Search Results (45592 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-21515 | 1 Opencart | 1 Opencart | 2025-01-14 | 4.2 Medium |
| This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. **Notes:** 1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is "admin" by default but there is a pop-up in the dashboard warning users to rename it. 2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already. | ||||
| CVE-2024-13274 | | | 2025-01-14 | 5.3 Medium |
| Improper Control of Interaction Frequency vulnerability in Drupal Open Social allows Functionality Misuse. This issue affects Open Social: from 0.0.0 before 12.3.8, from 12.4.0 before 12.4.5. | ||||
| CVE-2023-23956 | 1 Broadcom | 1 Symantec Siteminder Webagent | 2025-01-14 | 6.1 Medium |
| A user can supply malicious HTML and JavaScript code that will be executed in the client browser. | ||||
| CVE-2023-2421 | 1 Controlid | 1 Rhid | 2025-01-14 | 3.5 Low |
| A vulnerability classified as problematic has been found in Control iD RHiD 23.3.19.0. Affected is an unknown function of the file /v2/#/add/department. The manipulation of the argument Name leads to cross site scripting. It is possible to launch the attack remotely. VDB-227718 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-2948 | 1 Open-emr | 1 Openemr | 2025-01-14 | 6.1 Medium |
| Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-2949 | 1 Open-emr | 1 Openemr | 2025-01-14 | 6.1 Medium |
| Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2024-3463 | 1 Oretnom23 | 1 Laundry Shop Management System | 2025-01-14 | 3.5 Low |
| A vulnerability has been found in SourceCodester Laundry Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /karyawan/edit. The manipulation of the argument karyawan leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259744. | ||||
| CVE-2022-24631 | 1 Audiocodes | 1 Device Manager Express | 2025-01-14 | 5.4 Medium |
| An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. It is stored XSS via the ajaxTenants.php desc parameter. | ||||
| CVE-2023-24601 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 6.1 Medium |
| OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. | ||||
| CVE-2023-24602 | 1 Open-xchange | 1 Ox App Suite | 2025-01-14 | 6.1 Medium |
| OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. | ||||
| CVE-2023-46282 | 1 Siemens | 4 Opcenter Quality, Simatic Pcs Neo, Sinumerik Integrate Runmyhmi /automotive and 1 more | 2025-01-14 | 7.1 High |
| A vulnerability has been identified in Opcenter Execution Foundation (All versions < V2407), Opcenter Quality (All versions < V2312), SIMATIC PCS neo (All versions < V4.1), SINEC NMS (All versions < V2.0 SP1), Totally Integrated Automation Portal (TIA Portal) V14 (All versions), Totally Integrated Automation Portal (TIA Portal) V15.1 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 8), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 3). A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the affected applications that could allow an attacker to inject arbitrary JavaScript code. The code could be potentially executed later by another (possibly privileged) user. | ||||
| CVE-2023-28347 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-13 | 9.6 Critical |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a proof-of-concept script that functions similarly to a Student Console, providing unauthenticated attackers with the ability to exploit XSS vulnerabilities within the Teacher Console application and achieve remote code execution as NT AUTHORITY/SYSTEM on all connected Student Consoles and the Teacher Console in a Zero Click manner. | ||||
| CVE-2023-28350 | 2 Faronics, Microsoft | 2 Insight, Windows | 2025-01-13 | 6.1 Medium |
| An issue was discovered in Faronics Insight 10.0.19045 on Windows. Attacker-supplied input is not validated/sanitized before being rendered in both the Teacher and Student Console applications, enabling an attacker to execute JavaScript in these applications. Due to the rich and highly privileged functionality offered by the Teacher Console, the ability to silently exploit Cross Site Scripting (XSS) on the Teacher Machine enables remote code execution on any connected student machine (and the teacher's machine). | ||||
| CVE-2022-36244 | 1 Shopbeat | 1 Shop Beat Media Player | 2025-01-13 | 5.4 Medium |
| Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 suffers from Multiple Stored Cross-Site Scripting (XSS) vulnerabilities via Shop Beat Control Panel found at www.shopbeat.co.za controlpanel.shopbeat.co.za. | ||||
| CVE-2023-2954 | 1 Djangoblog Project | 1 Djangoblog | 2025-01-13 | 5.4 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository liangliangyy/djangoblog prior to master. | ||||
| CVE-2023-32072 | 1 Enalean | 1 Tuleap | 2025-01-13 | 4.8 Medium |
| Tuleap is an open source tool for end to end traceability of application and system developments. Tuleap Community Edition prior to version 14.8.99.60 and Tuleap Enterprise edition prior to 14.8-3 and 14.7-7, the logs of the triggered Jenkins job URLs are not properly escaped. A malicious Git administrator can setup a malicious Jenkins hook to make a victim, also a Git administrator, execute uncontrolled code. Tuleap Community Edition 14.8.99.60, Tuleap Enterprise Edition 14.8-3, and Tuleap Enterprise Edition 14.7-7 contain a patch for this issue. | ||||
| CVE-2023-31184 | 1 Rozcom | 1 Rozcom Client | 2025-01-13 | 6.2 Medium |
| ROZCOM client CWE-798: Use of Hard-coded Credentials | ||||
| CVE-2023-29101 | 1 Muffingroup | 1 Betheme | 2025-01-13 | 7.1 High |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Muffingroup Betheme theme <= 26.7.5 versions. | ||||
| CVE-2022-40697 | 1 3commarketing | 1 3com-asesor-de-cookies | 2025-01-13 | 4.8 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in 3com – Asesor de Cookies para normativa española plugin <= 3.4.3 versions. | ||||
| CVE-2023-22721 | 1 Oi Yandex.maps Project | 1 Oi Yandex.maps | 2025-01-13 | 6.5 Medium |
| Auth. Stored Cross-Site Scripting (XSS) in Oi Yandex.Maps for WordPress <= 3.2.7 versions. | ||||