Search Results (45567 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-9436 | 1 Vivwebsolutions | 1 Dynamic Widgets | 2024-11-27 | 5.4 Medium |
| The dynamic-widgets plugin before 1.5.11 for WordPress has XSS via the wp-admin/admin-ajax.php?action=term_tree prefix or widget_id parameter. | ||||
| CVE-2023-35155 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 8.8 High |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). For instance, the following URL executes an `alert` in the browser: `<xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `<xwiki-host>` is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. | ||||
| CVE-2023-35156 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 9.7 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). The delete template can be exploited to perform XSS, e.g. with a URL such as `xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)`. This vulnerability has existed since XWiki 6.0-rc-1. It has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch was provided in 14.10.5 but was not enough to fix the vulnerability entirely. | ||||
| CVE-2023-35157 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 8.5 High |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform XSS by forging a request to the delete attachment action with a specially crafted attachment name. This XSS can be exploited only if the attacker knows the user's CSRF token, or if the user ignores the warning about the missing CSRF token. The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6. | ||||
| CVE-2023-35159 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 9.7 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). The deletespace template can be exploited to perform XSS, e.g. with a URL such as `xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain)`. This vulnerability has existed since XWiki 3.4-milestone-1. It has been patched in XWiki 14.10.5 and 15.1-rc-1. | ||||
| CVE-2023-35160 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 9.7 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). The resubmit template can be exploited to perform XSS, e.g. with a URL such as `xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain)`. This vulnerability has existed since XWiki 2.5-milestone-2. It has been patched in XWiki 14.10.5 and 15.1-rc-1. | ||||
| CVE-2023-43870 | 1 Paxton-access | 1 Net2 | 2024-11-27 | 8.1 High |
| When the Net2 software is installed, a root certificate is installed into the trusted store. An attacker could access the installer batch file or reverse engineer the source code to obtain the root certificate password. With the root certificate and its password they could then issue their own certificates to impersonate another site. By standing up a proxy service that emulates that site, they could monitor the traffic passed between the end user and the site and read its contents. | ||||
| CVE-2023-35161 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 9.7 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). The DeleteApplication page can be exploited to perform XSS, e.g. with a URL such as `xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain)`. This vulnerability has existed since XWiki 6.2-milestone-1. It has been patched in XWiki 14.10.5 and 15.1-rc-1. | ||||
| CVE-2023-1783 | 1 Orangescrum | 1 Orangescrum | 2024-11-27 | 6.5 Medium |
| OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content that it converts to PDF. | ||||
| CVE-2023-1724 | 1 Ladybirdweb | 1 Faveo Helpdesk | 2024-11-27 | 7.3 High |
| Faveo Helpdesk Enterprise version 6.0.1 allows an attacker with agent permissions to escalate privileges within the application. This occurs because the application is vulnerable to stored XSS. | ||||
| CVE-2023-36291 | 1 Maxsite | 1 Maxsite Cms | 2024-11-27 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in Maxsite CMS v.108.7 allows a remote attacker to execute arbitrary code via the f_content parameter of admin/page_new. | ||||
| CVE-2023-6013 | 1 H2o | 1 H2o | 2024-11-27 | 5.4 Medium |
| H2O has a stored XSS vulnerability that can lead to a local file inclusion attack. | ||||
| CVE-2023-37254 | 1 Mediawiki | 1 Mediawiki | 2024-11-27 | 6.1 Medium |
| An issue was discovered in the Cargo extension for MediaWiki through 1.39.3. XSS can occur in Special:CargoQuery via a crafted page item when using the default format. | ||||
| CVE-2024-27313 | 1 Zohocorp | 1 Manageengine Pam360 | 2024-11-27 | 6.3 Medium |
| Zoho ManageEngine PAM360 has a stored XSS vulnerability. Only version 6610 is affected. | ||||
| CVE-2023-3311 | 1 Online-shopping-system-advanced Project | 1 Online-shopping-system-advanced | 2024-11-27 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in PuneethReddyHC online-shopping-system-advanced 1.0. This affects an unknown part of the file addsuppliers.php. The manipulation of the argument First name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-231807. | ||||
| CVE-2023-44389 | 1 Zope | 1 Zope | 2024-11-27 | 3.1 Low |
| Zope is an open-source web application server. The title property, available on most Zope objects, can be used to store script code that is executed while viewing the affected object in the Zope Management Interface (ZMI). All versions of Zope 4 and Zope 5 are affected. Patches will be released with Zope versions 4.8.11 and 5.8.6. | ||||
| CVE-2023-33336 | 1 Sophos | 1 Web Appliance | 2024-11-27 | 4.8 Medium |
| A reflected cross-site scripting (XSS) vulnerability was discovered in Sophos Web Appliance v4.3.9.1 that allows arbitrary code to be injected via double quotes. | ||||
| CVE-2023-34840 | 1 Angular-ui-notification Project | 1 Angular-ui-notification | 2024-11-27 | 6.1 Medium |
| angular-ui-notification v0.1.0, v0.2.0, and v0.3.6 was discovered to contain a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2023-34734 | 1 Secnet | 1 Annet Ac Centralized Management Platform | 2024-11-27 | 4.8 Medium |
| Annet AC Centralized Management Platform 1.02.040 is vulnerable to stored cross-site scripting (XSS). | ||||
| CVE-2023-50924 | 1 Engelsystem | 1 Engelsystem | 2024-11-27 | 7.3 High |
| Engelsystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user-supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields were displayed in the corresponding log overviews, allowing the injection and execution of JavaScript code in another user's context. This vulnerability enables an authenticated user to inject JavaScript into other users' sessions. The injected JS is executed during normal use of the system, e.g. when viewing overview pages. This issue has been fixed in version 3.4.1. | ||||
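Four of the XWiki entries above (CVE-2023-35156, CVE-2023-35159, CVE-2023-35160 and CVE-2023-35161) share one root cause: a navigation parameter (`xredirect`, `resubmit`, `xback`) is accepted and used as a redirect target without its scheme being restricted, so `javascript:alert(document.domain)` runs when the browser follows it. The following is an added example, not XWiki's code, of how a server-side handler can validate such a parameter before using it. The host name `wiki.example.org` and the fallback target `/` are assumptions made for the example.

```python
from typing import Container, Optional
from urllib.parse import unquote, urlsplit

# Hosts the wiki is allowed to send the browser to; constructed for this example.
ALLOWED_HOSTS = frozenset({"wiki.example.org"})
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: Optional[str],
                         allowed_hosts: Container[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return `raw` if it is a same-site redirect target, otherwise `default`.

    Anything carrying a scheme other than http(s) (javascript:, data:, vbscript:,
    file:) is refused, as are scheme-relative ("//host") and backslash ("/\\host")
    forms that browsers treat as leaving the site.
    """
    if not raw:
        return default
    # Validate a decoded copy so "%6Aavascript:" or "%2F%2Fevil" cannot slip past,
    # but hand back the caller's original string once it passes.
    value = unquote(raw)
    # Browsers ignore tab, CR and LF inside a URL, so "java\tscript:" still runs.
    value = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    if not value or any(ord(ch) < 0x20 for ch in value):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:          # e.g. a malformed bracketed IPv6 authority
        return default
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        # hostname is taken after any user@ part, so
        # "https://wiki.example.org@evil.example/" yields "evil.example" and is refused.
        host = (parts.hostname or "").lower()
        return raw if host in allowed_hosts else default
    if scheme:
        return default          # javascript:, data:, vbscript:, file:, ...
    # Scheme-less: accept only an absolute path on this origin. "//host" is
    # protocol-relative and "/\host" is treated the same way by Chromium/WebKit.
    if value.startswith("/") and not value.startswith(("//", "/\\")):
        return raw
    return default


if __name__ == "__main__":
    # Payload from the XWiki advisories above, followed by a legitimate target.
    for candidate in ("javascript:alert(document.domain)", "/xwiki/bin/view/Sandbox/"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Validating the decoded copy but returning the original string keeps the function from rewriting legitimate targets; the only transformation it performs is the decision to fall back to `/`. Relative references without a leading slash are refused deliberately, since the redirect parameters in these advisories are absolute paths or full URLs.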
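CVE-2023-1783 above (OrangeScrum) reports that unvalidated HTML handed to the PDF converter let a remote attacker read AWS instance credentials, which points at the converter fetching attacker-chosen URLs, the instance metadata service among them; CVE-2023-6013 (H2O) similarly pairs stored XSS with local file inclusion. The following is an added example, not OrangeScrum's or H2O's code, of screening the resource references in a document before it is rendered: every `src`, `<link href>` and similar attribute must be an http(s) URL whose host resolves only to public addresses, while `file:` and relative references are refused because converters commonly resolve them against a local base. The sample HTML, the `STUB_DNS` table and the host names in it are constructed so the example runs offline; production code would use the default system resolver.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

# Attributes through which HTML-to-PDF engines load external resources.
# Styles (url() in style attributes and <style> blocks) and srcset are not
# covered here and need the same check.
_FETCH_ATTRS = {"src", "data", "poster", "background", "xlink:href"}
Resolver = Callable[[str], Iterable[str]]


def _default_resolve(host: str) -> List[str]:
    """System resolver; on common libc implementations this also normalises
    numeric shorthand such as a single decimal integer for an IPv4 address."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(ip) -> bool:
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:          # ::ffff:169.254.169.254 is still the metadata host
        ip = mapped
    return ip.is_global and not ip.is_multicast


def is_allowed_resource_url(url: str, resolve: Resolver = _default_resolve) -> bool:
    """True if a converter may fetch `url` while rendering untrusted HTML."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    if scheme == "data":
        return True                 # inline payload, nothing is fetched
    if scheme not in ("http", "https"):
        return False                # file:, ftp:, gopher:, and bare relative paths
    host = parts.hostname
    if not host:
        return False
    try:
        addresses = [ipaddress.ip_address(host)]      # IP literal, nothing to resolve
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
    # Every record must be public: a name with one public and one internal
    # address is how DNS-based SSRF bypasses get through an allowlist.
    return bool(addresses) and all(_is_public(ip) for ip in addresses)


class _ResourceCollector(HTMLParser):
    """Collect every attribute value that would trigger a fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (name in _FETCH_ATTRS or (tag == "link" and name == "href")):
                self.urls.append(value)


def unsafe_resource_urls(html: str, resolve: Resolver = _default_resolve) -> List[str]:
    """Return the resource URLs in `html` that must not be fetched; empty means safe to render."""
    collector = _ResourceCollector()
    collector.feed(html)
    collector.close()
    return [u for u in collector.urls if not is_allowed_resource_url(u, resolve)]


# Constructed DNS table so the example runs offline.
STUB_DNS = {
    "cdn.example.com": ["93.184.216.34"],                    # ordinary public host
    "metadata.attacker.example": ["169.254.169.254"],        # DNS name fronting the IMDS
    "dual.attacker.example": ["93.184.216.34", "10.0.0.5"],  # one public and one internal record
}


def stub_resolve(host: str) -> List[str]:
    return STUB_DNS.get(host, [])


# Constructed document of the kind an attacker might submit for PDF export.
SAMPLE_HTML = """
<h1>Invoice</h1>
<img src="https://cdn.example.com/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<img src="http://169.254.169.254/latest/meta-data/">
<iframe src="file:///etc/passwd"></iframe>
<link rel="stylesheet" href="http://metadata.attacker.example/style.css">
<img src="http://dual.attacker.example/pixel.png">
<img src="http://[fd00:ec2::254]/latest/meta-data/">
<img src="/relative/logo.png">
"""


def demo() -> List[str]:
    return unsafe_resource_urls(SAMPLE_HTML, stub_resolve)


if __name__ == "__main__":
    for blocked in demo():
        print("blocked:", blocked)
```

Rejecting a document outright when `unsafe_resource_urls` returns anything is simpler and safer than stripping the offending tags, since the converter's own base-URL and redirect handling cannot be reasoned about from the HTML alone. Resolving at check time still leaves a window for DNS rebinding; the durable fix is to run the converter with no route to the metadata service and internal networks, with this screening as the first layer.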