Total
30498 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-27087 | 2024-08-02 | 4.6 Medium | ||
| Kirby is a content management system. The new link field introduced in Kirby 4 allows several different link types that each validate the entered link to the relevant URL format. It also includes a "Custom" link type for advanced use cases that don't fit any of the pre-defined link formats. As the "Custom" link type is meant to be flexible, it also allows the javascript: URL scheme. In some use cases this can be intended, but it can also be misused by attackers to execute arbitrary JavaScript code when a user or visitor clicks on a link that is generated from the contents of the link field. This vulnerability is patched in 4.1.1. | ||||
| CVE-2024-24885 | 1 Levantoan | 1 Woocommerce Vietnam Checkout | 2024-08-02 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lê Văn Toản Woocommerce Vietnam Checkout allows Stored XSS.This issue affects Woocommerce Vietnam Checkout: from n/a through 2.0.7. | ||||
| CVE-2024-26269 | 2024-08-02 | 9.6 Critical | ||
| Cross-site scripting (XSS) vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via the anchor (hash) part of a URL. | ||||
| CVE-2024-26266 | 2024-08-02 | 9 Critical | ||
| Multiple stored cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.2.0 through 7.4.3.13, and older unsupported versions, and Liferay DXP 7.4 before update 10, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions allow remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into the first/middle/last name text field of the user who creates an entry in the (1) Announcement widget, or (2) Alerts widget. | ||||
| CVE-2024-26140 | 2024-08-01 | 4.6 Medium | ||
| com.yetanalytics/lrs is the Yet Analytics Core LRS Library. Prior to version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS, a maliciously crafted xAPI statement could be used to perform script or other tag injection in the LRS Statement Browser. The problem is patched in version 1.2.17 of the LRS library and version 0.7.5 of SQL LRS. No known workarounds exist. | ||||
| CVE-2024-26143 | 2024-08-01 | 6.1 Medium | ||
| Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1. | ||||
| CVE-2024-26128 | 2024-08-01 | 5.4 Medium | ||
| baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability. | ||||
| CVE-2024-25708 | 2024-08-01 | 4.8 Medium | ||
| There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 10.8.1 – 10.9.1 that may allow a remote, authenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. | ||||
| CVE-2024-25934 | 2024-08-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormFacade allows Stored XSS.This issue affects FormFacade: from n/a through 1.0.0. | ||||
| CVE-2024-25976 | 2024-08-01 | N/A | ||
| When LDAP authentication is activated in the configuration it is possible to obtain reflected XSS execution by creating a custom URL that the victim only needs to open in order to execute arbitrary JavaScript code in the victim's browser. This is due to a fault in the file login.php where the content of "$_SERVER['PHP_SELF']" is reflected into the HTML of the website. Hence the attacker does not need a valid account in order to exploit this issue. | ||||
| CVE-2024-25921 | 2024-08-01 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Concerted Action Action Network allows Reflected XSS.This issue affects Action Network: from n/a through 1.4.2. | ||||
| CVE-2024-25936 | 2024-08-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoundCloud Inc., Lawrie Malen SoundCloud Shortcode allows Stored XSS.This issue affects SoundCloud Shortcode: from n/a through 4.0.1. | ||||
| CVE-2024-25919 | 2024-08-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS.This issue affects Custom Field Template: from n/a through 2.6. | ||||
| CVE-2024-25916 | 2024-08-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joseph C Dolson My Calendar allows Stored XSS.This issue affects My Calendar: from n/a through 3.4.23. | ||||
| CVE-2024-25807 | 2024-08-01 | 6.1 Medium | ||
| Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album. | ||||
| CVE-2024-25637 | 2024-08-01 | 3.1 Low | ||
| October is a self-hosted CMS platform based on the Laravel PHP Framework. The X-October-Request-Handler Header does not sanitize the AJAX handler name and allows unescaped HTML to be reflected back. There is no impact since this vulnerability cannot be exploited through normal browser interactions. This unescaped value is only detectable when using a proxy interception tool. This issue has been patched in version 3.5.15. | ||||
| CVE-2024-25598 | 2024-08-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through 8.3. | ||||
| CVE-2024-25599 | 2024-08-01 | 7.1 High | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Castos Seriously Simple Podcasting allows Reflected XSS.This issue affects Seriously Simple Podcasting: from n/a through 3.0.2. | ||||
| CVE-2024-25602 | 2024-08-01 | 9 Critical | ||
| Stored cross-site scripting (XSS) vulnerability in Users Admin module's edit user page in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via a crafted payload injected into an organization’s “Name” text field | ||||
| CVE-2024-25594 | 2024-08-01 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Savvy Wordpress Development MyWaze allows Stored XSS.This issue affects MyWaze: from n/a through 1.6. | ||||