Search Results (47147 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2022-45144 1 Algoo 1 Tracim 2025-01-22 6.1 Medium
Algoo Tracim before 4.4.2 allows XSS via HTML file upload.
CVE-2023-28517 2 Ibm, Linux 2 Sterling Partner Engagement Manager, Linux Kernel 2025-01-22 5.4 Medium
IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 250421.
CVE-2023-31703 1 Escanav 1 Escan Management Console 2025-01-22 9 Critical
Cross Site Scripting (XSS) in the edit user form in Microworld Technologies eScan management console 14.0.1400.2281 allows remote attacker to inject arbitrary code via the from parameter.
CVE-2023-31699 1 Churchcrm 1 Churchcrm 2025-01-22 4.8 Medium
ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.
CVE-2023-2753 1 Phpmyfaq 1 Phpmyfaq 2025-01-22 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.
CVE-2023-2752 1 Phpmyfaq 1 Phpmyfaq 2025-01-22 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-beta.
CVE-2023-2509 1 Asustor 3 Adm, Looksgood, Soundsgood 2025-01-22 7.1 High
A Cross-Site Scripting(XSS) vulnerability was found on ADM, LooksGood and SoundsGood Apps. An attacker can exploit this vulnerability to inject malicious scripts into the target applications to access any cookies or sensitive information retained by the browser and used with that application. Affected products and versions include: ADM 4.0.6.REG2, 4.1.0 and below as well as ADM 4.2.1.RGE2 and below, LooksGood 2.0.0.R129 and below and SoundsGood 2.3.0.r1027 and below.
CVE-2024-27132 1 Lfprojects 1 Mlflow 2025-01-22 7.5 High
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.
CVE-2024-27133 1 Lfprojects 1 Mlflow 2025-01-22 7.5 High
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.
CVE-2024-10761 1 Umbraco 1 Umbraco Cms 2025-01-22 4.3 Medium
A vulnerability was found in Umbraco CMS up to 10.7.7/12.3.6/13.5.2/14.3.1/15.1.1. It has been classified as problematic. Affected is an unknown function of the file /Umbraco/preview/frame?id{} of the component Dashboard. The manipulation of the argument culture leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.8.8, 13.5.3, 14.3.2 and 15.1.2 is able to address this issue. It is recommended to upgrade the affected component.
CVE-2023-31584 1 Silicon Project 1 Silicon 2025-01-21 6.1 Medium
GitHub repository cu/silicon commit a9ef36 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the User Input field.
CVE-2023-33236 1 Moxa 1 Mxsecurity 2025-01-21 9.8 Critical
MXsecurity version 1.0 is vulnearble to hardcoded credential vulnerability. This vulnerability has been reported that can be exploited to craft arbitrary JWT tokens and subsequently bypass authentication for web-based APIs.
CVE-2023-31862 1 Jizhicms 1 Jizhicms 2025-01-21 5.4 Medium
jizhicms v2.4.6 is vulnerable to Cross Site Scripting (XSS). The content of the article published in the front end is only filtered in the front end, without being filtered in the background, which allows attackers to publish an article containing malicious JavaScript scripts by modifying the request package.
CVE-2023-31757 1 Dedecms 1 Dedecms 2025-01-21 5.4 Medium
DedeCMS up to v5.7.108 is vulnerable to XSS in sys_info.php via parameters 'edit___cfg_powerby' and 'edit___cfg_beian'
CVE-2023-29720 1 Sofawiki Project 1 Sofawiki 2025-01-21 6.1 Medium
SofaWiki <=3.8.9 is vulnerable to Cross Site Scripting (XSS) via index.php.
CVE-2023-28529 3 Ibm, Linux, Microsoft 4 Aix, Infosphere Information Server, Linux Kernel and 1 more 2025-01-21 5.5 Medium
IBM InfoSphere Information Server 11.7 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 251213.
CVE-2024-25155 1 Fortra 1 Filecatalyst Direct 2025-01-21 7.2 High
In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. 
CVE-2024-52585 1 Autolabproject 1 Autolab 2025-01-21 5.4 Medium
Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html.
CVE-2024-54034 1 Adobe 1 Connect 2025-01-21 9.3 Critical
Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
CVE-2024-54037 1 Adobe 1 Connect 2025-01-21 8.1 High
Adobe Connect versions 12.6, 11.4.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute arbitrary code in the context of the victim's browser session. By manipulating a DOM element through a crafted URL or user input, the high-privileged attacker can inject malicious scripts that run when the page is rendered. This type of attack requires user interaction, as the victim would need to visit a malicious link or input data into a compromised form. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.