Total
28117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-22168 | 2024-06-25 | N/A | N/A | ||
| A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry out malicious activities.The web apps for these devices have been automatically updated to resolve this vulnerability and improve the security of your devices and data. | |||||
| CVE-2024-34141 | 2024-06-25 | N/A | 5.4 MEDIUM | ||
| Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2024-34142 | 2024-06-25 | N/A | 5.4 MEDIUM | ||
| Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2024-2484 | 1 Themeisle | 1 Orbit Fox | 2024-06-24 | N/A | 5.4 MEDIUM |
| The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-4313 | 1 Fusionplugin | 1 Table Addons For Elementor | 2024-06-24 | N/A | 5.4 MEDIUM |
| The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5346 | 1 Uxthemes | 1 Flatsome | 2024-06-24 | N/A | 5.4 MEDIUM |
| The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5791 | 1 Vcita | 1 Online Booking \& Scheduling Calendar For Wordpress By Vcita | 2024-06-24 | N/A | 6.1 MEDIUM |
| The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a wp-admin dashboard. | |||||
| CVE-2024-5965 | 1 Wildweblab | 1 Mosaic | 2024-06-24 | N/A | 5.4 MEDIUM |
| The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-5966 | 1 Grey Opaque Project | 1 Grey Opaque | 2024-06-24 | N/A | 5.4 MEDIUM |
| The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-21515 | 1 Opencart | 1 Opencart | 2024-06-24 | N/A | 4.7 MEDIUM |
| This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. **Notes:** 1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is "admin" by default but there is a pop-up in the dashboard warning users to rename it. 2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to exploit this issue in admin if the user is authenticated as an admin already. | |||||
| CVE-2024-21517 | 1 Opencart | 1 Opencart | 2024-06-24 | N/A | 6.1 MEDIUM |
| This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account functionality it could be used to target and attack customers of the OpenCart shop. **Notes:** 1) The fix for this vulnerability is incomplete | |||||
| CVE-2024-37675 | 1 Tessi | 1 Docubase | 2024-06-24 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the parameter "sectionContent" related to the functionality of adding notes to an uploaded file. | |||||
| CVE-2024-37672 | 1 Tessi | 1 Docubase | 2024-06-24 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the idactivity parameter. | |||||
| CVE-2024-37671 | 1 Tessi | 1 Docubase | 2024-06-24 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability in Tessi Docubase Document Management product 5.x allows a remote attacker to execute arbitrary code via the page parameter. | |||||
| CVE-2024-4616 | 1 Devnath Verma | 1 Widget Bundle | 2024-06-24 | N/A | 6.1 MEDIUM |
| The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users | |||||
| CVE-2024-4970 | 1 Devnath Verma | 1 Widget Bundle | 2024-06-24 | N/A | 4.8 MEDIUM |
| The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-5191 | 1 Wpmudev | 1 Branda | 2024-06-24 | N/A | 5.4 MEDIUM |
| The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-35768 | 1 Livecomposerplugin | 1 Live-composer-page-builder | 2024-06-24 | N/A | 4.8 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42. | |||||
| CVE-2024-35766 | 1 Wp-pizza | 1 Wppizza | 2024-06-24 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS.This issue affects WPPizza: from n/a through 3.18.13. | |||||
| CVE-2024-5945 | 1 Kubiq | 1 Wp Svg Images | 2024-06-24 | N/A | 5.4 MEDIUM |
| The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have permissions to upload sanitized files, to bypass SVG sanitization and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||