Total: 45041 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-49289 | 1 Michaelschwarz | 1 Ajax.net Professional | 2024-11-21 | 6.3 Medium |
| Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET which will create proxy JavaScript classes that are used on client-side to invoke methods on the web server. Affected versions of this package are vulnerable to cross-site scripting attacks. Releases before version 21.12.22.1 are affected. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-49279 | 1 Umbraco | 1 Umbraco Cms | 2024-11-21 | 3.7 Low |
| Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user into loading the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available: implement server-side file validation, or serve all media from a different host (e.g. a CDN) than the one where Umbraco is hosted. | ||||
| CVE-2023-49277 | 1 Darrennathanael | 1 Dpaste | 2024-11-21 | 8.3 High |
| dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities. Users are strongly advised to upgrade to dpaste release v3.8 or later versions, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability. No known workarounds have been identified, and applying the patch is the most effective way to remediate the vulnerability. | ||||
| CVE-2023-49276 | 1 Uptime.kuma | 1 Uptime Kuma | 2024-11-21 | 6.3 Medium |
| Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element is vulnerable to Attribute Injection leading to Cross-Site Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. This vulnerability has been addressed in commit `f28dccf4e`, which is included in release version 1.23.7. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-49216 | 1 Usedesk | 1 Usedesk | 2024-11-21 | 5.4 Medium |
| Usedesk before 1.7.57 allows profile stored XSS. | ||||
| CVE-2023-49188 | 1 Zealousweb | 1 Track Geolocation Of Users Using Contact Form 7 | 2024-11-21 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZealousWeb Track Geolocation Of Users Using Contact Form 7 allows Stored XSS. This issue affects Track Geolocation Of Users Using Contact Form 7: from n/a through 2.0. | ||||
| CVE-2023-49146 | 1 Getgrav | 1 Dom-sanitizer | 2024-11-21 | 6.1 Medium |
| DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG document because of mishandling of comments and greedy regular expressions. | ||||
| CVE-2023-49117 | 1 Alfasado | 1 Powercms | 2024-11-21 | 5.4 Medium |
| PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on a logged-in user's web browser. Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability. | ||||
| CVE-2023-49090 | 1 Carrierwave Project | 1 Carrierwave | 2024-11-21 | 6.8 Medium |
| CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5. | ||||
| CVE-2023-49078 | 1 Zediious | 1 Raptor-web | 2024-11-21 | 5.4 Medium |
| raptor-web is a CMS for game server communities that can be used to host information and keep track of players. In version 0.4.4 of raptor-web, it is possible to craft a malicious URL that will result in a reflected cross-site scripting vulnerability. A user-controlled URL parameter is loaded into an internal template that has autoescape disabled. This is a cross-site scripting vulnerability that affects all deployments of `raptor-web` on version `0.4.4`. Any victim who clicks on a maliciously crafted link will be affected. This issue has been patched in version 0.4.4.1. | ||||
| CVE-2023-49077 | 1 Mailcow | 1 Mailcow\ | 2024-11-21 | 8.3 High |
| Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11. | ||||
| CVE-2023-49029 | 1 Smpn1smg | 1 Absis | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the nama parameter in the lock/lock.php file. | ||||
| CVE-2023-49028 | 1 Absis | 1 Absis | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and before allows a remote attacker to execute arbitrary code via the user parameter in the lock/lock.php file. | ||||
| CVE-2023-48940 | 1 Daicuo | 1 Daicuo | 2024-11-21 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in /admin.php of DaiCuo v2.5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2023-48882 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | 4.8 Medium |
| A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Document Properties field at /login.php?m=admin&c=Index&a=changeTableVal&_ajax=1&lang=cn. | ||||
| CVE-2023-48881 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | 4.8 Medium |
| A stored cross-site scripting (XSS) vulnerability in EyouCMS v1.6.4-UTF8-SP1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Field Title field at /login.php?m=admin&c=Field&a=arctype_add&_ajax=1&lang=cn. | ||||
| CVE-2023-48839 | 1 Phpjabbers | 1 Appointment Scheduler | 2024-11-21 | 5.4 Medium |
| Appointment Scheduler 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | ||||
| CVE-2023-48838 | 1 Phpjabbers | 1 Appointment Scheduler | 2024-11-21 | 5.4 Medium |
| Appointment Scheduler 3.0 is vulnerable to Multiple HTML Injection issues via the SMS API Key or Default Country Code. | ||||
| CVE-2023-48837 | 1 Phpjabbers | 1 Car Rental Script | 2024-11-21 | 5.4 Medium |
| Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code. | ||||
| CVE-2023-48828 | 1 Phpjabbers | 1 Time Slots Booking Calendar | 2024-11-21 | 5.4 Medium |
| Time Slots Booking Calendar 4.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | ||||