Search Results (45556 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5711 | 1 Stitionai | 1 Devika | 2024-11-21 | 6.1 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability exists in the stitionai/devika chat feature, allowing attackers to inject malicious payloads into the chat input. This vulnerability is due to the lack of input validation and sanitization on both the frontend and backend components of the application. Specifically, the application fails to sanitize user input in the chat feature, leading to the execution of arbitrary JavaScript code in the context of the user's browser session. This issue affects all versions of the application. The impact of this vulnerability includes the potential for stolen credentials, extraction of sensitive information from chat logs, projects, and other data accessible through the application. | ||||
| CVE-2024-5673 | 1 Dulldusk | 1 Phpfilemanager | 2024-11-21 | 6.1 Medium |
| Vulnerability in Dulldusk's PHP File Manager affecting version 1.7.8. This vulnerability consists of an XSS through the fm_current_dir parameter of index.php. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session. | ||||
| CVE-2024-5626 | 1 Data443 | 1 Inline Related Posts | 2024-11-21 | 6.1 Medium |
| The Inline Related Posts WordPress plugin before 3.7.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2024-5478 | 1 Lunary | 1 Lunary | 2024-11-21 | 6.1 Medium |
| A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before incorporating it into the generated response. Specifically, the endpoint generates XML responses for SAML metadata, where the `orgId` parameter is directly embedded into the XML structure without proper sanitization or validation. This flaw allows an attacker to inject arbitrary JavaScript code into the generated SAML metadata page, leading to potential theft of user cookies or authentication tokens. | ||||
| CVE-2024-5471 | 1 Zohocorp | 1 Manageengine Ddi Central | 2024-11-21 | 8.8 High |
| Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys. | ||||
| CVE-2024-5448 | 1 Mohsinrasool | 1 Paypal Pay Now\, Buy Now\, Donation And Cart Buttons Shortcode | 2024-11-21 | 5.4 Medium |
| The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-5447 | 1 Mohsinrasool | 1 Paypal Pay Now\, Buy Now\, Donation And Cart Buttons Shortcode | 2024-11-21 | 4.8 Medium |
| The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-5199 | 1 Wolfiezero | 1 Spotify Play Button | 2024-11-21 | 6.1 Medium |
| The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-5172 | 1 Expert Invoice Project | 1 Expert Invoice | 2024-11-21 | 4.8 Medium |
| The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-5169 | 1 Nikodev | 1 Video Widget | 2024-11-21 | 4.8 Medium |
| The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-5062 | 1 Zenml | 1 Zenml | 2024-11-21 | 6.1 Medium |
| A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the 'redirect' parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user's browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover. | ||||
| CVE-2024-5058 | 1 Wpdeveloper | 1 Typing Text | 2024-11-21 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper Typing Text allows Stored XSS. This issue affects Typing Text: from n/a through 1.2.5. | ||||
| CVE-2024-5004 | 1 Cminds | 1 Cm Popup | 2024-11-21 | 4.8 Medium |
| The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-51486 | 1 Ampache | 1 Ampache | 2024-11-21 | 5.5 Medium |
| Ampache is a web based audio/video streaming application and file manager. The vulnerability exists in the interface section of the Ampache menu, where users can change the "Custom URL - Favicon". This section is not properly sanitized, allowing for the input of strings that can execute JavaScript. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-51032 | 2 Oretnom23, Toll Tax Management System Project | 2 Toll Tax Management System, Toll Tax Management System | 2024-11-21 | 5.4 Medium |
| A Cross-site Scripting (XSS) vulnerability in manage_recipient.php of Sourcecodester Toll Tax Management System 1.0 allows remote authenticated users to inject arbitrary web scripts via the "owner" input field. | ||||
| CVE-2024-51031 | 2 Cab Management System Project, Oretnom23 | 2 Cab Management System, Cab Management System | 2024-11-21 | 5.4 Medium |
| A Cross-site Scripting (XSS) vulnerability in manage_account.php in Sourcecodester Cab Management System 1.0 allows remote authenticated users to inject arbitrary web scripts via the "First Name," "Middle Name," and "Last Name" fields. | ||||
| CVE-2024-50969 | 2 Anisha, Code-projects | 2 Jonnys Liquor, Jonnys Liquor | 2024-11-21 | 6.1 Medium |
| A Reflected cross-site scripting (XSS) vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter. | ||||
| CVE-2024-50655 | 1 Emlog | 1 Emlog | 2024-11-21 | 6.1 Medium |
| emlog pro <=2.3.18 is vulnerable to Cross Site Scripting (XSS), which allows attackers to write malicious JavaScript code in published articles. | ||||
| CVE-2024-4901 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 8.7 High |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. | ||||
| CVE-2024-4755 | 1 Erikeng | 1 Google Cse | 2024-11-21 | 4.8 Medium |
| The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||