Total: 30732 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2023-24891 | 1 Microsoft | 1 Dynamics 365 | 2024-08-02 | 5.4 Medium | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-24879 | 1 Microsoft | 1 Dynamics 365 | 2024-08-02 | 5.4 Medium | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-24896 | 1 Microsoft | 1 Dynamics 365 | 2024-08-02 | 5.4 Medium | Dynamics 365 Finance Spoofing Vulnerability
CVE-2023-24814 | 1 Typo3 | 1 Typo3 | 2024-08-02 | 8.8 High | TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of the server environment variable `PATH_INFO` has been removed from the corresponding processing in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is encoded both for being used as a URI component and for being used as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0, which fix this problem. For users who are unable to patch in a timely manner, the TypoScript setting `config.absRefPrefix` should at least be set to a static path value instead of using auto, e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability** and is just considered to be an intermediate mitigation of the most prominent manifestation.
CVE-2023-24810 | 1 Misskey | 1 Misskey | 2024-08-02 | 7.1 High | Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps.
CVE-2023-24839 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2024-08-02 | 6.1 Medium | HGiga MailSherlock's specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack.
CVE-2023-24769 | 1 Changedetection | 1 Changedetection | 2024-08-02 | 5.4 Medium | Changedetection.io before v0.40.1.1 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the main page. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the URL parameter under the "Add a new change detection watch" function.
CVE-2023-24811 | 1 Misskey | 1 Misskey | 2024-08-02 | 7.1 High | Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross-site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions.
CVE-2023-24744 | 1 Rediker | 1 Adminplus | 2024-08-02 | 6.1 Medium | Cross Site Scripting (XSS) vulnerability in Rediker Software AdminPlus 6.1.91.00 allows remote attackers to run arbitrary code via the onload function within the application DOM.
CVE-2023-24721 | 1 Liveaction | 1 Livesp | 2024-08-02 | 5.4 Medium | A cross-site scripting (XSS) vulnerability in LiveAction LiveSP v21.1.2 allows attackers to execute arbitrary web scripts or HTML.
CVE-2023-24601 | 1 Open-xchange | 1 Ox App Suite | 2024-08-02 | 6.1 Medium | OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.
CVE-2023-24747 | 1 Jflyfox | 1 Jfinal Cms | 2024-08-02 | 5.4 Medium | Jfinal CMS v5.1 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/dict/list.
CVE-2023-24724 | 1 Sas | 1 Web Administration Interface | 2024-08-02 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability was discovered in the user management module of the SAS 9.4 Admin Console, due to insufficient validation and sanitization of data input into the user creation and editing form fields. The product name is SAS Web Administration Interface (SASAdmin). For the product release, the reported version is 9.4_M2 and the fixed version is 9.4_M3. For the SAS release, the reported version is 9.4 TS1M2 and the fixed version is 9.4 TS1M3.
CVE-2023-24651 | 1 Simple Customer Relationship Management System Project | 1 Simple Customer Relationship Management System | 2024-08-02 | 5.4 Medium | Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter on the registration page.
CVE-2023-24657 | 1 Phpipam | 1 Phpipam | 2024-08-02 | 6.1 Medium | phpipam v1.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the closeClass parameter at /subnet-masks/popup.php.
CVE-2023-24690 | 1 Churchcrm | 1 Churchcrm | 2024-08-02 | 5.4 Medium | ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.
CVE-2023-24686 | 1 Churchcrm | 1 Churchcrm | 2024-08-02 | 4.8 Medium | An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file.
CVE-2023-24733 | 1 Sigb | 1 Pmb | 2024-08-02 | 6.1 Medium | PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php.
CVE-2023-24737 | 1 Sigb | 1 Pmb | 2024-08-02 | 6.1 Medium | PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.
CVE-2023-24602 | 1 Open-xchange | 1 Ox App Suite | 2024-08-02 | 6.1 Medium | OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title.