Total
30540 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24014 | 1 Fortinet | 1 Fortisandbox | 2024-10-25 | 5.4 Medium |
| Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters. | ||||
| CVE-2021-32597 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-10-25 | 4.6 Medium |
| Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters. | ||||
| CVE-2021-32602 | 1 Fortinet | 1 Fortiportal | 2024-10-25 | 5.8 Medium |
| An improper neutralization of input during web page generation vulnerability (CWE-79) in FortiPortal GUI 6.0.4 and below, 5.3.6 and below, 5.2.6 and below, 5.1.2 and below, 5.0.3 and below, 4.2.2 and below, 4.1.2 and below, 4.0.4 and below may allow a remote and unauthenticated attacker to perform an XSS attack via sending a crafted request with an invalid lang parameter or with an invalid org.springframework.web.servlet.i18n.CookieLocaleResolver.LOCALE value. | ||||
| CVE-2021-36175 | 1 Fortinet | 1 Fortiweb | 2024-10-25 | 4.1 Medium |
| An improper neutralization of input vulnerability [CWE-79] in FortiWebManager versions 6.2.3 and below, 6.0.2 and below may allow a remote authenticated attacker to inject malicious script/tags via the name/description/comments parameter of various sections of the device. | ||||
| CVE-2021-24021 | 1 Fortinet | 1 Fortianalyzer | 2024-10-25 | 4.3 Medium |
| An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks. | ||||
| CVE-2020-15940 | 1 Fortinet | 1 Forticlient Enterprise Management Server | 2024-10-25 | 4.1 Medium |
| An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server. | ||||
| CVE-2020-12814 | 1 Fortinet | 1 Fortianalyzer | 2024-10-25 | 4.1 Medium |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiAnalyzer version 6.0.6 and below, version 6.4.4 allows attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI. | ||||
| CVE-2021-36176 | 1 Fortinet | 1 Fortiportal | 2024-10-25 | 6.1 Medium |
| Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests. | ||||
| CVE-2021-41029 | 1 Fortinet | 1 Fortiwlm | 2024-10-25 | 6.4 Medium |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to store malicious javascript code in the device and trigger it via crafted HTTP requests | ||||
| CVE-2021-42752 | 1 Fortinet | 1 Fortiwlm | 2024-10-25 | 5.4 Medium |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWLM version 8.6.1 and below allows attacker to execute malicious javascript code on victim's host via crafted HTTP requests | ||||
| CVE-2021-41015 | 1 Fortinet | 1 Fortiweb | 2024-10-25 | 6.1 Medium |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests to SAML login handler | ||||
| CVE-2021-43063 | 1 Fortinet | 1 Fortiweb | 2024-10-25 | 6.1 Medium |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the login webpage. | ||||
| CVE-2021-32585 | 1 Fortinet | 1 Fortiwan | 2024-10-25 | 7.2 High |
| An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiWAN before 4.5.9 may allow an attacker to perform a stored cross-site scripting attack via specifically crafted HTTP requests. | ||||
| CVE-2022-35851 | 1 Fortinet | 1 Fortiadc | 2024-10-25 | 8 High |
| An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiADC management interface 7.1.0 may allow a remote and authenticated attacker to trigger a stored cross site scripting (XSS) attack via configuring a specially crafted IP Address. | ||||
| CVE-2022-38373 | 1 Fortinet | 1 Fortideceptor | 2024-10-25 | 8 High |
| An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiDeceptor management interface 4.2.0, 4.1.0 through 4.1.1, 4.0.2 may allow an authenticated user to perform a cross site scripting (XSS) attack via sending requests with specially crafted lure resource ID. | ||||
| CVE-2022-38374 | 1 Fortinet | 1 Fortiadc | 2024-10-25 | 8.8 High |
| A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiADC 7.0.0 - 7.0.2 and 6.2.0 - 6.2.4 allows an attacker to execute unauthorized code or commands via the URL and User fields observed in the traffic and event logviews. | ||||
| CVE-2022-39950 | 1 Fortinet | 2 Fortianalyzer, Fortimanager | 2024-10-25 | 8 High |
| An improper neutralization of input during web page generation vulnerability [CWE-79] exists in FortiManager and FortiAnalyzer 6.0.0 all versions, 6.2.0 all versions, 6.4.0 through 6.4.8, and 7.0.0 through 7.0.4. Report templates may allow a low privilege level attacker to perform an XSS attack via posting a crafted CKeditor "protected" comment as described in CVE-2020-9281. | ||||
| CVE-2024-49751 | 2024-10-25 | N/A | ||
| Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe HTML code would only affect themselves and would not affect other users. Commit 5d118a902872d7941f099ad1fb918e2421e79ccd patches this bug. | ||||
| CVE-2024-10332 | 2024-10-25 | 6.1 Medium | ||
| A Cross-Site Scripting vulnerability has been found in Janto v4.3r11 from Impronta. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the endpoint “/abonados/public/janto/main.php”. | ||||
| CVE-2024-10176 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2024-10-25 | 6.4 Medium |
| The Compact WP Audio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_embed_player shortcode in all versions up to, and including, 1.9.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||