Filtered by CWE-79
Total 30740 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-25763 | Jenkins (1) | Email Extension (1) | 2024-08-02 | 5.4 Medium | Jenkins Email Extension Plugin 2.93 and earlier does not escape various fields included in bundled email templates, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control affected fields. |
| CVE-2023-25786 | Eyes Only User Access Shortcode Project (1) | Eyes Only User Access Shortcode (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Thom Stark Eyes Only: User Access Shortcode plugin <= 1.8.2 versions. |
| CVE-2023-25795 | Wp-master (1) | Feed Changer & Remover (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in WP-master.Ir Feed Changer & Remover plugin <= 0.2 versions. |
| CVE-2023-25764 | Jenkins (1) | Email Extension (1) | 2024-08-02 | 5.4 Medium | Jenkins Email Extension Plugin 2.93 and earlier does not escape, sanitize, or sandbox rendered email template output or log output generated during template rendering, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to create or change custom email templates. |
| CVE-2023-25713 | Fullworksplugins (1) | Quick Paypal Payments (1) | 2024-08-02 | 7.1 High | Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Paypal Payments plugin <= 5.7.25 versions. |
| CVE-2023-25796 | Wp Baidu Submit Project (1) | Wp Baidu Submit (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Include WP BaiDu Submit plugin <= 1.2.1 versions. |
| CVE-2023-25710 | Digitalblue (1) | Click To Call Or Chat Buttons (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DIGITALBLUE Click to Call or Chat Buttons plugin <= 1.4.0 versions. |
| CVE-2023-25705 | Goprayer (1) | Wp Prayer (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Go Prayer WP Prayer plugin <= 1.9.6 versions. |
| CVE-2023-25704 | Wpmart (1) | Interactive Svg Image Map Builder (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Mehjabin Orthi Interactive SVG Image Map Builder plugin <= 1.0 versions. |
| CVE-2023-25712 | Wp-buddy (1) | Google Analytics Opt-out (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP-Buddy Google Analytics Opt-Out plugin <= 2.3.4 versions. |
| CVE-2023-25711 | Wpglobus (1) | Wpglobus Translate Options (1) | 2024-08-02 | 5.8 Medium | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPGlobus WPGlobus Translate Options plugin <= 2.1.0 versions. |
| CVE-2023-25702 | Fullworksplugins (1) | Quick Paypal Payments (1) | 2024-08-02 | 5.9 Medium | Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability in Fullworks Quick Paypal Payments plugin <= 5.7.25 versions. |
| CVE-2023-25598 | Mitel (1) | Mivoice Connect (1) | 2024-08-02 | 6.1 Medium | A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts. |
| CVE-2023-25614 | Sap (1) | Netweaver Application Server Abap (1) | 2024-08-02 | 6.1 Medium | SAP NetWeaver AS ABAP (BSP Framework) application, versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated attacker to inject code that can be executed by the application over the network. On successful exploitation the attacker can gain access to sensitive information, which leads to a limited impact on the confidentiality and integrity of the application. |
| CVE-2023-25571 | Linuxfoundation (1) | Backstage Catalog-model, Backstage Core-components, Backstage Plugin-catalog-backend (3) | 2024-08-02 | 6.8 Medium | Backstage is an open platform for building developer portals. `@backstage/catalog-model` prior to version 1.2.0, `@backstage/core-components` prior to 0.12.4, and `@backstage/plugin-catalog-backend` prior to 1.7.2 are affected by a cross-site scripting vulnerability. This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs in the entities stored in the catalog. If users of the catalog then click on said URLs, that can lead to an XSS attack. This vulnerability has been patched in both the frontend and backend implementations. The default `Link` component from `@backstage/core-components` version 1.2.0 and greater will now reject `javascript:` URLs, and there is a global override of `window.open` to do the same. In addition, the catalog model v0.12.4 and greater as well as the catalog backend v1.7.2 and greater now have additional validation built in that prevents `javascript:` URLs in known annotations. As a workaround, the general practice of limiting access to modifying catalog content and requiring code reviews greatly helps mitigate this vulnerability. |
| CVE-2023-25599 | Mitel (1) | Mivoice Connect (1) | 2024-08-02 | 7.4 High | A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts. |
| CVE-2023-25592 | Arubanetworks (1) | Clearpass Policy Manager (1) | 2024-08-02 | 7.1 High | Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. |
| CVE-2023-25593 | Arubanetworks (1) | Clearpass Policy Manager (1) | 2024-08-02 | 7.1 High | Vulnerabilities within the web-based management interface of ClearPass Policy Manager could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. |
| CVE-2023-25551 | Schneider-electric (1) | Struxureware Data Center Expert (1) | 2024-08-02 | 6.1 Medium | A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters over HTTP. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) |
| CVE-2023-25572 | Marmelab (1) | Ra-ui-materialui, React-admin (2) | 2024-08-02 | 5.4 Medium | react-admin is a frontend framework for building browser applications on top of REST/GraphQL APIs. react-admin prior to versions 3.19.12 and 4.7.6, along with ra-ui-materialui prior to 3.19.12 and 4.7.6, are vulnerable to cross-site scripting. All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible cross-site scripting (XSS) attack. Versions 3.19.12 and 4.7.6 now use `DOMPurify` to escape the HTML before outputting it with React and `dangerouslySetInnerHTML`. Users who already sanitize HTML data server-side do not need to upgrade. As a workaround, users may replace the `<RichTextField>` by a custom field doing sanitization by hand. |