Total
30434 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-36450 | 1 Webmin | 1 Webmin | 2024-08-02 | 5.4 Medium |
| Cross-site scripting vulnerability exists in sysinfo.cgi of Webmin versions prior to 1.910. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a session ID may be obtained, a webpage may be altered, or a server may be halted. | ||||
| CVE-2024-36417 | 1 Salesagility | 1 Suitecrm | 2024-08-02 | 5.7 Medium |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | ||||
| CVE-2024-36374 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible | ||||
| CVE-2024-36363 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible | ||||
| CVE-2024-36366 | 2024-08-02 | 5.4 Medium | ||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations | ||||
| CVE-2024-36369 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible | ||||
| CVE-2024-36372 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2023.05.6 reflected XSS on the subscriptions page was possible | ||||
| CVE-2024-36373 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible | ||||
| CVE-2024-36371 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible | ||||
| CVE-2024-36367 | 2024-08-02 | 4.6 Medium | ||
| In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via third-party reports was possible | ||||
| CVE-2024-36115 | 1 Dzikoysk | 1 Reposilite | 2024-08-02 | 7.1 High |
| Reposilite is an open source, lightweight and easy-to-use repository manager for Maven based artifacts in JVM ecosystem. As a Maven repository manager, Reposilite provides the ability to view the artifacts content in the browser, as well as perform administrative tasks via API. The problem lies in the fact that the artifact's content is served via the same origin (protocol/host/port) as the Admin UI. If the artifact contains HTML content with javascript inside, the javascript is executed within the same origin. Therefore, if an authenticated user is viewing the artifacts content, the javascript inside can access the browser's local storage where the user's password (aka 'token-secret') is stored. It is especially dangerous in scenarios where Reposilite is configured to mirror third party repositories, like the Maven Central Repository. Since anyone can publish an artifact to Maven Central under its own name, such malicious packages can be used to attack the Reposilite instance. This issue may lead to the full Reposilite instance compromise. If this attack is performed against the admin user, it's possible to use the admin API to modify settings and artifacts on the instance. In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite. It's important to note that the attacker does not need to lure a victim user to use a malicious artifact, but just open a link in the browser. This link can be silently loaded among the other HTML content, making this attack unnoticeable. Even if the Reposilite instance is located in an isolated environment, such as behind a VPN or in the local network, this attack is still possible as it can be performed from the admin browser. Reposilite has addressed this issue in version 3.5.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue was discovered and reported by the GitHub Security lab and is also tracked as GHSL-2024-072. | ||||
| CVE-2024-36109 | 2024-08-02 | 7.6 High | ||
| CoCalc is web-based software that enables collaboration in research, teaching, and scientific publishing. In affected versions the markdown parser allows `<script>` tags to be included which execute when published. This issue has been addressed in commit `419862a9c9879c`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-36123 | 1 Starcitizentools | 1 Mediawiki-skins-citizen | 2024-08-02 | 6.5 Medium |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page `MediaWiki:Tagline` has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the `editinterface` permission, or sysops). This vulnerability is fixed in 2.16.0. | ||||
| CVE-2024-36110 | 2024-08-02 | 8.2 High | ||
| ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on pypi). Users are advised to upgrade. There are no known workarounds for these issues. | ||||
| CVE-2024-36038 | 1 Zohocorp | 1 Manageengine Opmanager Plus | 2024-08-02 | 6.3 Medium |
| Zoho ManageEngine ITOM products versions from 128234 to 128248 are affected by the stored cross-site scripting vulnerability in the proxy server option. | ||||
| CVE-2024-35774 | 1 Darteweb | 1 Dimage 360 | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in D’arteweb DImage 360 allows Stored XSS.This issue affects DImage 360: from n/a through 2.0. | ||||
| CVE-2024-35782 | 1 Codeless | 1 Cowidgets - Elementor | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Codeless Cowidgets – Elementor Addons allows Stored XSS.This issue affects Cowidgets – Elementor Addons: from n/a through 1.1.1. | ||||
| CVE-2024-35779 | 1 Livecomposerplugin | 1 Live-composer-page-builder | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42. | ||||
| CVE-2024-35738 | 1 Kognetics | 1 Kognetiks Chatbot | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kognetiks Kognetiks Chatbot for WordPress allows Stored XSS.This issue affects Kognetiks Chatbot for WordPress: from n/a through 1.9.8. | ||||
| CVE-2024-35769 | 1 Slideshow Se Project | 1 Slideshow Se | 2024-08-02 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in John West Slideshow SE allows Stored XSS.This issue affects Slideshow SE: from n/a through 2.5.17. | ||||