Total
45052 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6422 | 1 Bigprof | 1 Online Clinic Management System | 2024-11-21 | 6.3 Medium |
| A vulnerability has been discovered in BigProf Online Clinic Management System 2.2, which does not sufficiently encode user-controlled input, resulting in persistent XSS through /clinic/patients_view.php, in the FirstRecord parameter. Exploitation of this vulnerability could allow an attacking user to store dangerous JavaScript payloads on the system that will be triggered when the page loads. | ||||
| CVE-2023-6419 | 1 Aatifaneeq | 1 Voovi | 2024-11-21 | 6.5 Medium |
| A vulnerability has been reported in Voovi Social Networking Script version 1.0 that allows a XSS via editprofile.php in multiple parameters, the exploitation of which could allow a remote attacker to send a specially crafted JavaScript payload and partially take over the browser session of an authenticated user. | ||||
| CVE-2023-6379 | 1 Alkacon | 1 Opencms | 2024-11-21 | 5.4 Medium |
| Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to a victim and partially take control of their browsing session. | ||||
| CVE-2023-6367 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.6 High |
| In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within Roles. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser. | ||||
| CVE-2023-6365 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.6 High |
| In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a device group. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser. | ||||
| CVE-2023-6364 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.6 High |
| In WhatsUp Gold versions released before 2023.1, a stored cross-site scripting (XSS) vulnerability has been identified. It is possible for an attacker to craft a XSS payload and store that value within a dashboard component. If a WhatsUp Gold user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victims browser. | ||||
| CVE-2023-6359 | 1 Grupoalumne | 1 Alumne Lms | 2024-11-21 | 5.4 Medium |
| A Cross-Site Scripting (XSS) vulnerability has been found in Alumne LMS affecting version 4.0.0.1.08. An attacker could exploit the 'localidad' parameter to inject a custom JavaScript payload and partially take over another user's browser session, due to the lack of proper sanitisation of the 'localidad' field on the /users/editmy page. | ||||
| CVE-2023-6303 | 1 Cskaza | 1 Cszcms | 2024-11-21 | 2.4 Low |
| A vulnerability was found in CSZCMS 1.3.0. It has been classified as problematic. This affects an unknown part of the file /admin/settings/ of the component Site Settings Page. The manipulation of the argument Additional Meta Tag with the input <svg><animate onbegin=alert(1) attributeName=x dur=1s> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-246129 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-6301 | 1 Mayurik | 1 Best Courier Management System | 2024-11-21 | 3.5 Low |
| A vulnerability has been found in SourceCodester Best Courier Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file parcel_list.php of the component GET Parameter Handler. The manipulation of the argument id with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-246127. | ||||
| CVE-2023-6300 | 1 Mayurik | 1 Best Courier Management System | 2024-11-21 | 3.5 Low |
| A vulnerability, which was classified as problematic, was found in SourceCodester Best Courier Management System 1.0. Affected is an unknown function. The manipulation of the argument page with the input </TiTlE><ScRiPt>alert(1)</ScRiPt> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-246126 is the identifier assigned to this vulnerability. | ||||
| CVE-2023-6290 | 1 Seopress | 1 Seopress | 2024-11-21 | 4.8 Medium |
| The SEOPress WordPress plugin before 7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | ||||
| CVE-2023-6282 | 1 Icehrm | 1 Icehrm | 2024-11-21 | 5.4 Medium |
| IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload and partially hijacking the victim's browser. | ||||
| CVE-2023-6268 | 1 Json-content-importer | 1 Json Content Importer | 2024-11-21 | 6.1 Medium |
| The JSON Content Importer WordPress plugin before 1.5.4 does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-6217 | 1 Progress | 1 Moveit Transfer | 2024-11-21 | 7.1 High |
| In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9), 2022.1.10 (14.1.10), 2023.0.7 (15.0.7), a reflected cross-site scripting (XSS) vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting the system which comprises a MOVEit Gateway and MOVEit Transfer deployment. If a MOVEit user interacts with the crafted payload, the attacker would be able to execute malicious JavaScript within the context of the victim’s browser. | ||||
| CVE-2023-6166 | 1 Ays-pro | 1 Quiz Maker | 2024-11-21 | 6.1 Medium |
| The Quiz Maker WordPress plugin before 6.4.9.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting | ||||
| CVE-2023-6146 | 1 Qualys | 1 Private Cloud Platform | 2024-11-21 | 5.7 Medium |
| A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce XSS payload via browser details. | ||||
| CVE-2023-6098 | 1 Icssolution | 1 Ics Business Manager | 2024-11-21 | 6.3 Medium |
| An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user's session, and perform actions within the application. | ||||
| CVE-2023-6082 | 1 Chartjs Project | 1 Chartjs | 2024-11-21 | 5.4 Medium |
| The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-6028 | 1 Br-automation | 1 Automation Runtime | 2024-11-21 | 6.1 Medium |
| A reflected cross-site scripting (XSS) vulnerability exists in the SVG version of System Diagnostics Manager of B&R Automation Runtime versions <= G4.93 that enables a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session. | ||||
| CVE-2023-6027 | 1 Elijaa | 1 Phpmemcachedadmin | 2024-11-21 | 6.1 Medium |
| A critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of user-controlled entries in the "/pmcadmin/configure.php" parameter. | ||||