Total
30498 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2159 | 1 Wpsocialrocket | 1 Social Sharing Plugin | 2024-10-30 | 4.7 Medium |
| The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-48119 | 1 Vtiger | 1 Vtiger Crm | 2024-10-30 | 5.4 Medium |
| Vtiger CRM v8.2.0 has a HTML Injection vulnerability in the module parameter. Authenticated users can inject arbitrary HTML. | ||||
| CVE-2023-3620 | 1 Tarteaucitron | 1 Tarteaucitron | 2024-10-30 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository amauric/tarteaucitron.js prior to v1.13.1. | ||||
| CVE-2024-10348 | 2 Mayurik, Sourcecodester | 2 Best House Rental Management System, Best House Rental Management System | 2024-10-30 | 3.5 Low |
| A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only shows the field "Last Name" to be affected. Other fields might be affected as well. | ||||
| CVE-2024-48448 | 1 Huly | 1 Huly | 2024-10-29 | 6.1 Medium |
| An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. | ||||
| CVE-2024-41519 | 1 Mecodia | 1 Feripro | 2024-10-29 | 5.4 Medium |
| Feripro <= v2.2.3 is vulnerable to Cross Site Scripting (XSS) via "/admin/programm/<program_id>/zuordnung/veranstaltungen/<event_id>" through the "school" input field. | ||||
| CVE-2024-33665 | 2024-10-29 | 6.1 Medium | ||
| angular-translate through 2.19.1 allows XSS via a crafted key that is used by the translate directive. NOTE: the vendor indicates that there is no documentation indicating that a key is supposed to be safe against XSS attacks. | ||||
| CVE-2024-25551 | 2024-10-29 | 6.1 Medium | ||
| Cross Site Scripting (XSS) vulnerability in sourcecodester Simple Student Attendance System v1.0 allows attackers to execute arbitrary code via crafted GET request to web application URL. | ||||
| CVE-2022-23397 | 1 Cedargate | 1 Ez-net Portal | 2024-10-29 | 6.1 Medium |
| The Cedar Gate EZ-NET portal 6.5.5 6.8.0 Internet portal has a call to display messages to users which does not properly sanitize data sent in through a URL parameter. This leads to a Reflected Cross-Site Scripting vulnerability. NOTE: the vendor disputes this because the ado.im reference has "no clear steps of reproduction." | ||||
| CVE-2024-48120 | 1 X2engine | 1 X2crm | 2024-10-29 | 6.5 Medium |
| X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list. | ||||
| CVE-2024-10414 | 1 Phpgurukul | 1 Vehicle Record System | 2024-10-29 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Vehicle Record System 1.0. This affects an unknown part of the file /admin/edit-brand.php. The manipulation of the argument Brand Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions the parameter "phone_number" to be affected. But this might be a mistake because the textbox field label is "Brand Name". | ||||
| CVE-2024-10412 | 1 Poco-z | 1 Guns-medial | 2024-10-29 | 3.5 Low |
| A vulnerability was found in Poco-z Guns-Medical 1.0. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /mgr/upload of the component File Upload. The manipulation of the argument picture leads to cross site scripting. The attack can be launched remotely. | ||||
| CVE-2024-25662 | 2024-10-29 | 6.1 Medium | ||
| Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 and older are vulnerable to Cross-Site Scripting (XSS) for malicious URLs. | ||||
| CVE-2023-37439 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-10-29 | 6.1 Medium |
| Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. | ||||
| CVE-2023-23702 | 1 Pixelgrade | 1 Comments Rating | 2024-10-29 | 4.8 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pixelgrade Comments Ratings plugin <= 1.1.7 versions. | ||||
| CVE-2024-34230 | 1 Sourcecodester | 1 Laboratory Management System | 2024-10-29 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the System Information parameter. | ||||
| CVE-2024-1988 | 1 Pickplugins | 1 Post Grid | 2024-10-29 | 6.4 Medium |
| The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel – Combo Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute in blocks in all versions up to, and including, 2.2.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5425 | 1 Lightpress | 1 Lightbox | 2024-10-29 | 6.4 Medium |
| The WP jQuery Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ attribute in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-1768 | 1 Nayrathemes | 1 Clever Fox | 2024-10-29 | 6.4 Medium |
| The Clever Fox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's info box block in all versions up to, and including, 25.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-51509 | 1 Tiki | 1 Tiki | 2024-10-29 | 4.8 Medium |
| Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name. | ||||