Search Results (45455 CVEs found)

CVE Vendors Products Updated CVSS v3.1
(Columns: CVE ID, vendor count, vendor, product count, product, last updated as YYYY-MM-DD, CVSS v3.1 base score, severity rating. The line after each row is the CVE description.)
CVE-2023-46020 1 Code-projects 1 Blood Bank 2024-11-21 6.1 Medium
Cross-site scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to execute arbitrary web script in a victim's browser via the 'rename', 'remail', 'rphone' and 'rcity' parameters.
CVE-2023-46019 1 Code-projects 1 Blood Bank 2024-11-21 6.1 Medium
Cross-site scripting (XSS) vulnerability in abs.php in Code-Projects Blood Bank 1.0 allows attackers to execute arbitrary web script in a victim's browser via the 'error' parameter.
CVE-2023-46016 1 Code-projects 1 Blood Bank 2024-11-21 6.1 Medium
Cross-site scripting (XSS) in abs.php in Code-Projects Blood Bank 1.0 allows attackers to execute arbitrary web script in a victim's browser via the 'search' parameter in the application URL.
CVE-2023-46015 1 Code-projects 1 Blood Bank 2024-11-21 6.1 Medium
Cross-site scripting (XSS) vulnerability in index.php in Code-Projects Blood Bank 1.0 allows attackers to execute arbitrary web script in a victim's browser via the 'msg' parameter in the application URL.
CVE-2023-46003 1 I-doit 1 I-doit 2024-11-21 5.4 Medium
I-doit pro 25 and below is vulnerable to Cross Site Scripting (XSS) via index.php.
CVE-2023-45998 1 Kodcloud 1 Kodbox 2024-11-21 5.4 Medium
kodbox 1.44 is vulnerable to cross-site scripting (XSS): customizing the global HTML results in stored XSS.
CVE-2023-45992 1 Commscope 1 Ruckus Cloudpath Enrollment System 2024-11-21 9.6 Critical
A vulnerability in the web-based interface of the RUCKUS Cloudpath product, version 5.12 build 5538 or earlier, could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface. A successful attack, combined with a certain admin activity, could allow the attacker to gain full admin privileges on the exploited system.
CVE-2023-45958 1 Thirtybees 1 Thirty Bees 2024-11-21 6.1 Medium
Thirty Bees Core v1.4.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the backup_pagination parameter at /controller/AdminController.php. This vulnerability allows attackers to execute arbitrary JavaScript in the web browser of a user via a crafted payload.
CVE-2023-45957 1 Thirtybees 1 Thirty Bees 2024-11-21 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in the component admin/AdminRequestSqlController.php of thirty bees before 1.5.0 allows attackers to execute arbitrary web script or HTML via mishandling of the $e->getMessage() error output.
CVE-2023-45885 1 Nasa 1 Openmct 2024-11-21 5.4 Medium
Cross-site scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to execute arbitrary web script in a victim's browser via the new component feature in the flexibleLayout plugin.
CVE-2023-45881 1 Gibbonedu 1 Gibbon 2024-11-21 6.1 Medium
GibbonEdu Gibbon through version 25.0.0 allows a file upload via /modules/Planner/resources_addQuick_ajaxProcess.php with resultant XSS: when the imageAsLinks parameter is set to Y the response is returned as HTML, and the filename attribute of the bodyfile1 parameter is reflected in that response.
CVE-2023-45879 1 Gibbonedu 1 Gibbon 2024-11-21 5.4 Medium
GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.
CVE-2023-45869 1 Ilias 1 Ilias 2024-11-21 9 Critical
ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely when a highly privileged account accesses an XSS payload. The injected commands are executed via the exec() function in the execQuoted() method of the ilUtil class (/Services/Utilities/classes/class.ilUtil.php). This allows attackers to inject malicious commands into the system, potentially compromising the integrity, confidentiality and availability of the ILIAS installation and the underlying operating system.
CVE-2023-45837 1 Xydac 1 Ultimate Taxonomy Manager 2024-11-21 7.1 High
Unauthenticated reflected cross-site scripting (XSS) vulnerability in the XYDAC Ultimate Taxonomy Manager plugin, versions <= 2.0.
CVE-2023-45835 1 Libsyn 1 Libsyn Publisher Hub 2024-11-21 7.1 High
Unauthenticated reflected cross-site scripting (XSS) vulnerability in the Libsyn Publisher Hub plugin, versions <= 1.4.4.
CVE-2023-45833 1 Leadsquared 1 Leadsquared Suite 2024-11-21 5.9 Medium
Authenticated (admin or higher) stored cross-site scripting (XSS) vulnerability in the LeadSquared Suite plugin, versions <= 0.7.4.
CVE-2023-45829 1 Happybox 1 Newsletter & Bulk Email Sender 2024-11-21 6.5 Medium
Authenticated (contributor or higher) stored cross-site scripting (XSS) vulnerability in the HappyBox Newsletter & Bulk Email Sender – Email Newsletter Plugin for WordPress plugin, versions <= 2.0.1.
CVE-2023-45819 1 Tiny 1 Tinymce 2024-11-21 6.1 Medium
TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's Notification Manager API. The vulnerability exploits TinyMCE's unfiltered notification system, which is used in error handling. Exploitation requires carefully crafted malicious content to have been inserted into the editor and a notification to have been triggered. When a notification was opened, the HTML within its text argument was displayed unfiltered, so arbitrary JavaScript executed whenever such a notification was presented in the TinyMCE UI for the current user. This issue could also be exploited by any integration that uses a TinyMCE notification to display unfiltered HTML content. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring that the HTML displayed in the notification is sanitized. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-45818 1 Tiny 1 Tinymce 2024-11-21 6.1 Medium
TinyMCE is an open source rich text editor. A mutation cross-site scripting (mXSS) vulnerability was discovered in TinyMCE’s core undo and redo functionality. When a carefully-crafted HTML snippet passes the XSS sanitisation layer, it is manipulated as a string by internal trimming functions before being stored in the undo stack. If the HTML snippet is restored from the undo stack, the combination of the string manipulation and reparative parsing by either the browser's native [DOMParser API](https://developer.mozilla.org/en-US/docs/Web/API/DOMParser) (TinyMCE 6) or the SaxParser API (TinyMCE 5) mutates the HTML maliciously, allowing an XSS payload to be executed. This vulnerability has been patched in TinyMCE 5.10.8 and TinyMCE 6.7.1 by ensuring HTML is trimmed using node-level manipulation instead of string manipulation. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-45815 1 Archivebox 1 Archivebox 2024-11-21 6.4 Medium
ArchiveBox is an open source self-hosted web archiving system. Any user who uses the `wget` extractor and views the content it outputs is affected. The impact is potentially severe if you are logged in to the ArchiveBox admin site in the same browser session and view an archived malicious page designed to target your ArchiveBox instance: malicious JavaScript could act with your logged-in admin credentials and add, remove or modify snapshots, add, remove or modify ArchiveBox users, and generally do anything an admin user could do. The impact is less severe for non-logged-in users, as malicious JavaScript cannot *modify* any archives, but it can still *read* all the other archived content by fetching the snapshot index and iterating through it. Because all of ArchiveBox's archived content is served from the same host and port as the admin panel, JavaScript in an archived page executes in the same origin as every other archived page and the admin panel, so the browser's same-origin protections (and the CSRF defenses that rely on them) do not isolate it, leading to this issue. A patch is being developed in https://github.com/ArchiveBox/ArchiveBox/issues/239. Mitigations for this issue are to disable the wget extractor with `archivebox config --set SAVE_WGET=False`, to ensure you are always logged out when viewing archived content, or to serve only a [static HTML version](https://github.com/ArchiveBox/ArchiveBox/wiki/Publishing-Your-Archive#2-export-and-host-it-as-static-html) of your archive.
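The rows above share one fixed layout (CVE ID, vendor count, vendor, product count, product, updated date, CVSS v3.1 score, severity label), each followed by its description. The following is an added example, not part of this listing or of any database tooling: it parses rows in that layout, checks that every severity label agrees with the CVSS v3.1 qualitative rating of its score, and orders rows at or above a score threshold for triage, putting the ones whose description indicates no authentication is required first. The column layout is inferred from the header row; the `unauthenticated` heuristic (the "Unauth." prefix some CNAs use, or "unauthenticated attacker" in the prose) and all function names are this example's own assumptions; the sample rows are copied from the listing.

```python
"""Parse rows of a CVE export listing and rank them for triage.

Added example; not part of the listing or its tooling. The column layout
is inferred from the listing's header row; the sample rows below are copied
from the listing itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: five row/description pairs taken from the listing.
SAMPLE = """\
CVE-2023-46020 1 Code-projects 1 Blood Bank 2024-11-21 6.1 Medium
Cross Site Scripting (XSS) in updateprofile.php in Code-Projects Blood Bank 1.0 allows attackers to run arbitrary code via the 'rename', 'remail', 'rphone' and 'rcity' parameters.
CVE-2023-45992 1 Commscope 1 Ruckus Cloudpath Enrollment System 2024-11-21 9.6 Critical
A vulnerability in the web-based interface of the RUCKUS Cloudpath product, version 5.12 build 5538 or earlier, could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface.
CVE-2023-45869 1 Ilias 1 Ilias 2024-11-21 9 Critical
ILIAS 7.25 (2023-09-12) allows any authenticated user to execute arbitrary operating system commands remotely, when a highly privileged account accesses an XSS payload.
CVE-2023-45837 1 Xydac 1 Ultimate Taxonomy Manager 2024-11-21 7.1 High
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in XYDAC Ultimate Taxonomy Manager plugin <= 2.0 versions.
CVE-2023-45833 1 Leadsquared 1 Leadsquared Suite 2024-11-21 5.9 Medium
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in LeadSquared Suite plugin <= 0.7.4 versions.
"""

# One listing row: id, vendor count, vendor, product count, product, date,
# score, rating. Vendor and product are matched lazily so multi-word names
# ("Blood Bank", "Ruckus Cloudpath Enrollment System") are kept whole.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<nvendors>\d+)\s+(?P<vendor>.+?)\s+"
    r"(?P<nproducts>\d+)\s+(?P<product>.+?)\s+"
    r"(?P<updated>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<score>\d+(?:\.\d+)?)\s+"
    r"(?P<severity>None|Low|Medium|High|Critical)$"
)


@dataclass
class CveRow:
    cve: str
    vendor: str
    product: str
    updated: str
    score: float
    severity: str
    description: str = ""

    @property
    def unauthenticated(self) -> bool:
        # Heuristic (assumption of this example): the "Unauth." prefix some
        # CNAs use, or an explicit "unauthenticated attacker" in the prose.
        return "unauth" in self.description.lower()


def v31_rating(score: float) -> str:
    """Qualitative rating for a CVSS v3.1 base score (spec section 5)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_listing(text: str) -> list[CveRow]:
    """Pair each row with the description line(s) that follow it."""
    rows: list[CveRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(CveRow(m["cve"], m["vendor"], m["product"], m["updated"],
                               float(m["score"]), m["severity"]))
        elif rows:  # continuation of the current row's description
            rows[-1].description = (rows[-1].description + " " + line).strip()
        # Text before the first row (headers, page residue) is ignored.
    return rows


def rating_mismatches(rows: list[CveRow]) -> list[str]:
    """CVEs whose severity label disagrees with the v3.1 rating of their score."""
    return [r.cve for r in rows if v31_rating(r.score) != r.severity]


def triage(rows: list[CveRow], min_score: float = 7.0) -> list[str]:
    """CVEs at or above min_score: unauthenticated ones first, then by score."""
    hits = [r for r in rows if r.score >= min_score]
    hits.sort(key=lambda r: (not r.unauthenticated, -r.score, r.cve))
    return [r.cve for r in hits]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for cve_id in triage(parsed):
        print(cve_id)
    print("label mismatches:", rating_mismatches(parsed))
```

On the sample, `triage` returns the two unauthenticated issues (CVE-2023-45992 at 9.6, then CVE-2023-45837 at 7.1) ahead of the authenticated ILIAS command execution at 9.0, and `rating_mismatches` is empty because every label in the listing matches its score band. Feed it a larger export and the mismatch check catches rows whose label was set by hand rather than derived from the score.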