Export limit exceeded: 44814 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (44814 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-51498 | 2024-11-05 | N/A | ||
| cobalt is a media downloader that doesn't piss you off. A malicious cobalt instance could serve links with the `javascript:` protocol, resulting in Cross-site Scripting (XSS) when the user tries to download an item from a picker. This issue has been present since commit `66bac03e`, was mitigated in commit `97977efa` (correctly configured web instances were no longer vulnerable) and fully fixed in commit `c4be1d3a` (included in release version 10.2.1). Users are advised to upgrade. Users unable to upgrade should enable a content-security-policy. | ||||
| CVE-2024-50346 | 1 Taoso | 1 Webfeed | 2024-11-05 | N/A |
| WebFeed is a lightweight web feed reader extension for Firefox/Chrome. Multiple HTML injection vulnerabilities in WebFeed can lead to CSRF and UI spoofing attacks. A remote attacker can provide malicious RSS feeds and attract the victim user to visit it using WebFeed. The attacker can then inject malicious HTML into the extension page and fool the victim into sending out HTTP requests to arbitrary sites with the victim's credentials. Users are vulnerable to CSRF attacks when visiting malicious RSS feeds via WebFeed. Unwanted actions could be executed on the user's behalf on arbitrary websites. This issue has been addressed in release version 0.9.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-10340 | 2024-11-05 | 6.4 Medium | ||
| The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'scu' shortcode in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-37844 | 2 Radix Iot, Radixiot | 2 Mango Os, Mango | 2024-11-05 | 4.7 Medium |
| A stored cross-site scripting (XSS) vulnerability in MangoOS before 5.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2024-20412 | 1 Cisco | 23 Firepower 1000, Firepower 1010, Firepower 1020 and 20 more | 2024-11-05 | 9.3 Critical |
| A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials. This vulnerability is due to the presence of static accounts with hard-coded passwords on an affected system. An attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials. A successful exploit could allow the attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a reimage of the device. | ||||
| CVE-2024-51432 | 1 Fiberhome | 1 Hg6544c Firmware | 2024-11-04 | 4.8 Medium |
| Cross Site Scripting vulnerability in FiberHome HG6544C RP2743 allows an attacker to execute arbitrary code via the SSID field in the WIFI Clients List not being sanitized | ||||
| CVE-2024-41930 | 2024-11-04 | 6.1 Medium | ||
| Cross-site scripting vulnerability exists in MF Teacher Performance Management System version 6. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. | ||||
| CVE-2024-48410 | 1 Camtrace | 1 Camtrace | 2024-11-04 | 6.1 Medium |
| Cross Site Scripting vulnerability in Camtrace v.9.16.2.1 allows a remote attacker to execute arbitrary code via the login.php. | ||||
| CVE-2024-9896 | 1 Spider-themes | 1 Bbp Core | 2024-11-04 | 6.1 Medium |
| The BBP Core – Expand bbPress powered forums with useful features plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9868 | 1 Bdthemes | 1 Element Pack | 2024-11-04 | 5.4 Medium |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate Widget 'url' parameter in all versions up to, and including, 5.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-51076 | 1 Phpgurukul | 1 Online Dj Booking Management System | 2024-11-04 | 6.1 Medium |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/booking-search.php in PHPGurukul Online DJ Booking Management System 1.0, which allows remote attackers to execute arbitrary code via the "searchdata" parameter. | ||||
| CVE-2024-51075 | 1 Phpgurukul | 1 Online Dj Booking Management System | 2024-11-04 | 6.1 Medium |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/user-search.php in PHPGurukul Online DJ Booking Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata parameter. | ||||
| CVE-2024-51181 | 1 Phpgurukul | 1 Ifsc Code Finder | 2024-11-04 | 8.8 High |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in /ifscfinder/admin/profile.php in PHPGurukul IFSC Code Finder Project v1.0, which allows remote attackers to execute arbitrary code via " searchifsccode" parameter. | ||||
| CVE-2024-51180 | 1 Phpgurukul | 1 Ifsc Code Finder | 2024-11-04 | 8.8 High |
| A Reflected Cross Site Scripting (XSS) vulnerability was found in /ifscfinder/index.php in PHPGurukul IFSC Code Finder Project v1.0, which allows remote attackers to execute arbitrary code via the "searchifsccode" parameter. | ||||
| CVE-2024-8739 | 1 Wedevs | 1 Recaptcha Integration | 2024-11-04 | 6.1 Medium |
| The ReCaptcha Integration for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-10310 | 1 Bdthemes | 1 Element Pack | 2024-11-04 | 6.4 Medium |
| The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Gallery Widget 'image_title' parameter in all versions up to, and including, 5.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-51492 | 1 Zusam | 1 Zusam | 2024-11-01 | 8.8 High |
| Zusam is a free and open-source way to self-host private forums. Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. With certain payloads, theft of the target user’s long-lived session token is possible. Note that Zusam, at the time of writing, uses a user’s static API key as a long-lived session token, and these terms can be used interchangeably on the platform. This session token/API key remains valid indefinitely, so long as the user doesn’t expressly request a new one via their Settings page. Version 0.5.6 fixes the cross-site scripting vulnerability. | ||||
| CVE-2024-20300 | 1 Cisco | 1 Secure Firewall Management Center | 2024-11-01 | 4.8 Medium |
| A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface, or access sensitive, browser-based information. | ||||
| CVE-2024-6581 | 2 Lollms, Parisneo | 2 Lord Of Large Language Models, Lollms | 2024-11-01 | 9.0 Critical |
| A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file. | ||||
| CVE-2024-49665 | 1 Webbricks | 1 Web Bricks Addons | 2024-11-01 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Web Bricks Web Bricks Addons for Elementor allows Stored XSS.This issue affects Web Bricks Addons for Elementor: from n/a through 1.1.1. | ||||