Search Results (45415 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-39517 | 1 Joplin Project | 1 Joplin | 2024-11-21 | 8.2 High |
| Joplin is a free, open source note taking and to-do application. A cross-site scripting (XSS) vulnerability in affected versions allows clicking on an untrusted image link to execute arbitrary shell commands. The HTML sanitizer (`packages/renderer/htmlUtils.ts::sanitizeHtml`) preserves `<map>` `<area>` links. However, unlike `<a>` links, their `target` and `href` attributes are not removed. Additionally, because the note preview pane isn't sandboxed to prevent top navigation, links with `target` set to `_top` can replace the top-level Electron page. Because any top-level Electron page, with Joplin's setup, has access to `require` and can require Node libraries, a malicious replacement top-level page can import `child_process` and execute arbitrary shell commands. This issue has been fixed in commit 7c52c3e9a81a52ef1b42a951f9deb9d378d59b0f, which is included in release version 2.12.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-39437 | 1 Sap | 1 Business One | 2024-11-21 | 7.6 High |
| SAP Business One version 10.0 allows an attacker to insert malicious code into the content of a web page or application and have it delivered to the client, resulting in cross-site scripting. This could lead to harmful actions affecting the confidentiality, integrity and availability of the application. | ||||
| CVE-2023-39429 | 1 Furunosystems | 24 Acera 1010, Acera 1010 Firmware, Acera 1020 and 21 more | 2024-11-21 | 5.4 Medium |
| Cross-site scripting vulnerability in FURUNO SYSTEMS wireless LAN access point devices allows an authenticated user to inject an arbitrary script via a crafted configuration. Affected products and versions are as follows: ACERA 1210 firmware ver.02.36 and earlier, ACERA 1150i firmware ver.01.35 and earlier, ACERA 1150w firmware ver.01.35 and earlier, ACERA 1110 firmware ver.01.76 and earlier, ACERA 1020 firmware ver.01.86 and earlier, ACERA 1010 firmware ver.01.86 and earlier, ACERA 950 firmware ver.01.60 and earlier, ACERA 850F firmware ver.01.60 and earlier, ACERA 900 firmware ver.02.54 and earlier, ACERA 850M firmware ver.02.06 and earlier, ACERA 810 firmware ver.03.74 and earlier, and ACERA 800ST firmware ver.07.35 and earlier. They are affected when running in ST (Standalone) mode. | ||||
| CVE-2023-39422 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-11-21 | 6.5 Medium |
| The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticate requests using HMAC tokens. These tokens are, however, exposed in a JavaScript file loaded on the client side, so any client can read them, rendering this extra protection useless. | ||||
| CVE-2023-39421 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-11-21 | 7.7 High |
| The RDPWin.dll component as used in the IRM Next Generation booking engine includes a set of hardcoded API keys for third-party services such as Twilio and Vonage. These keys allow unrestricted interaction with these services. | ||||
| CVE-2023-39420 | 1 Resortdata | 1 Internet Reservation Module Next Generation | 2024-11-21 | 9.9 Critical |
| The RDPCore.dll component as used in the IRM Next Generation booking engine allows a remote user to connect to customer deployments with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once that routine is reverse-engineered, an attacker can generate the daily password and connect to any customer deployment. Because this is an administrative account, anyone logging into a customer deployment has full, unrestricted access to the application. | ||||
| CVE-2023-39370 | 1 Startrinity | 1 Softswitch | 2024-11-21 | 8.8 High |
| StarTrinity Softswitch version 2023-02-16 is vulnerable to persistent (stored) cross-site scripting (CWE-79). | ||||
| CVE-2023-39369 | 1 Startrinity | 1 Softswitch | 2024-11-21 | 8.8 High |
| StarTrinity Softswitch version 2023-02-16 is vulnerable to multiple reflected cross-site scripting issues (CWE-79). | ||||
| CVE-2023-39314 | 1 Te-st | 1 Leyka | 2024-11-21 | 7.1 High |
| Unauthenticated reflected cross-site scripting (XSS) vulnerability in the Teplitsa of social technologies Leyka plugin, versions <= 3.30.2. | ||||
| CVE-2023-39266 | 2 Arubanetworks, Hpe | 11 Aruba 2530, Aruba 2530ya, Aruba 2530yb and 8 more | 2024-11-21 | 8.3 High |
| A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | ||||
| CVE-2023-39208 | 1 Zoom | 1 Zoom | 2024-11-21 | 6.5 Medium |
| Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access. | ||||
| CVE-2023-39175 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.6 Medium |
| In JetBrains TeamCity before 2023.05.2, reflected XSS via the GitHub integration was possible. | ||||
| CVE-2023-39164 | 1 Amitzy | 1 Molongui | 2024-11-21 | 7.1 High |
| Unauthenticated reflected cross-site scripting (XSS) vulnerability in the Molongui Author Box for Authors, Co-Authors, Multiple Authors and Guest Authors – Molongui plugin, versions <= 4.6.19. | ||||
| CVE-2023-39162 | 1 Xlplugins | 1 Woo-confirmation-email | 2024-11-21 | 7.1 High |
| Unauthenticated reflected cross-site scripting (XSS) vulnerability in the XLPlugins User Email Verification for WooCommerce plugin, versions <= 3.5.0. | ||||
| CVE-2023-39151 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 5.4 Medium |
| Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. | ||||
| CVE-2023-39097 | 1 Webboss | 1 Webboss.io Cms | 2024-11-21 | 5.4 Medium |
| WebBoss.io CMS v3.7.0.1 contains a stored cross-site scripting (XSS) vulnerability. | ||||
| CVE-2023-39096 | 1 Webboss | 1 Webboss.io Cms | 2024-11-21 | 5.4 Medium |
| WebBoss.io CMS v3.7.0.1 contains a stored Cross-Site Scripting (XSS) vulnerability due to lack of input validation and output encoding. | ||||
| CVE-2023-39094 | 1 Zerowdd | 1 Studentmanager | 2024-11-21 | 5.4 Medium |
| Cross-site scripting vulnerability in ZeroWdd studentmanager v.1.0 allows a remote attacker to execute arbitrary web script via the username parameter in the student list function. | ||||
| CVE-2023-39067 | 1 Zlmediakit | 1 Zlmediakit | 2024-11-21 | 6.1 Medium |
| Cross-site scripting vulnerability in ZLMediaKit v.4.0 and v.5.0 allows an attacker to execute arbitrary web script via a crafted payload in the URL. | ||||
| CVE-2023-39062 | 1 Html2pdf Project | 1 Html2pdf | 2024-11-21 | 6.1 Medium |
| Cross-site scripting vulnerability in Spipu HTML2PDF before v.5.2.8 allows a remote attacker to execute arbitrary web script via a crafted script submitted to forms.php. | ||||
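The Joplin entry (CVE-2023-39517) describes a sanitizer that strips navigation attributes from `<a>` but forgets that `<area>` carries the same `href`/`target` pair. The following is an added example written for this page, not Joplin's `sanitizeHtml`: a toy attribute sanitizer in JavaScript that reproduces the per-tag deny-list mistake next to a hardened variant that keys the rule on the attribute instead of the element. The tokenizer, `scrubNavigation`, `findTopNavigationLinks` and the `MALICIOUS_NOTE` input are all constructed for the example.

```javascript
// Added example, not Joplin's code: a toy HTML attribute sanitizer that reproduces the
// class of bug behind CVE-2023-39517 (per-tag deny-list that forgets <area>) beside a
// hardened variant that treats navigation attributes uniformly on every element.
// The tokenizer only understands start tags with double-quoted attribute values, which
// is enough for the constructed note below; it is not a general HTML parser.

const TAG_RE = /<([a-zA-Z][\w-]*)((?:\s+[\w:-]+(?:="[^"]*")?)*)\s*(\/?)>/g;
const ATTR_RE = /([\w:-]+)(?:="([^"]*)")?/g;

function parseAttrs(raw) {
  return Array.from(raw.matchAll(ATTR_RE), (m) => [m[1].toLowerCase(), m[2] ?? ""]);
}

function serialize(tag, attrs, selfClosing) {
  const body = attrs.map(([k, v]) => ` ${k}="${v}"`).join("");
  return `<${tag}${body}${selfClosing ? " /" : ""}>`;
}

// Shared rule: note content never picks the browsing context, and only plain
// web URLs survive as link targets (file:, javascript:, app schemes are dropped).
function scrubNavigation(attrs) {
  return attrs.filter(([name, value]) => {
    if (name === "target") return false;
    if (name === "href") return /^https?:/i.test(value.trim());
    return true;
  });
}

// Vulnerable pattern: the rule is keyed on the tag name, so <area> (and any other
// element that can carry href/target) is passed through untouched.
function sanitizeVulnerable(html) {
  return html.replace(TAG_RE, (_, tag, rawAttrs, slash) => {
    const name = tag.toLowerCase();
    let attrs = parseAttrs(rawAttrs);
    if (name === "a") attrs = scrubNavigation(attrs);
    return serialize(name, attrs, slash === "/");
  });
}

// Hardened pattern: the rule is keyed on the attribute and applied to every element.
function sanitizeHardened(html) {
  return html.replace(TAG_RE, (_, tag, rawAttrs, slash) =>
    serialize(tag.toLowerCase(), scrubNavigation(parseAttrs(rawAttrs)), slash === "/"));
}

// Check for the condition the advisory describes: any element that still carries
// both an href and target="_top" can replace the top-level page when clicked.
function findTopNavigationLinks(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = new Map(parseAttrs(m[2]));
    if (attrs.has("href") && attrs.get("target") === "_top") hits.push(m[1].toLowerCase());
  }
  return hits;
}

// Constructed note body: an image map whose <area> points at a local page, plus an
// ordinary link that a sanitizer should keep working.
const MALICIOUS_NOTE =
  '<img src="cat.png" usemap="#m">' +
  '<map name="m"><area shape="rect" coords="0,0,99,99" href="file:///tmp/evil.html" target="_top"></map>' +
  '<a href="https://example.com" target="_top">docs</a>';

console.log("deny-list output :", sanitizeVulnerable(MALICIOUS_NOTE));
console.log("  top-nav links  :", findTopNavigationLinks(sanitizeVulnerable(MALICIOUS_NOTE)));
console.log("allow-rule output:", sanitizeHardened(MALICIOUS_NOTE));
console.log("  top-nav links  :", findTopNavigationLinks(sanitizeHardened(MALICIOUS_NOTE)));
```

The sanitizer is only one of the three conditions the advisory lists. The other two, a preview pane that is allowed to navigate the top frame and a top-level page that exposes `require`, are independent layers; in an Electron application they are normally closed with `sandbox: true`, `contextIsolation: true` and `nodeIntegration: false` in the renderer's `webPreferences`, so that a sanitizer miss like this one degrades to a navigation bug rather than command execution.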
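The Jenkins entry (CVE-2023-39151) is the output-encoding side of the same problem: URLs found in attacker-controlled build logs are turned into hyperlinks without being encoded for the attribute and text contexts they land in. The following added example, written for this page and not Jenkins' code, puts a linkifier with that defect next to one that encodes each segment for its context, and includes a rough breakout check; the log lines are constructed.

```javascript
// Added example, not Jenkins' code: turning URLs found in untrusted build-log text into
// hyperlinks. linkifyUnsafe() has the defect CVE-2023-39151 describes (the URL is copied
// verbatim into an attribute and into element text); linkifySafe() encodes both contexts.
// The log lines at the bottom are constructed for this example.

// The scheme is fixed by the pattern, so a javascript: or data: string can never become a link.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable: a double quote inside the matched URL terminates the href attribute early,
// and any angle brackets elsewhere in the line reach the page as live markup.
function linkifyUnsafe(line) {
  return line.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Hardened: non-URL text is encoded as element content; the URL is encoded for the
// attribute and again for the link text. Browsers decode &quot; to a literal quote
// inside the attribute value, never as a delimiter, so the href cannot be broken out of.
function linkifySafe(line) {
  let out = "";
  let last = 0;
  for (const m of line.matchAll(URL_RE)) {
    out += escapeHtml(line.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(line.slice(last));
}

// Rough check on generated markup: a quote immediately followed by name=" means an
// attribute value was terminated early and a new attribute was injected.
function hasAttributeBreakout(html) {
  return /"\w+="/.test(html);
}

// Constructed log lines: one smuggles an event handler through the URL, one carries raw markup.
const LOG_LINES = [
  'Deploying to https://example.com/"onmouseover="alert(1) ok',
  'see <script>alert(2)</script> then https://ci.example.test/job/7/',
];

for (const line of LOG_LINES) {
  console.log("unsafe:", linkifyUnsafe(line), "| breakout:", hasAttributeBreakout(linkifyUnsafe(line)));
  console.log("safe  :", linkifySafe(line), "| breakout:", hasAttributeBreakout(linkifySafe(line)));
}
```

The point is that the URL is data in two different output contexts (an attribute value and element text), and each context gets its own encoding step at the moment of emission; validating the input earlier in the pipeline is not a substitute, because log content arrives from build steps the server does not control. The `\S+` match is deliberately generous and will swallow trailing punctuation such as `)`; that only affects where the link ends, not whether the markup is safe.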