 1 Stl | 1 Neox Dial Centre | 2024-12-06 | 4.8 Medium |
| Cross Site Scripting (XSS) vulnerability in Neox Contact Center 2.3.9, via the serach_sms_api_name parameter to the SMA API search. | ||||
| CVE-2023-33725 | 1 Broadleafcommerce | 1 Broadleaf Commerce | 2024-12-06 | 6.1 Medium |
| Broadleaf 5.x and 6.x (including 5.2.25-GA and 6.2.6-GA) was discovered to contain a cross-site scripting (XSS) vulnerability via a customer signup with a crafted email address. This is fixed in 6.2.6.1-GA. | ||||
| CVE-2023-33591 | 1 User Registration \& Login And User Management System Project | 1 User Registration \& Login And User Management System | 2024-12-06 | 6.1 Medium |
| User Registration & Login and User Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/search-result.php. | ||||
| CVE-2023-31868 | 1 Sage | 1 X3 | 2024-12-06 | 5.4 Medium |
| Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user's inputs. Yet, those inputs are not verified nor filtered by the application, so they mathed the expected format. Therefore, when HTML/JavaScript code is injected into those fields, this code will be saved by the application and executed by the web browser of the user viewing the web page. Several injection points have been identified on the application. The major one requires the user to be authenticated with a common account, he can then target an Administrator. All others endpoints need the malicious user to be authenticated as an Administrator. Therefore, the impact is diminished. | ||||
| CVE-2023-33387 | 1 Datev | 1 Eg Personal-management System Comfort\/comfort Plus | 2024-12-06 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability in DATEV eG Personal-Management System Comfort/Comfort Plus v15.1.0 to v16.1.1 P4 allows attackers to steal targeted users' login data by sending a crafted link. | ||||
| CVE-2023-28800 | 1 Zscaler | 1 Client Connector | 2024-12-06 | 8.1 High |
| When using local accounts for administration, the redirect url parameter was not encoded correctly, allowing for an XSS attack providing admin login. | ||||
| CVE-2024-1825 | 1 Codeastro | 1 House Rental Management System | 2024-12-06 | 4.3 Medium |
| A vulnerability, which was classified as problematic, was found in CodeAstro House Rental Management System 1.0. This affects an unknown part of the component User Registration Page. The manipulation of the argument address with the input <img src="1" onerror="console.log(1)"> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254613 was assigned to this vulnerability. | ||||