Export limit exceeded: 346711 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45592 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2817 | 1 Craftcms | 1 Craft Cms | 2025-01-15 | 5.4 Medium |
| A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively. | ||||
| CVE-2023-21516 | 1 Samsung | 1 Galaxy Store | 2025-01-15 | 7.5 High |
| XSS vulnerability from InstantPlay in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store. | ||||
| CVE-2023-37411 | 1 Ibm | 1 Aspera Faspex | 2025-01-14 | 4.8 Medium |
| IBM Aspera Faspex 5.0.0 through 5.0.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 260139. | ||||
| CVE-2023-33780 | 1 Invernyx | 1 Smartcars 3 | 2025-01-14 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in TFDi Design smartCARS 3 v0.7.0 and below allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the body of news article. | ||||
| CVE-2023-38723 | 1 Ibm | 1 Maximo Application Suite | 2025-01-14 | 6.4 Medium |
| IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 262192. | ||||
| CVE-2023-45181 | 1 Ibm | 1 Jazz Foundation | 2025-01-14 | 6.1 Medium |
| IBM Jazz Foundation 7.0.2 and below are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | ||||
| CVE-2023-33197 | 1 Craftcms | 1 Craft Cms | 2025-01-14 | 5.5 Medium |
| Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6. | ||||
| CVE-2021-43929 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 6.5 Medium |
| Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in work flow management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | ||||
| CVE-2018-8917 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Cross-site scripting (XSS) vulnerability in info.cgi in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary web script or HTML via the host parameter. | ||||
| CVE-2017-16774 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotification.Event in Synology DiskStation Manager (DSM) before 6.1.4-15217-3 allows remote authenticated users to inject arbitrary web script or HTML via the package parameter. | ||||
| CVE-2018-13293 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | N/A |
| Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings in Synology DiskStation Manager (DSM) before 6.2.1-23824 allows remote authenticated users to inject arbitrary web script or HTML via the URL parameter. | ||||
| CVE-2023-33196 | 1 Craftcms | 1 Craft Cms | 2025-01-14 | 5.5 Medium |
| Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7. | ||||
| CVE-2023-33194 | 2 Craftcms, Craftercms | 2 Craft Cms, Craftercms | 2025-01-14 | 3.7 Low |
| Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was patched in version 4.4.6. | ||||
| CVE-2023-2009 | 1 Pretty Url Project | 1 Pretty Url | 2025-01-14 | 4.8 Medium |
| Plugin does not sanitize and escape the URL field in the Pretty Url WordPress plugin through 1.5.4 settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-2947 | 1 Open-emr | 1 Openemr | 2025-01-14 | 4.8 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-32325 | 1 Posthog | 1 Posthog-js | 2025-01-14 | 5.4 Medium |
| PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place. | ||||
| CVE-2023-33195 | 1 Craftcms | 1 Craft Cms | 2025-01-14 | 5 Medium |
| Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. | ||||
| CVE-2023-32686 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-01-14 | 8.1 High |
| Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded. The upload validation checks were not robust enough which left the possibility of an attacker to circumvent them and upload a potentially dangerous file. Exploiting this flaw, a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser. This issue has been patched in version 12.3. | ||||
| CVE-2024-21517 | 1 Opencart | 1 Opencart | 2025-01-14 | 4.2 Medium |
| This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account functionality it could be used to target and attack customers of the OpenCart shop. **Notes:** 1) The fix for this vulnerability is incomplete | ||||
| CVE-2024-21516 | 1 Opencart | 1 Opencart | 2025-01-14 | 4.2 Medium |
| This affects versions of the package opencart/opencart from 4.0.0.0 and before 4.1.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. **Notes:** 1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is "admin" by default but there is a pop-up in the dashboard warning users to rename it. 2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already. | ||||