Total: 30485 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-0028 | 1 Linagora | 1 Twake | 2024-08-02 | 5.7 Medium | Cross-site Scripting (XSS) - Stored in GitHub repository linagora/twake prior to 2023.Q1.1200+. |
CVE-2023-0021 | 1 Sap | 1 Netweaver | 2024-08-02 | 6.1 Medium | Due to insufficient encoding of user input, SAP NetWeaver - versions 700, 701, 702, 731, 740, 750, allows an unauthenticated attacker to inject code that may expose sensitive data like user ID and password, which could lead to reflected Cross-Site Scripting. These endpoints are normally exposed over the network and successful exploitation can partially impact confidentiality of the application. |
CVE-2023-0018 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2024-08-02 | 10 Critical | Due to improper input sanitization of user-controlled input in SAP BusinessObjects Business Intelligence Platform CMC application - versions 420, and 430, an attacker with basic user-level privileges can modify/upload crystal reports containing a malicious payload. Once these reports are viewable, anyone who opens those reports would be susceptible to stored XSS attacks. As a result of the attack, information maintained in the victim's web browser can be read, modified, and sent to the attacker. |
CVE-2023-0065 | 1 I2 Pros & Cons Project | 1 I2 Pros & Cons | 2024-08-02 | 5.4 Medium | The i2 Pros & Cons WordPress plugin through 1.3.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
CVE-2023-0044 | 2 Quarkus, Redhat | 3 Quarkus, Build Of Quarkus, Quarkus | 2024-08-02 | 6.1 Medium | If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to information disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature. |
CVE-2023-0010 | 1 Paloaltonetworks | 1 Pan-os | 2024-08-02 | 5.4 Medium | A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software can allow a JavaScript payload to be executed in the context of an authenticated Captive Portal user's browser when they click on a specifically crafted link. |
CVE-2023-0025 | 1 Sap | 1 Solution Manager | 2024-08-02 | 6.5 Medium | SAP Solution Manager (BSP Application) - version 720, allows an authenticated attacker to craft a malicious link, which when clicked by an unsuspecting user, can be used to read or modify some sensitive information or craft a payload which may restrict access to the desired resources. |
CVE-2024-41943 | | | 2024-08-02 | 4.6 Medium | I, Librarian is an open-source version of a PDF managing SaaS. PDF notes are displayed on the Item Summary page without any form of validation or sanitation. An attacker can exploit this vulnerability by inserting a payload in the PDF notes that contains malicious code or script. This code will then be executed when the page is loaded in the browser. The vulnerability was fixed in version 5.11.1. |
CVE-2024-41805 | | | 2024-08-02 | 6.1 Medium | Tracks, a Getting Things Done (GTD) web application, is vulnerable to reflected cross-site scripting in versions prior to 2.7.1. Reflected cross-site scripting enables execution of malicious JavaScript in the context of a user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to credential theft. Tracks version 2.7.1 is patched. No known complete workarounds are available. |
CVE-2024-41709 | 1 Backdropcms | 1 Backdrop | 2024-08-02 | 4.8 Medium | Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission. |
CVE-2024-41706 | 1 Archerirm | 1 Archer | 2024-08-02 | 7.3 High | A stored XSS issue was discovered in Archer Platform 6 before version 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. 6.14 P4 (6.14.0.4) is also a fixed release. |
CVE-2024-41640 | | | 2024-08-02 | 6.1 Medium | Cross Site Scripting (XSS) vulnerability in AML Surety Eco up to 3.5 allows an attacker to run arbitrary code via a crafted GET request using the id parameter. |
CVE-2024-41707 | 1 Archerirm | 1 Archer | 2024-08-02 | 4.8 Medium | An issue was discovered in Archer Platform 6 before 2024.06. Authenticated users can achieve HTML content injection. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML code in a trusted application data store. When victim users access the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application. |
CVE-2024-41663 | | | 2024-08-02 | 3.5 Low | Canarytokens help track activity and actions on a network. A Cross-Site Scripting vulnerability was identified in the "Cloned Website" Canarytoken, whereby the Canarytoken's creator can attack themselves. The creator of a slow-redirect Canarytoken can insert JavaScript into the destination URL of their slow redirect token. When the creator later browses the management page for their own Canarytoken, the JavaScript executes. This is a self-XSS. An attacker could create a Canarytoken with this self-XSS, and send the management link to a victim. When they click on it, the JavaScript would execute. However, no sensitive information (e.g. session information) will be disclosed to the malicious actor. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after `sha-097d91a`. |
CVE-2024-41355 | 1 Phpipam | 1 Phpipam | 2024-08-02 | 6.5 Medium | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/tools/request-ip/index.php. |
CVE-2024-41374 | 1 Icecoder | 1 Icecoder | 2024-08-02 | 6.1 Medium | ICEcoder 8.1 is vulnerable to Cross Site Scripting (XSS) via lib/settings-screen.php. |
CVE-2024-41665 | | | 2024-08-02 | 5.5 Medium | Ampache, a web based audio/video streaming application and file manager, has a stored cross-site scripting (XSS) vulnerability in versions prior to 6.6.0. This vulnerability exists in the "Playlists - Democratic - Configure Democratic Playlist" feature. An attacker with Content Manager permissions can set the Name field to `<svg onload=alert(8)>`. When any administrator or user accesses the Democratic functionality, they will be affected by this stored XSS vulnerability. The attacker can exploit this vulnerability to obtain the cookies of any user or administrator who accesses the `democratic.php` file. Version 6.6.0 contains a patch for the issue. |
CVE-2024-41375 | 1 Icecoder | 1 Icecoder | 2024-08-02 | 6.1 Medium | ICEcoder 8.1 is vulnerable to Cross Site Scripting (XSS) via lib/terminal-xhr.php. |
CVE-2024-41354 | 1 Phpipam | 1 Phpipam | 2024-08-02 | 7.1 High | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/widgets/edit.php. |
CVE-2024-41357 | 1 Phpipam | 1 Phpipam | 2024-08-02 | 7.1 High | phpipam 1.6 is vulnerable to Cross Site Scripting (XSS) via /app/admin/powerDNS/record-edit.php. |