Export limit exceeded: 351755 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 46040 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (46040 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-43788 | 3 Redhat, Webpack, Webpack.js | 10 Cryostat, Discovery, Jboss Data Grid and 7 more | 2025-01-09 | 6.4 Medium |
| Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue. | ||||
| CVE-2024-6450 | 1 Hyperview | 1 Geoportal Toolkit | 2025-01-09 | 6.1 Medium |
| HyperView Geoportal Toolkit in versions lower than 8.5.0 is vulnerable to Reflected Cross-Site Scripting (XSS). An unauthenticated attacker might trick somebody into using a crafted URL, which will cause a script to be run in user's browser. | ||||
| CVE-2024-28106 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | 4.3 Medium |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. By manipulating the news parameter in a POST request, an attacker can inject malicious JavaScript code. Upon browsing to the compromised news page, the XSS payload triggers. This vulnerability is fixed in 3.2.6. | ||||
| CVE-2024-27300 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | 5.5 Medium |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The `email` field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's `FILTER_VALIDATE_EMAIL` function, which only validates the email format, not its content. This vulnerability enables an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. This vulnerability is fixed in 3.2.6. | ||||
| CVE-2024-28175 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-01-09 | 9.1 Critical |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD. | ||||
| CVE-2024-28108 | 2 Phpmyfaq, Thorsten | 2 Phpmyfaq, Phpmyfaq | 2025-01-09 | 4.7 Medium |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6. | ||||
| CVE-2022-43760 | 1 Suse | 1 Rancher | 2025-01-09 | 8.4 High |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SUSE Rancher allows users in some higher-privileged groups to to inject code that is executed within another user's browser, allowing the attacker to steal sensitive information, manipulate web content, or perform other malicious activities on behalf of the victims. This could result in a user with write access to the affected areas being able to act on behalf of an administrator, once an administrator opens the affected web page. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. | ||||
| CVE-2023-27614 | 1 Motor Racing League Project | 1 Motor Racing League | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Ian Haycox Motor Racing League plugin <= 1.9.9 versions. | ||||
| CVE-2023-23892 | 1 M Chart Project | 1 M Chart | 2025-01-09 | 6.5 Medium |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Jamie Poitra M Chart plugin <= 1.9.4 versions. | ||||
| CVE-2022-47158 | 1 Alfred24 Click \& Collect Project | 1 Alfred24 Click \& Collect | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Pakpobox alfred24 Click & Collect plugin <= 1.1.7 versions. | ||||
| CVE-2022-47598 | 1 Wp Super Popup Project | 1 Wp Super Popup | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WP Plugins Pro WP Super Popup plugin <= 1.1.2 versions. | ||||
| CVE-2022-41612 | 1 Shareaholic | 1 Similar Posts | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Shareaholic Similar Posts plugin <= 3.1.6 versions. | ||||
| CVE-2022-45837 | 1 Wpjam | 1 Wechat Robot | 2025-01-09 | 7.1 High |
| Reflected Cross-Site Scripting (XSS) vulnerability in Denis 微信机器人高级版 plugin <= 6.0.1 versions. | ||||
| CVE-2023-25710 | 1 Digitalblue | 1 Click To Call Or Chat Buttons | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DIGITALBLUE Click to Call or Chat Buttons plugin <= 1.4.0 versions. | ||||
| CVE-2023-27619 | 1 Machothemes | 1 Regina Lite | 2025-01-09 | 5.4 Medium |
| Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Macho Themes Regina Lite theme <= 2.0.7 versions. | ||||
| CVE-2023-25490 | 1 Archivist - Custom Archive Templates Project | 1 Archivist - Custom Archive Templates | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Eric Teubert Archivist – Custom Archive Templates plugin <= 1.7.4 versions. | ||||
| CVE-2023-25479 | 1 Podlove | 1 Podlove Subscribe Button | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Podlove Podlove Subscribe button plugin <= 1.3.7 versions. | ||||
| CVE-2023-25484 | 1 Simple Yearly Archive Project | 1 Simple Yearly Archive | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Oliver Schlöbe Simple Yearly Archive plugin <= 2.1.8 versions. | ||||
| CVE-2022-47608 | 1 Fullworksplugins | 1 Quick Contact Form | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Quick Contact Form plugin <= 8.0.3.1 versions. | ||||
| CVE-2023-25485 | 1 Json-content-importer | 1 Json Content Importer | 2025-01-09 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Bernhard Kux JSON Content Importer plugin <= 1.3.15 versions. | ||||