Search Results (45960 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-46858 | 1 Moodle | 1 Moodle | 2024-11-21 | 5.4 Medium |
| Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers to enhance their courses ... admins and teachers can post XSS-capable content, but students can not." | ||||
| CVE-2023-46857 | 1 Squidex.io | 1 Squidex | 2024-11-21 | 5.4 Medium |
| Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attacker with assets.create permission is required for exploitation. | ||||
| CVE-2023-46854 | 1 Proxmox | 1 Proxmox-widget-toolkit | 2024-11-21 | 5.4 Medium |
| Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple Proxmox products, allows XSS via the edit notes feature. | ||||
| CVE-2023-46744 | 1 Squidex.io | 1 Squidex | 2024-11-21 | 5.4 Medium |
| Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images is insufficient, resulting in stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a "blacklist" called "InvalidSvgElements" are present; this list only contains the element "script". 2. No attributes of HTML tags begin with "on" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an <iframe> element with a "src" attribute containing a "javascript:" value. Authenticated adversaries with the "assets.create" permission can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS. | ||||
| CVE-2023-46735 | 1 Sensiolabs | 1 Symfony | 2024-11-21 | 6.1 Medium |
| Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now doesn't return any user-submitted input in its response. | ||||
| CVE-2023-46732 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 9.7 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to reflected cross-site scripting (RXSS) via the `rev` parameter that is used in the content of the content menu without escaping. If an attacker can convince a user to visit a link with a crafted parameter, this allows the attacker to execute arbitrary actions in the name of the user, including remote code (Groovy) execution in the case of a user with programming right, compromising the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.6 RC1, 15.5.1 and 14.10.14. The patch in commit `04e325d57` can be manually applied without upgrading (or restarting) the instance. Users are advised to upgrade or to manually apply the patch. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-46722 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | 6.1 Medium |
| The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually. | ||||
| CVE-2023-46711 | 1 Buffalo | 2 Vr-s1000, Vr-s1000 Firmware | 2024-11-21 | 4.6 Medium |
| VR-S1000 firmware Ver. 2.37 and earlier uses a hard-coded cryptographic key which may allow an attacker to analyze the password of a specific product user. | ||||
| CVE-2023-46706 | 1 Machinesense | 2 Feverwarn, Feverwarn Firmware | 2024-11-21 | 9.1 Critical |
| Multiple MachineSense devices have credentials unable to be changed by the user or administrator. | ||||
| CVE-2023-46693 | 1 Formalms | 1 Formalms | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters. | ||||
| CVE-2023-46583 | 1 Phpgurukul | 1 Nipah Virus Testing Management System | 2024-11-21 | 6.1 Medium |
| Cross-Site Scripting (XSS) vulnerability in PHPGurukul Nipah virus (NiV) Testing Management System v.1.0 allows attackers to execute arbitrary code via a crafted payload injected into the State field. | ||||
| CVE-2023-46580 | 1 Code-projects | 1 Inventory Management | 2024-11-21 | 5.4 Medium |
| Cross-Site Scripting (XSS) vulnerability in Inventory Management V1.0 allows attackers to execute arbitrary code via the pname parameter of the editProduct.php component. | ||||
| CVE-2023-46505 | 1 Pwncyn | 1 Fancms | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting vulnerability in FanCMS v.1.0.0 allows an attacker to execute arbitrary code via the content1 parameter in the demo.php file. | ||||
| CVE-2023-46504 | 1 Pwncyn | 1 Yxbookcms | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in PwnCYN YXBOOKCMS v.1.0.2 allows a physically proximate attacker to execute arbitrary code via the library name function in the general settings component. | ||||
| CVE-2023-46503 | 1 Pwncyn | 1 Yxbookcms | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in PwnCYN YXBOOKCMS v.1.0.2 allows a remote attacker to execute arbitrary code via the reader management and book input modules. | ||||
| CVE-2023-46495 | 1 Evershop | 1 Evershop | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting vulnerability in EverShop NPM versions before v.1.0.0-rc.8 allows a remote attacker to obtain sensitive information via a crafted request to the sortBy parameter. | ||||
| CVE-2023-46492 | 1 Mldb | 1 Machine Learning Database | 2024-11-21 | 6.1 Medium |
| Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 allows a remote attacker to execute arbitrary code via a crafted payload to the public_html/doc/index.html. | ||||
| CVE-2023-46491 | 1 Zentao | 1 Biz | 2024-11-21 | 6.1 Medium |
| ZenTao Biz version 4.1.3 and before has a Cross Site Scripting (XSS) vulnerability in the Version Library. | ||||
| CVE-2023-46483 | 1 Timeteccloud | 1 Auto Web-based Database Management System | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting vulnerability in timetec AWDMS v.2.0 allows an attacker to obtain sensitive information via a crafted payload to the remark parameter of the New Zone function. | ||||
| CVE-2023-46475 | 1 Easycorp | 1 Zentao | 2024-11-21 | 5.4 Medium |
| A Stored Cross-Site Scripting vulnerability was discovered in ZenTao 18.3 where a user can create a project, and in the name field of the project, they can inject malicious JavaScript code. | ||||
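The SVG filter bypass described above for CVE-2023-46744 and CVE-2023-46857, as an added example in Python (not Squidex's own code, which is written in C#): a filter modelled on the advisory's blacklist (reject `script` elements and any attribute whose name starts with `on`) placed beside an allowlist filter. The element and attribute allowlists, the sample SVG documents and the `evaluate` helper are constructed for this example. It also checks an `<a xlink:href="javascript:...">` variant that the advisory does not mention but that the same blacklist lets through.

```python
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """'{http://www.w3.org/2000/svg}rect' -> 'rect' (ElementTree's Clark notation)."""
    return name.rsplit("}", 1)[-1].lower()


# Weak filter: a model of the blacklist the advisory describes.
# Assumption: the real Squidex parser and list details are not on the page.
INVALID_SVG_ELEMENTS = {"script"}


def weak_svg_filter(svg_text: str) -> bool:
    """Accept unless a blacklisted element or an on* attribute is present."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return False  # assumption: unparseable input is rejected
    for el in root.iter():
        if _local(el.tag) in INVALID_SVG_ELEMENTS:
            return False
        if any(_local(a).startswith("on") for a in el.attrib):
            return False
    return True


# Strict filter: allowlist of elements and attributes (constructed here, not
# Squidex's list). iframe, a, foreignObject etc. are rejected simply by not
# being listed, so no "javascript:" scheme parsing is needed. The only
# URL-bearing attribute allowed is href, restricted to same-document fragments.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "use", "path", "rect", "circle", "ellipse", "line",
    "polyline", "polygon", "text", "tspan", "lineargradient", "radialgradient",
    "stop", "title", "desc",
}
ALLOWED_ATTRIBUTES = {
    "id", "x", "y", "width", "height", "viewbox", "fill", "stroke",
    "stroke-width", "d", "cx", "cy", "r", "rx", "ry", "x1", "y1", "x2", "y2",
    "points", "transform", "offset", "stop-color", "font-size",
}


def strict_svg_filter(svg_text: str) -> bool:
    """Accept only allowlisted elements/attributes; href must be '#fragment'."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return False
    for el in root.iter():
        if _local(el.tag) not in ALLOWED_ELEMENTS:
            return False
        for attr, value in el.attrib.items():
            name = _local(attr)  # 'xlink:href' and 'href' both become 'href'
            if name == "href":
                if not value.strip().startswith("#"):
                    return False
            elif name not in ALLOWED_ATTRIBUTES:
                return False
    return True


# Constructed sample documents (not taken from any real upload).
SVG = 'xmlns="http://www.w3.org/2000/svg"'
XLINK = 'xmlns:xlink="http://www.w3.org/1999/xlink"'
SAMPLES = {
    "benign_rect": f'<svg {SVG} viewBox="0 0 10 10"><rect x="1" y="1" width="4" height="4" fill="red"/></svg>',
    "use_fragment": f'<svg {SVG}><defs><rect id="r" width="1" height="1"/></defs><use href="#r"/></svg>',
    "script": f'<svg {SVG}><script>alert(1)</script></svg>',
    "onload": f'<svg {SVG} onload="alert(1)"><rect width="1" height="1"/></svg>',
    # The bypass from the advisory: not a <script>, no on* attribute.
    "iframe_js": f'<svg {SVG}><iframe src="javascript:alert(1)"></iframe></svg>',
    # Same weakness via a link element; not mentioned on the page.
    "anchor_xlink_js": f'<svg {SVG} {XLINK}><a xlink:href="javascript:alert(1)"><text x="1" y="1">x</text></a></svg>',
}


def evaluate(name: str) -> tuple:
    """Return (weak_filter_accepts, strict_filter_accepts) for a sample."""
    doc = SAMPLES[name]
    return (weak_svg_filter(doc), strict_svg_filter(doc))


if __name__ == "__main__":
    for name in SAMPLES:
        weak, strict = evaluate(name)
        print(f"{name:16s} blacklist={'PASS' if weak else 'reject'}  allowlist={'PASS' if strict else 'reject'}")
```

Running it shows `iframe_js` and `anchor_xlink_js` passing the blacklist and failing the allowlist, while the benign documents pass both. The design point is that a denylist has to anticipate every element that can carry a URL or script context; an allowlist only has to enumerate what the application actually needs to render.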