Search Results (45462 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-46998 | 1 Bootboxjs | 1 Bootbox | 2024-11-21 | 6.1 Medium | Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to the alert(), confirm(), and prompt() functions. |
| CVE-2023-46974 | 1 Mayurik | 1 Courier Management System | 2024-11-21 | 5.4 Medium | Cross Site Scripting vulnerability in Best Courier Management System v.1.000 allows a remote attacker to execute arbitrary code via a crafted payload to the page parameter in the URL. |
| CVE-2023-46964 | 2 Hillstone, Hillstonenet | 3 Next Generation Firewall Sg-6000-e3960, Sc-6000-e3960, Sc-6000-e3960 Firmware | 2024-11-21 | 6.1 Medium | Cross Site Scripting (XSS) vulnerability in Hillstone Next Generation FireWall SG-6000-e3960 v.5.5 allows a remote attacker to execute arbitrary code because the product relies on front-end filtering instead of back-end filtering. |
| CVE-2023-46943 | 1 Evershop | 1 Evershop | 2024-11-21 | 9.1 Critical | An issue was discovered in NPM's package @evershop/evershop before version 1.0.0-rc.8. The HMAC secret used for generating tokens is hardcoded as "secret". A weak HMAC secret poses a risk because attackers can use the predictable secret to create valid JSON Web Tokens (JWTs), allowing them access to important information and actions within the application. |
| CVE-2023-46935 | 1 Eyoucms | 1 Eyoucms | 2024-11-21 | 5.4 Medium | eyoucms v1.6.4 is vulnerable to Cross Site Scripting (XSS), which can lead to stealing sensitive information of logged-in users. |
| CVE-2023-46925 | 1 Reportico | 1 Reportico | 2024-11-21 | 4.8 Medium | Reportico 7.1.21 is vulnerable to Cross Site Scripting (XSS). |
| CVE-2023-46918 | 1 Fedirtsapana | 1 Simple Http Server Plus | 2024-11-21 | 4.6 Medium | Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true. This could be leveraged by an attacker with physical access to the device. |
| CVE-2023-46911 | 1 Jspxcms | 1 Jspxcms | 2024-11-21 | 6.1 Medium | There is a Cross Site Scripting (XSS) vulnerability in the choose_style_tree.do interface of the Jspxcms v10.2.0 backend. |
| CVE-2023-46858 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.4 Medium | Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not." |
| CVE-2023-46857 | 1 Squidex.io | 1 Squidex | 2024-11-21 | 5.4 Medium | Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attacker with the assets.create permission is required for exploitation. |
| CVE-2023-46854 | 1 Proxmox | 1 Proxmox-widget-toolkit | 2024-11-21 | 5.4 Medium | Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxmox products, allows XSS via the edit notes feature. |
| CVE-2023-46824 | 1 Omaksolutions | 1 Slick Popup | 2024-11-21 | 4.8 Medium | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Om Ak Solutions Slick Popup: Contact Form 7 Popup Plugin plugin, versions <= 1.7.14. |
| CVE-2023-46822 | 1 Visser | 1 Store Exporter For Woocommerce | 2024-11-21 | 6.1 Medium | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Visser Labs Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More plugin, versions <= 2.7.2. |
| CVE-2023-46783 | 1 Brightplugins | 1 Pre-orders For Woocommerce | 2024-11-21 | 5.4 Medium | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Bright Plugins Pre-Orders for WooCommerce plugin, versions <= 1.2.13. |
| CVE-2023-46782 | 1 Chrisyee | 1 Momentopress For Momento360 | 2024-11-21 | 5.4 Medium | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Chris Yee MomentoPress for Momento360 plugin, versions <= 1.0.1. |
| CVE-2023-46744 | 1 Squidex.io | 1 Squidex | 2024-11-21 | 5.4 Medium | Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images is insufficient, resulting in stored XSS attacks. Squidex allows CMS contributors to be granted the permission to upload an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present. This list only contains the element "script". 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However, it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an `<iframe>` element with a "src" attribute containing a "javascript:" value. Authenticated adversaries with the "assets.create" permission can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS. |
| CVE-2023-46735 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.1 Medium | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` no longer returns any user-submitted input in its response. |
| CVE-2023-46732 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 9.7 Critical | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14. The patch in commit `04e325d57` can be manually applied without upgrading (or restarting) the instance. Users are advised to upgrade or to manually apply the patch. There are no known workarounds for this vulnerability. |
| CVE-2023-46722 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | 6.1 Medium | The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually. |
| CVE-2023-46711 | 1 Buffalo | 2 Vr-s1000, Vr-s1000 Firmware | 2024-11-21 | 4.6 Medium | VR-S1000 firmware Ver. 2.37 and earlier uses a hard-coded cryptographic key, which may allow an attacker to analyze the password of a specific product user. |