Search Results (45554 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-3110 | 1 Mintplexlabs | 1 Anythingllm | 2024-11-21 | 8.7 High | A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them into the application UI as external links with custom icons. Specifically, the application does not prevent the inclusion of 'javascript:' protocol payloads in URLs, which can be exploited by a user with manager role to execute arbitrary JavaScript code in the context of another user's session. This flaw can be leveraged to steal the admin's authorization token by crafting malicious URLs that, when clicked by the admin, send the token to an attacker-controlled server. The attacker can then use this token to perform unauthorized actions, escalate privileges to admin, or directly take over the admin account. The vulnerability is triggered when the malicious link is opened in a new tab using either the CTRL + left mouse button click or the mouse scroll wheel click, or in some non-updated versions of modern browsers, by directly clicking on the link. |
| CVE-2024-39863 | 1 Apache | 1 Airflow | 2024-11-21 | 5.4 Medium | Apache Airflow versions before 2.9.3 have a vulnerability that allows an authenticated attacker to inject a malicious link when installing a provider. Users are recommended to upgrade to version 2.9.3, which fixes this issue. |
| CVE-2024-39735 | 1 Ibm | 2 Datacap, Datacap Navigator | 2024-11-21 | 5.4 Medium | IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 296002. |
| CVE-2024-39728 | 1 Ibm | 2 Datacap, Datacap Navigator | 2024-11-21 | 6.4 Medium | IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 295967. |
| CVE-2024-39374 | 1 Markoni | 4 Markoni-d (compact), Markoni-d (compact) Firmware, Markoni-dh (exciter+amplifiers) and 1 more | 2024-11-21 | 9.8 Critical | TELSAT marKoni FM Transmitters are vulnerable to an attacker exploiting a hidden admin account that can be accessed through the use of hard-coded credentials. |
| CVE-2024-39308 | 1 Rails Admin Project | 1 Rails Admin | 2024-11-21 | 5.4 Medium | RailsAdmin is a Rails engine that provides an interface for managing data. The RailsAdmin list view has an XSS vulnerability, caused by an improperly escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released). |
| CVE-2024-39143 | 1 Coderberg | 1 Residencecms | 2024-11-21 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside which acts as a stored XSS payload. |
| CVE-2024-39124 | 1 Roundup-tracker | 1 Roundup | 2024-11-21 | 6.1 Medium | In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS. |
| CVE-2024-38972 | 1 Netbox | 1 Netbox | 2024-11-21 | 6.1 Medium | A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-ports/add/. |
| CVE-2024-38786 | 1 Burgersoftwares | 1 Cozipress | 2024-11-21 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BurgerThemes CoziPress allows Stored XSS. This issue affects CoziPress: from n/a through 1.0.30. |
| CVE-2024-38785 | 1 Jegstudio | 1 Gutenverse | 2024-11-21 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jegstudio Gutenverse allows Stored XSS. This issue affects Gutenverse: from n/a through 1.9.2. |
| CVE-2024-38784 | 1 Livemesh | 1 Beaver Builder Addons | 2024-11-21 | 5.9 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Beaver Builder allows Stored XSS. This issue affects Livemesh Addons for Beaver Builder: from n/a through 3.6.1. |
| CVE-2024-38782 | 1 Mapsmarker | 1 Leaflet Maps Marker | 2024-11-21 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MapsMarker.Com e.U. Leaflet Maps Marker allows Stored XSS. This issue affects Leaflet Maps Marker: from n/a through 3.12.9. |
| CVE-2024-38781 | 1 Artistscope | 1 Copysafe Web Protection | 2024-11-21 | 7.1 High | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ArtistScope CopySafe Web Protection allows Reflected XSS. This issue affects CopySafe Web Protection: from n/a through 3.15. |
| CVE-2024-38521 | 1 Hushline | 1 Hush Line | 2024-11-21 | 8.8 High | Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. There is a stored XSS in the Inbox. The input is displayed using the `safe` Jinja2 attribute, and thus not sanitized upon display. This issue has been patched in version 0.1.0. |
| CVE-2024-38507 | 1 Jetbrains | 1 Hub | 2024-11-21 | 3.5 Low | In JetBrains Hub before 2024.2.34646, stored XSS via project description was possible. |
| CVE-2024-38493 | 1 Broadcom | 1 Symantec Privileged Access Management | 2024-11-21 | 6.1 Medium | A reflected cross-site scripting (XSS) vulnerability exists in the PAM UI web interface. A remote attacker able to convince a PAM user to click on a specially crafted link to the PAM UI web interface could potentially execute arbitrary client-side code in the context of PAM UI. |
| CVE-2024-38436 | 1 Commugen | 1 Sox 365 | 2024-11-21 | 6.1 Medium | Commugen SOX 365 – CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2024-38430 | 1 Matrix-globalservices | 1 Tafnit | 2024-11-21 | 5.4 Medium | Matrix – CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2024-38354 | 1 Hackmd | 1 Codimd | 2024-11-21 | 8.1 High | CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe `HTML` tags with an improperly sanitized `name` attribute. This vulnerability enables attackers to perform cross-site scripting (XSS) attacks via DOM clobbering. This vulnerability is fixed in 2.5.4. |