Total
28117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-32981 | 2024-07-18 | N/A | 5.4 MEDIUM | ||
| Silverstripe framework is the PHP framework forming the base for the Silverstripe CMS. In affected versions a bad actor with access to edit content in the CMS could add send a specifically crafted encoded payload to the server, which could be used to inject a JavaScript payload on the front end of the site. The payload would be sanitised on the client-side, but server-side sanitisation doesn't catch it. The server-side sanitisation logic has been updated to sanitise against this type of attack in version 5.2.16. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-38870 | 2024-07-18 | N/A | 3.5 LOW | ||
| Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, from 128247 before 128250 are vulnerable to Stored XSS vulnerability in reports module. | |||||
| CVE-2024-28796 | 2024-07-18 | N/A | 6.4 MEDIUM | ||
| IBM ClearQuest (CQ) 9.1 through 9.1.0.6 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 286833. | |||||
| CVE-2022-32533 | 1 Apache | 1 Jetspeed | 2024-07-17 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue | |||||
| CVE-2024-35709 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-07-17 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Stored XSS.This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 5.5.4. | |||||
| CVE-2024-35266 | 1 Microsoft | 1 Azure Devops Server | 2024-07-17 | N/A | 7.6 HIGH |
| Azure DevOps Server Spoofing Vulnerability | |||||
| CVE-2024-35267 | 1 Microsoft | 1 Azure Devops Server | 2024-07-17 | N/A | 7.6 HIGH |
| Azure DevOps Server Spoofing Vulnerability | |||||
| CVE-2024-5686 | 1 Wpzoom | 1 Wpzoom Addons For Elementor | 2024-07-17 | N/A | 5.4 MEDIUM |
| The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-6076 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-07-17 | N/A | 6.1 MEDIUM |
| The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-6074 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-07-17 | N/A | 6.1 MEDIUM |
| The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-6073 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-07-17 | N/A | 6.1 MEDIUM |
| The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-6072 | 1 Tipsandtricks-hq | 1 Wp Estore | 2024-07-17 | N/A | 6.1 MEDIUM |
| The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | |||||
| CVE-2024-5344 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-07-17 | N/A | 6.1 MEDIUM |
| The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘forgoturl’ attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-4384 | 1 Dmonnier | 1 Cssable Countdown | 2024-07-17 | N/A | 4.8 MEDIUM |
| The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-4381 | 1 Wielebenwir | 1 Commonsbooking | 2024-07-17 | N/A | 4.8 MEDIUM |
| The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-4377 | 1 Dotonpaper | 1 Dot On Paper Shortcodes | 2024-07-17 | N/A | 5.4 MEDIUM |
| The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2024-6742 | 1 Space Management System Project | 1 Space Management System | 2024-07-16 | N/A | 5.4 MEDIUM |
| AguardNet Technology's Space Management System does not properly filter user input, allowing remote attackers with regular privileges to inject JavaScript and perform Reflected Cross-site scripting attacks. | |||||
| CVE-2024-6740 | 1 Openfind | 1 Mail2000 | 2024-07-16 | N/A | 6.1 MEDIUM |
| Openfind's Mail2000 does not properly validate email atachments, allowing unauthenticated remote attackers to inject JavaScript code within the attachment and perform Stored Cross-site scripting attacks. | |||||
| CVE-2024-6739 | 1 Openfind | 2 Mailaudit, Mailgates | 2024-07-16 | N/A | 6.1 MEDIUM |
| The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. | |||||
| CVE-2024-40626 | 2024-07-16 | N/A | 7.3 HIGH | ||
| Outline is an open source, collaborative document editor. A type confusion issue was found in ProseMirror’s rendering process that leads to a Stored Cross-Site Scripting (XSS) vulnerability in Outline. An authenticated user can create a document containing a malicious JavaScript payload. When other users view this document, the malicious Javascript can execute in the origin of Outline. Outline includes CSP rules to prevent third-party code execution, however in the case of self-hosting and having your file storage on the same domain as Outline a malicious payload can be uploaded as a file attachment and bypass those CSP restrictions. This issue has been addressed in release version 0.77.3. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||