Export limit exceeded: 45912 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45912 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37501 | 1 Hcltech | 1 Unica | 2024-11-21 | 8.1 High |
| A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other attacks. | ||||
| CVE-2023-37500 | 1 Hcltech | 1 Unica | 2024-11-21 | 8.1 High |
| A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other attacks. | ||||
| CVE-2023-37499 | 1 Hcltech | 1 Unica | 2024-11-21 | 8.1 High |
| A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other attacks. | ||||
| CVE-2023-37496 | 1 Hcltech | 1 Verse | 2024-11-21 | 8.3 High |
| HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. | ||||
| CVE-2023-37488 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 6.1 Medium |
| In SAP NetWeaver Process Integration - versions SAP_XIESR 7.50, SAP_XITOOL 7.50, SAP_XIAF 7.50, user-controlled inputs, if not sufficiently encoded, could result in Cross-Site Scripting (XSS) attack. On successful exploitation the attacker can cause limited impact on confidentiality and integrity of the system. | ||||
| CVE-2023-37467 | 1 Discourse | 1 Discourse | 2024-11-21 | 6.8 Medium |
| Discourse is an open source discussion platform. Prior to version 3.1.0.beta7 of the `beta` and `tests-passed` branches, a CSP (Content Security Policy) nonce reuse vulnerability was discovered could allow cross-site scripting (XSS) attacks to bypass CSP protection for anonymous (i.e. unauthenticated) users. There are no known XSS vectors at the moment, but should one be discovered, this vulnerability would allow the XSS attack to bypass CSP and execute successfully. This vulnerability isn't applicable to logged-in users. Version 3.1.0.beta7 contains a patch. The stable branch doesn't have this vulnerability. A workaround to prevent the vulnerability is to disable Google Tag Manager, i.e., unset the `gtm container id` setting. | ||||
| CVE-2023-37439 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 6.1 Medium |
| Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host. | ||||
| CVE-2023-37426 | 2 Arubanetworks, Hpe | 2 Edgeconnect Sd-wan Orchestrator, Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 7.4 High |
| EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared static SSH host keys for all installations. This vulnerability could allow an attacker to spoof the SSH host signature and thereby masquerade as a legitimate Orchestrator host. | ||||
| CVE-2023-37425 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 8 High |
| A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | ||||
| CVE-2023-37423 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 8.1 High |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | ||||
| CVE-2023-37422 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 8.1 High |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | ||||
| CVE-2023-37421 | 1 Arubanetworks | 1 Edgeconnect Sd-wan Orchestrator | 2024-11-21 | 8.1 High |
| Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface. | ||||
| CVE-2023-37393 | 1 Atarim | 1 Atarim | 2024-11-21 | 7.1 High |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Atarim Visual Website Collaboration, Feedback & Project Management – Atarim plugin <= 3.9.3 versions. | ||||
| CVE-2023-37388 | 1 Supito | 1 Mahato Simple Light Weight Social Share | 2024-11-21 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sudipto Pratap Mahato Simple Light Weight Social Share plugin <= 2.0 versions. | ||||
| CVE-2023-37308 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-11-21 | 5.4 Medium |
| Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field. | ||||
| CVE-2023-37307 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-11-21 | 5.4 Medium |
| In MISP before 2.4.172, title_for_layout is not properly sanitized in Correlations, CorrelationExclusions, and Layouts. | ||||
| CVE-2023-37286 | 1 Smartsoft | 1 Smartbpm.net | 2024-11-21 | 9.8 Critical |
| SmartSoft SmartBPM.NET has a vulnerability of using hard-coded machine key. An unauthenticated remote attacker can use the machine key to send serialized payload to the server to execute arbitrary code and disrupt service. | ||||
| CVE-2023-37280 | 1 Pimcore | 1 Admin Classic Bundle | 2024-11-21 | 5 Medium |
| Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This vulnerability has been patched in version 1.0.3. | ||||
| CVE-2023-37272 | 1 Sos-berlin | 1 Jobscheduler | 2024-11-21 | 6.3 Medium |
| JS7 is an Open Source Job Scheduler. Users specify file names when uploading files holding user-generated documentation for JOC Cockpit. Specifically crafted file names allow an XSS attack to inject code that is executed with the browser. Risk of the vulnerability is considered high for branch 1.13 of JobScheduler (JS1). The vulnerability does not affect branch 2.x of JobScheduler (JS7) for releases after 2.1.0. The vulnerability is resolved with release 1.13.19. | ||||
| CVE-2023-37259 | 1 Matrix-react-sdk Project | 1 Matrix-react-sdk | 2024-11-21 | 6.1 Medium |
| matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored Cross site scripting (XSS). Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. This issue has been addressed in commit `22fcd34c60` which is included in release version 3.76.0. Users are advised to upgrade. The only known workaround for this issue is to disable or to not use the Export Chat feature. | ||||