Export limit exceeded: 45554 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45554 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-40729 | 1 Netbox | 1 Netbox | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/interfaces/add/. | ||||
| CVE-2024-40728 | 1 Netbox | 1 Netbox | 2024-11-21 | 7.1 High |
| A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/{id}/edit/. | ||||
| CVE-2024-40727 | 1 Netbox | 1 Netbox | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/console-server-ports/add/. | ||||
| CVE-2024-40726 | 1 Netbox | 1 Netbox | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-ports/{id}/edit/. | ||||
| CVE-2024-40690 | 1 Ibm | 1 Infosphere Information Server | 2024-11-21 | 5.4 Medium |
| IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 297720. | ||||
| CVE-2024-40600 | 1 Mediawiki | 2 Mediawiki, Metrolook Skin | 2024-11-21 | 6.1 Medium |
| An issue was discovered in the Metrolook skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu entries. | ||||
| CVE-2024-3999 | 1 Spider-themes | 1 Eazydocs | 2024-11-21 | 4.8 Medium |
| The EazyDocs WordPress plugin before 2.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-3978 | 1 Andrewabarber | 1 Wordpress Jitsi Shortcode | 2024-11-21 | 5.4 Medium |
| The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-3977 | 1 Andrewabarber | 1 Wordpress Jitsi Shortcode | 2024-11-21 | 4.8 Medium |
| The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-3966 | 1 Projectcaruso | 1 Pray For Me | 2024-11-21 | 6.1 Medium |
| The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin | ||||
| CVE-2024-3938 | 1 Dotcms | 1 Dotcms | 2024-11-21 | 5.4 Medium |
| The "reset password" login page accepted an HTML injection via URL parameters. This has already been rectified via patch, and as such it cannot be demonstrated via Demo site link. Those interested to see the vulnerability may spin up a http://localhost:8082/dotAdmin/#/public/login?resetEmailSent=true&resetEmail=%3Ch1%3E%3Ca%20href%3D%22https:%2F%2Fgoogle.com%22%3ECLICK%20ME%3C%2Fa%3E%3C%2Fh1%3E This will result in a view along these lines: * OWASP Top 10 - A03: Injection * CVSS Score: 5.4 * AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator * https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N&... https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator | ||||
| CVE-2024-3850 | 1 Uniview | 2 Nvr301-04s2-p4, Nvr301-04s2-p4 Firmware | 2024-11-21 | 5.4 Medium |
| Uniview NVR301-04S2-P4 is vulnerable to reflected cross-site scripting attack (XSS). An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser. This vulnerability also requires authentication before it can be exploited, so the scope and severity is limited. Also, even if JavaScript is executed, no additional benefits are obtained. | ||||
| CVE-2024-3801 | 1 Conceptintermedia | 1 S\@m Cms | 2024-11-21 | 6.1 Medium |
| Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via including scripts in one of GET header parameters. Only a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears. | ||||
| CVE-2024-3408 | 2 Man, Man-group | 2 D-tale, Dtale | 2024-11-21 | 9.8 Critical |
| man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. | ||||
| CVE-2024-3402 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2024-11-21 | 5.4 Medium |
| A stored Cross-Site Scripting (XSS) vulnerability existed in version (20240121) of gaizhenbiao/chuanhuchatgpt due to inadequate sanitization and validation of model output data. Despite user-input validation efforts, the application fails to properly sanitize or validate the output from the model, allowing for the injection and execution of malicious JavaScript code within the context of a user's browser. This vulnerability can lead to the execution of arbitrary JavaScript code in the context of other users' browsers, potentially resulting in the hijacking of victims' browsers. | ||||
| CVE-2024-3378 | 1 Iboss | 1 Secure Web Gateway | 2024-11-21 | 4.3 Medium |
| A vulnerability has been found in iboss Secure Web Gateway up to 10.1 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /login of the component Login Portal. The manipulation of the argument redirectUrl leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 10.2.0.160 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-259501 was assigned to this vulnerability. | ||||
| CVE-2024-3288 | 1 Logichunt | 1 Logo Slider | 2024-11-21 | 5.4 Medium |
| The Logo Slider WordPress plugin before 4.0.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2024-3276 | 1 Fooplugins | 1 Foobox | 2024-11-21 | 4.8 Medium |
| The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-3166 | 1 Mintplexlabs | 2 Anythingllm Desktop, Anythingllm Webapp | 2024-11-21 | 9.6 Critical |
| A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of 'nodeIntegration' and the disabling of 'contextIsolation' in Electron's webPreferences. The issue has been addressed in version 1.4.2 of the desktop application. | ||||
| CVE-2024-3111 | 1 H5p | 1 H5p | 2024-11-21 | 5.4 Medium |
| The Interactive Content WordPress plugin before 1.15.8 does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues | ||||