Total
28117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-28722 | 2024-07-03 | N/A | 6.3 MEDIUM | ||
| Cross Site Scripting vulnerability in Innovaphone myPBX v.14r1, v.13r3, v.12r2 allows a remote attacker to execute arbitrary code via the query parameter to the /CMD0/xml_modes.xml endpoint | |||||
| CVE-2024-28063 | 2024-07-03 | N/A | 6.1 MEDIUM | ||
| Kiteworks Totemomail through 7.0.0 allows /responsiveUI/EnvelopeOpenServlet envelopeRecipient reflected XSS. | |||||
| CVE-2024-27794 | 2024-07-03 | N/A | 4.3 MEDIUM | ||
| Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. The vulnerability was resolved in FileMaker Server 20.3.2 by escaping the HTML contents of the login error message on the login page. | |||||
| CVE-2024-27752 | 2024-07-03 | N/A | 5.4 MEDIUM | ||
| Cross Site Scripting vulnerability in CSZ CMS v.1.3.0 allows a remote attacker to execute arbitrary code via the Default Keyword field in the settings function. | |||||
| CVE-2024-27593 | 2024-07-03 | N/A | 5.4 MEDIUM | ||
| A stored cross-site scripting (XSS) vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0. | |||||
| CVE-2024-27314 | 2024-07-03 | N/A | 2.4 LOW | ||
| Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users. | |||||
| CVE-2024-25297 | 1 Bludit | 1 Bludit | 2024-07-03 | N/A | 4.8 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Bludit CMS version 3.15, allows remote attackers to execute arbitrary code and obtain sensitive information via edit-content.php. | |||||
| CVE-2024-24157 | 2024-07-03 | N/A | N/A | ||
| Gnuboard g6 / https://github.com/gnuboard/g6 commit c2cc1f5069e00491ea48618d957332d90f6d40e4 is vulnerable to Cross Site Scripting (XSS) via board.py. | |||||
| CVE-2024-24130 | 1 Mail2world | 1 Mail2world | 2024-07-03 | N/A | 6.1 MEDIUM |
| Mail2World v12 Business Control Center was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Usr parameter at resellercenter/login.asp. | |||||
| CVE-2024-23188 | 2024-07-03 | N/A | 6.5 MEDIUM | ||
| Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploits are known. | |||||
| CVE-2024-21516 | 1 Opencart | 1 Opencart | 2024-07-03 | N/A | 4.7 MEDIUM |
| This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. **Notes:** 1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is "admin" by default but there is a pop-up in the dashboard warning users to rename it. 2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already. | |||||
| CVE-2024-20258 | 2024-07-03 | N/A | 6.1 MEDIUM | ||
| A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager and Secure Email Gateway could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user of an affected interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2024-1743 | 2024-07-03 | N/A | 5.9 MEDIUM | ||
| The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-1219 | 2024-07-03 | N/A | 5.3 MEDIUM | ||
| The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin | |||||
| CVE-2023-49111 | 2024-07-03 | N/A | 6.5 MEDIUM | ||
| For Kiuwan installations with SSO (single sign-on) enabled, an unauthenticated reflected cross-site scripting attack can be performed on the login page "login.html". This is possible due to the request parameter "message" values being directly included in a JavaScript block in the response. This is especially critical in business environments using AD SSO authentication, e.g. via ADFS, where attackers could potentially steal AD passwords. This issue affects Kiuwan SAST: <master.1808.p685.q13371 | |||||
| CVE-2023-45707 | 2024-07-03 | N/A | 4.4 MEDIUM | ||
| HCL Connections Docs is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary code. This may lead to credentials disclosure and possibly launch additional attacks. | |||||
| CVE-2023-45360 | 1 Mediawiki | 1 Mediawiki | 2024-07-03 | N/A | 5.4 MEDIUM |
| An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. There is XSS in youhavenewmessagesmanyusers and youhavenewmessages i18n messages. This is related to MediaWiki:Youhavenewmessagesfromusers. | |||||
| CVE-2023-43770 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2024-07-03 | N/A | 6.1 MEDIUM |
| Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | |||||
| CVE-2023-42427 | 2024-07-03 | N/A | 6.5 MEDIUM | ||
| Cross-site scripting vulnerability exists in UNIVERSAL PASSPORT RX versions 1.0.0 to 1.0.7, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is using the product. | |||||
| CVE-2023-30394 | 1 Moveit | 1 Moveit | 2024-07-03 | N/A | 6.1 MEDIUM |
| The MoveIt framework 1.1.11 for ROS allows cross-site scripting (XSS) via the API authentication function. | |||||