Search Results (46090 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2023-2155 | 1 Air Cargo Management System Project | 1 Air Cargo Management System | 2025-02-05 | 2.4 Low | A vulnerability was found in SourceCodester Air Cargo Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file classes/Master.php?f=save_cargo_type. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-226276. |
| CVE-2023-27777 | 1 Online Jewelry Shop Project | 1 Online Jewelry Shop | 2025-02-05 | 5.4 Medium | Cross-site scripting (XSS) vulnerability was discovered in Online Jewelry Shop v1.0 that allows attackers to execute arbitrary script via a crafted URL. |
| CVE-2023-27776 | 1 Online Jewelry Shop Project | 1 Online Jewelry Shop | 2025-02-05 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability in /index.php?page=category_list of Online Jewelry Shop v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter. |
| CVE-2022-2507 | 1 Octopus | 1 Octopus Server | 2025-02-05 | 5.3 Medium | In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage. |
| CVE-2023-1767 | 1 Snyk | 1 Advisor | 2025-02-05 | 4.3 Medium | The Snyk Advisor website (https://snyk.io/advisor/) was vulnerable to a stored XSS prior to 28th March 2023. A feature of Snyk Advisor is to display the contents of a scanned package's Readme on its package health page. An attacker could create a package in NPM with an associated markdown README file containing XSS-able HTML tags. Upon Snyk Advisor importing the package, the XSS would run each time an end user browsed to the package's page on Snyk Advisor. |
| CVE-2023-23938 | 1 Enalean | 1 Tuleap | 2025-02-05 | 5.9 Medium | Tuleap is a Free & Open Source tool for end to end traceability of application and system developments. Affected versions are subject to a cross site scripting attack which can be injected in the name of a color of select box values of a tracker and then reflected in the tracker administration. Administrative privilege is required, but an attacker with tracker administration rights could use this vulnerability to force a victim to execute uncontrolled code in the context of their browser. This issue has been addressed in Tuleap Community Edition version 14.5.99.4. Users are advised to upgrade. There are no known workarounds for this issue. |
| CVE-2023-27090 | 1 Teacms Project | 1 Teacms | 2025-02-05 | 5.4 Medium | Cross Site Scripting vulnerability found in TeaCMS storage allows attacker to cause a leak of sensitive information via the article title parameter. |
| CVE-2022-48150 | 1 Shopware | 1 Shopware | 2025-02-05 | 6.1 Medium | Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the recovery/install/ URI. |
| CVE-2023-2191 | 1 Azuracast | 1 Azuracast | 2025-02-05 | 4.8 Medium | Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18. |
| CVE-2023-22309 | 1 Tribe29 | 1 Checkmk Appliance Firmware | 2025-02-04 | 6.1 Medium | Reflective Cross-Site-Scripting in Webconf in Tribe29 Checkmk Appliance before 1.6.4. |
| CVE-2023-29528 | 1 Xwiki | 1 Commons | 2025-02-04 | 9.1 Critical | XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10: HTML comments are now removed in restricted mode, and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix. |
| CVE-2023-0542 | 1 Blackbirdi | 1 Custom Post Type List Shortcode | 2025-02-04 | 5.4 Medium | The Custom Post Type List Shortcode WordPress plugin through 1.4.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2023-0514 | 1 Membership Database Project | 1 Membership Database | 2025-02-04 | 6.1 Medium | The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2023-0280 | 1 Topdigitaltrends | 1 Ultimate Carousel For Elementor | 2025-02-04 | 5.4 Medium | The Ultimate Carousel For Elementor WordPress plugin through 2.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2022-47509 | 1 Solarwinds | 1 Orion Platform | 2025-02-04 | 6.1 Medium | The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML. |
| CVE-2023-2139 | 1 3ds | 1 Delmia Apriso | 2025-02-04 | 5.4 Medium | A reflected Cross-site Scripting (XSS) Vulnerability in DELMIA Apriso Release 2017 through Release 2022 allows an attacker to execute arbitrary script code. |
| CVE-2023-0948 | 1 Artisanworkshop | 1 Japanized For Woocommerce | 2025-02-04 | 6.1 Medium | The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. |
| CVE-2023-1875 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-02-04 | 5.4 Medium | Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12. |
| CVE-2023-30788 | 1 Monicahq | 1 Monica | 2025-02-04 | 5.4 Medium | MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and the nickName, description, lastName, middleName and firstName parameters. |
| CVE-2022-45291 | 1 Pwsdashboard | 1 Personal Weather Station Dashboard | 2025-02-04 | 7.2 High | PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022. |