Search Results (45963 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46491 | 1 Zentao | 1 Biz | 2024-11-21 | 6.1 Medium |
| ZenTao Biz version 4.1.3 and before has a Cross Site Scripting (XSS) vulnerability in the Version Library. | ||||
| CVE-2023-46483 | 1 Timeteccloud | 1 Auto Web-based Database Management System | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting vulnerability in timetec AWDMS v.2.0 allows an attacker to obtain sensitive information via a crafted payload to the remark parameter of the New Zone function. | ||||
| CVE-2023-46475 | 1 Easycorp | 1 Zentao | 2024-11-21 | 5.4 Medium |
| A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code. | ||||
| CVE-2023-46470 | 1 Spaceapplications | 1 Yacms | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting vulnerability in Space Applications Services Yamcs v.5.8.6 allows a remote attacker to execute arbitrary code via crafted telecommand in the timeline view of the ArchiveBrowser. | ||||
| CVE-2023-46467 | 1 Juzaweb | 1 Cms | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting vulnerability in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted payload to the username parameter of the registration page. | ||||
| CVE-2023-46451 | 1 Mayurik | 1 Best Courier Management System | 2024-11-21 | 5.4 Medium |
| Best Courier Management System v1.0 is vulnerable to Cross Site Scripting (XSS) in the change username field. | ||||
| CVE-2023-46450 | 1 Mayurik | 1 Inventory Management System | 2024-11-21 | 5.4 Medium |
| Sourcecodester Free and Open Source inventory management system 1.0 is vulnerable to Cross Site Scripting (XSS) via the Add supplier function. | ||||
| CVE-2023-46448 | 1 Dmpop | 1 Mejiro | 2024-11-21 | 6.1 Medium |
| Reflected Cross-Site Scripting (XSS) vulnerability in dmpop Mejiro Commit Versions Prior To 3096393 allows attackers to run arbitrary code via crafted string in metadata of uploaded images. | ||||
| CVE-2023-46396 | 1 Web-audimex | 1 Audimex | 2024-11-21 | 5.4 Medium |
| Audimex 15.0.0 is vulnerable to Cross Site Scripting (XSS) in /audimex/cgi-bin/wal.fcgi via company parameter search filters. | ||||
| CVE-2023-46394 | 1 Gougucms | 1 Gougucms | 2024-11-21 | 5.4 Medium |
| A stored cross-site scripting (XSS) vulnerability in /home/user/edit_submit of gougucms v4.08.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the headimgurl parameter. | ||||
| CVE-2023-46378 | 1 1234n | 1 Minicms | 2024-11-21 | 5.4 Medium |
| Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via crafted string appended to /mc-admin/conf.php. | ||||
| CVE-2023-46374 | 1 Zentao | 1 Biz | 2024-11-21 | 6.1 Medium |
| ZenTao Enterprise Edition version 4.1.3 and before is vulnerable to Cross Site Scripting (XSS). | ||||
| CVE-2023-46252 | 1 Squidex.io | 1 Squidex | 2024-11-21 | 6.8 Medium |
| Squidex is an open source headless CMS and content management hub. Affected versions are missing origin verification in a postMessage handler which introduces a Cross-Site Scripting (XSS) vulnerability. The editor-sdk.js file defines three different class-like functions, which employ a global message event listener: SquidexSidebar, SquidexWidget, and SquidexFormField. The registered event listener takes some action based on the type of the received message. For example, when the SquidexFormField receives a message with the type valueChanged, the value property is updated. The SquidexFormField class is for example used in the editor-editorjs.html file, which can be accessed via the public wwwroot folder. It uses the onValueChanged method to register a callback function, which passes the value provided from the message event to the editor.render. Passing an attacker-controlled value to this function introduces a Cross-Site Scripting (XSS) vulnerability. | ||||
| CVE-2023-46251 | 1 Mybb | 1 Mybb | 2024-11-21 | 7.5 High |
| MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_): - _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by disabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_. | ||||
| CVE-2023-46238 | 1 Zitadel | 1 Zitadel | 2024-11-21 | 8.7 High |
| ZITADEL is an identity infrastructure management system. ZITADEL users can upload their own avatar image using various image types including SVG. SVG can include scripts, such as JavaScript, which can be executed during rendering. Due to a missing security header, an attacker could inject code into an SVG to gain access to the victim's account in certain scenarios. A victim would need to directly open the malicious image in the browser, where a single session in ZITADEL needs to be active for this exploit to work. If the possible victim had multiple or no active sessions in ZITADEL, the attack would not succeed. This issue has been patched in versions 2.39.2 and 2.38.2. | ||||
| CVE-2023-46235 | 1 Fogproject | 1 Fogproject | 2024-11-21 | 5.4 Medium |
| FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Prior to version 1.5.10.15, due to a lack of request sanitization in the logs, a malicious request containing XSS would be stored in a log file. When an administrator of the FOG server logged in and viewed the logs, they would be parsed as HTML and displayed accordingly. Version 1.5.10.15 contains a patch. As a workaround, view logs from an external text editor rather than the dashboard. | ||||
| CVE-2023-46182 | 1 Ibm | 1 Sterling Secure Proxy | 2024-11-21 | 5.4 Medium |
| IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269692. | ||||
| CVE-2023-46174 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2024-11-21 | 5.4 Medium |
| IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269506. | ||||
| CVE-2023-46134 | 1 Man | 1 D-tale | 2024-11-21 | 6.1 Medium |
| D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users. | ||||
| CVE-2023-46127 | 1 Frappe | 1 Frappe | 2024-11-21 | 5.4 Medium |
| Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and an integrated client side library. A malicious Frappe user with desk access could create documents containing HTML payloads allowing HTML Injection. This vulnerability has been patched in version 14.49.0. | ||||