| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_reset_request.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_reset_request.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Cloud Security Gateway (CSG) Portal on Web Cloud Security Gateway, Email Security Cloud (login_submit.mhtml modules), Forcepoint Web Security Portal on Hybrid (login_submit.mhtml modules) allows Reflected XSS.This issue affects Cloud Security Gateway (CSG): before 03/29/2023; Web Security: before 03/29/2023.
|
| Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. This configuration change is provided in version 12.1 and users are advised to upgrade. Users unable to upgrade may set their Content-Security-Policy HTTP header manually. |
|
A CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site
Scripting') vulnerability exists on a DCE file upload endpoint when tampering with parameters
over HTTP.
Affected products: StruxureWare Data Center Expert (V7.9.2 and prior)
|
| your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| HCL Launch is vulnerable to HTML injection. HTML code is stored and included without being sanitized. This can lead to further attacks such as XSS and Open Redirections.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Johan van der Wijk Content Blocks (Custom Post Widget) allows Stored XSS.This issue affects Content Blocks (Custom Post Widget): from n/a through 3.3.0.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailMunch – Grow your Email List allows Stored XSS.This issue affects MailMunch – Grow your Email List: from n/a through 3.1.6.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MailMunch MailChimp Forms by MailMunch allows Stored XSS.This issue affects MailChimp Forms by MailMunch: from n/a through 3.2.2.
|
| A vulnerability, which was classified as problematic, was found in GARO WALLBOX GLB+ T2EV7 0.5. This affects an unknown part of the file /index.jsp#settings of the component Software Update Handler. The manipulation of the argument Reference leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254397 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) |
| The All-In-One Security (AIOS) WordPress plugin before 5.1.5 does not escape the content of log files before outputting it to the plugin admin page, allowing an authorized user (admin+) to plant bogus log files containing malicious JavaScript code that will be executed in the context of any administrator visiting this page. |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Travel Engine allows Stored XSS.This issue affects WP Travel Engine: from n/a through 5.9.1. |
| A vulnerability classified as problematic has been found in SourceCodester Simple Task Allocation System 1.0. Affected is an unknown function of the file LoginRegistration.php?a=register_user. The manipulation of the argument Fullname leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-224244. |
| A medium severity vulnerability has been identified within Privileged Identity which can allow an attacker to perform reflected cross-site scripting attacks. |
| The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0. |
| AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office.
This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0.
|
| Improper Neutralization of Input During Web Page Generation in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
