Total: 45116 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-5626 | 1 Data443 | 1 Inline Related Posts | 2024-11-21 | 6.1 Medium | The Inline Related Posts WordPress plugin before 3.7.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-5478 | 1 Lunary | 1 Lunary | 2024-11-21 | 6.1 Medium | A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before incorporating it into the generated response. Specifically, the endpoint generates XML responses for SAML metadata, where the `orgId` parameter is directly embedded into the XML structure without proper sanitization or validation. This flaw allows an attacker to inject arbitrary JavaScript code into the generated SAML metadata page, leading to potential theft of user cookies or authentication tokens. |
| CVE-2024-5448 | 1 Mohsinrasool | 1 Paypal Pay Now, Buy Now, Donation And Cart Buttons Shortcode | 2024-11-21 | 5.4 Medium | The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-5447 | 1 Mohsinrasool | 1 Paypal Pay Now, Buy Now, Donation And Cart Buttons Shortcode | 2024-11-21 | 4.8 Medium | The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-5199 | 1 Wolfiezero | 1 Spotify Play Button | 2024-11-21 | 6.1 Medium | The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-5172 | 1 Expert Invoice Project | 1 Expert Invoice | 2024-11-21 | 4.8 Medium | The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-5169 | 1 Nikodev | 1 Video Widget | 2024-11-21 | 4.8 Medium | The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-5062 | 1 Zenml | 1 Zenml | 2024-11-21 | 6.1 Medium | A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the 'redirect' parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user's browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover. |
| CVE-2024-5058 | 1 Wpdeveloper | 1 Typing Text | 2024-11-21 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.5. |
| CVE-2024-5004 | 1 Cminds | 1 Cm Popup | 2024-11-21 | 4.8 Medium | The CM Popup Plugin for WordPress (a WordPress plugin) before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-51486 | 1 Ampache | 1 Ampache | 2024-11-21 | 5.5 Medium | Ampache is a web based audio/video streaming application and file manager. The vulnerability exists in the interface section of the Ampache menu, where users can change the "Custom URL - Favicon". This section is not properly sanitized, allowing for the input of strings that can execute JavaScript. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2024-51032 | 2 Oretnom23, Toll Tax Management System Project | 2 Toll Tax Management System, Toll Tax Management System | 2024-11-21 | 5.4 Medium | A Cross-site Scripting (XSS) vulnerability in manage_recipient.php of Sourcecodester Toll Tax Management System 1.0 allows remote authenticated users to inject arbitrary web scripts via the "owner" input field. |
| CVE-2024-51031 | 2 Cab Management System Project, Oretnom23 | 2 Cab Management System, Cab Management System | 2024-11-21 | 5.4 Medium | A Cross-site Scripting (XSS) vulnerability in manage_account.php in Sourcecodester Cab Management System 1.0 allows remote authenticated users to inject arbitrary web scripts via the "First Name," "Middle Name," and "Last Name" fields. |
| CVE-2024-50969 | 2 Anisha, Code-projects | 2 Jonnys Liquor, Jonnys Liquor | 2024-11-21 | 6.1 Medium | A Reflected cross-site scripting (XSS) vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter. |
| CVE-2024-50655 | 1 Emlog | 1 Emlog | 2024-11-21 | 6.1 Medium | emlog pro <=2.3.18 is vulnerable to Cross Site Scripting (XSS), which allows attackers to write malicious JavaScript code in published articles. |
| CVE-2024-4901 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 8.7 High | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. |
| CVE-2024-4755 | 1 Erikeng | 1 Google Cse | 2024-11-21 | 4.8 Medium | The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-4753 | 1 Wpexperts | 1 Wp Secure Maintenance | 2024-11-21 | 5.9 Medium | The WP Secure Maintenance WordPress plugin before 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-4664 | 1 Ninjateam | 1 Wp Chat App | 2024-11-21 | 4.8 Medium | The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2024-4655 | 1 Dotcamp | 1 Ultimate Blocks | 2024-11-21 | 5.4 Medium | The Ultimate Blocks WordPress plugin before 3.1.9 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |