Search Results (47135 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-2442 1 Gitlab 1 Gitlab 2025-01-07 8.7 High
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
CVE-2023-2015 1 Gitlab 1 Gitlab 2025-01-07 4.4 Medium
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims.
CVE-2024-52000 1 Combodo 1 Itop 2025-01-07 6.1 Medium
Combodo iTop is a simple, web based IT Service Management tool. Affected versions are subject to a reflected Cross-site Scripting (XSS) exploit by way of editing a request's payload which can lead to malicious javascript execution. This issue has been addressed in version 3.2.0 via systematic escaping of error messages when rendering on the page. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-45073 5 Hp, Ibm, Linux and 2 more 7 Hp-ux, Aix, Websphere Application Server and 4 more 2025-01-07 4.8 Medium
IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2023-34961 1 Chamilo 1 Chamilo Lms 2025-01-06 6.1 Medium
Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.
CVE-2023-32751 1 Pydio 1 Cells 2025-01-06 5.4 Medium
Pydio Cells through 4.1.2 allows XSS. Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs. By uploading an HTML file and modifying the download URL to serve the file inline instead of as an attachment, any included JavaScript code is executed when the URL is opened in a browser, leading to a cross-site scripting vulnerability.
CVE-2023-3142 1 Microweber 1 Microweber 2025-01-06 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.
CVE-2023-33846 3 Hp, Ibm, Linux 5 Hp-ux, Aix, Cics Tx and 2 more 2025-01-06 5.4 Medium
IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, CICS TX Advanced 10.1, and 11.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 257100.
CVE-2023-23481 2 Ibm, Linux 2 Sterling Partner Engagement Manager, Linux Kernel 2025-01-06 6.4 Medium
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245889.
CVE-2023-23480 2 Ibm, Linux 2 Sterling Partner Engagement Manager, Linux Kernel 2025-01-06 5.4 Medium
IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 245885.
CVE-2023-26465 1 Pega 1 Pega Platform 2025-01-06 6.1 Medium
Pega Platform versions 7.2 to 8.8.1 are affected by an XSS issue.
CVE-2023-34856 1 Dlink 2 Di-7500g-ci, Di-7500g-ci Firmware 2025-01-06 5.4 Medium
A Cross Site Scripting (XSS) vulnerability in D-Link DI-7500G-CI-19.05.29A allows attackers to execute arbitrary code via uploading a crafted HTML file to the interface /auth_pic.cgi.
CVE-2024-13031 1 Antabot 1 White-jotter 2025-01-06 2.4 Low
A vulnerability classified as problematic has been found in Antabot White-Jotter up to 0.2.2. Affected is an unknown function of the file /admin/content/editor of the component Article Content Editor. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-13033 1 Code-projects 1 Chat System 2025-01-06 3.5 Low
A vulnerability, which was classified as problematic, has been found in code-projects Chat System 1.0. Affected by this issue is some unknown functionality of the file /admin/chatroom.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-33515 1 Softexpert 1 Excellence Suite 2025-01-06 5.4 Medium
SoftExpert Excellence Suite 2.1.9 is vulnerable to Cross Site Scripting (XSS) via query screens.
CVE-2023-29714 1 Vadesecure 1 Secure Gateway 2025-01-06 6.1 Medium
Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via the username, password, and language cookies parameter.
CVE-2023-29713 1 Vadesecure 1 Secure Gateway 2025-01-06 6.1 Medium
Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via a crafted payload to the GET request after the /css/ directory.
CVE-2023-29712 1 Vadesecure 1 Secure Gateway 2025-01-06 6.1 Medium
Cross Site Scripting vulnerability found in Vade Secure Gateway allows a remote attacker to execute arbitrary code via a crafted payload to the X-Rewrite-URL parameter.
CVE-2023-2121 2 Hashicorp, Redhat 2 Vault, Openshift Data Foundation 2025-01-06 4.3 Medium
Vault and Vault Enterprise's (Vault) key-value v2 (kv-v2) diff viewer allowed HTML injection into the Vault web UI through key values. This vulnerability, CVE-2023-2121, is fixed in Vault 1.14.0, 1.13.3, 1.12.7, and 1.11.11.
CVE-2023-34245 1 Udecode 1 Plate 2025-01-06 8.1 High
@udecode/plate-link is the link handler for the udecode/plate rich-text editor plugin system for Slate & React. Affected versions of the link plugin and link UI component do not sanitize URLs to prevent use of the `javascript:` scheme. As a result, links with JavaScript URLs can be inserted into the Plate editor through various means, including opening or pasting malicious content. `@udecode/plate-link` 20.0.0 resolves this issue by introducing an `allowedSchemes` option to the link plugin, defaulting to `['http', 'https', 'mailto', 'tel']`. URLs using a scheme that isn't in this list will not be rendered to the DOM. Users are advised to upgrade. Users unable to upgrade are advised to override the `LinkElement` and `PlateFloatingLink` components with implementations that explicitly check the URL scheme before rendering any anchor elements.