Total
35924 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5628 | 1 Theme-fusion | 1 Avada | 2024-09-26 | N/A | 5.4 MEDIUM |
| The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version 3.11.10. | |||||
| CVE-2024-8656 | 1 Wpfactory | 1 Wpfactory Helper | 2024-09-26 | N/A | 6.1 MEDIUM |
| The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-8622 | 1 Amcharts | 1 Amcharts\ | 2024-09-26 | N/A | 6.1 MEDIUM |
| The amCharts: Charts and Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'amcharts_javascript' parameter in all versions up to, and including, 1.4.4 due to the ability to supply arbitrary JavaScript a lack of nonce validation on the preview functionality. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-5416 | 1 Elementor | 1 Website Builder | 2024-09-26 | N/A | 5.4 MEDIUM |
| The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2. | |||||
| CVE-2024-5959 | 1 Elizsoftware | 1 Panel | 2024-09-26 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Software Panel allows Stored XSS.This issue affects Panel: before v2.3.24. | |||||
| CVE-2023-46948 | 2024-09-26 | N/A | 5.4 MEDIUM | ||
| A reflected Cross-Site Scripting (XSS) vulnerability was found on Temenos T24 Browser R19.40 that enables a remote attacker to execute arbitrary JavaScript code via the skin parameter in the about.jsp and genrequest.jsp components. | |||||
| CVE-2024-42346 | 2024-09-26 | N/A | 7.6 HIGH | ||
| Galaxy is a free, open-source system for analyzing data, authoring workflows, training and education, publishing tools, managing infrastructure, and more. The editor visualization, /visualizations endpoint, can be used to store HTML tags and trigger javascript execution upon edit operation. All supported branches of Galaxy (and more back to release_20.05) were amended with the supplied patches. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-7835 | 2024-09-26 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Exnet Informatics Software Ferry Reservation System allows Reflected XSS.This issue affects Ferry Reservation System: before 240805-002. | |||||
| CVE-2024-45793 | 2024-09-26 | N/A | 4.8 MEDIUM | ||
| Confidant is a open source secret management service that provides user-friendly storage and access to secrets. The following endpoints are subject to a cross site scripting vulnerability: GET /v1/credentials, GET /v1/credentials/, GET /v1/archive/credentials/, GET /v1/archive/credentials, POST /v1/credentials, PUT /v1/credentials/, PUT /v1/credentials//<to_revision>, GET /v1/services, GET /v1/services/, GET /v1/archive/services/, GET /v1/archive/services, PUT /v1/services/, PUT /v1/services//<to_revision>. The attacker needs to be authenticated and have privileges to create new credentials, but could use this to show information and run scripts to other users into the same Confidant instance. This issue has been patched in version 6.6.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-42697 | 2024-09-26 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting vulnerability in Leotheme Leo Product Search Module v.2.1.6 and earlier allows a remote attacker to execute arbitrary code via the q parameter of the product search function. | |||||
| CVE-2024-47061 | 2024-09-26 | N/A | 8.3 HIGH | ||
| Plate is a javascript toolkit that makes it easier for you to develop with Slate, a popular framework for building text editors. One longstanding feature of Plate is the ability to add custom DOM attributes to any element or leaf using the `attributes` property. These attributes are passed to the node component using the `nodeProps` prop. It has come to our attention that this feature can be used for malicious purposes, including cross-site scripting (XSS) and information exposure (specifically, users' IP addresses and whether or not they have opened a malicious document). Note that the risk of information exposure via attributes is only relevant to applications in which web requests to arbitrary URLs are not ordinarily allowed. Plate editors that allow users to embed images from arbitrary URLs, for example, already carry the risk of leaking users' IP addresses to third parties. All Plate editors using an affected version of @udecode/plate-core are vulnerable to these information exposure attacks via the style attribute and other attributes that can cause web requests to be sent. In addition, whether or not a Plate editor is vulnerable to cross-site scripting attacks using attributes depends on a number of factors. The most likely DOM attributes to be vulnerable are href and src on links and iframes respectively. Any component that spreads {...nodeProps} onto an <a> or <iframe> element and does not later override href or src will be vulnerable to XSS. In patched versions of Plate, we have disabled element.attributes and leaf.attributes for most attribute names by default, with some exceptions including target, alt, width, height, colspan and rowspan on the link, image, video, table cell and table header cell plugins. If this is a breaking change for you, you can selectively re-enable attributes for certain plugins as follows. Please carefully research and assess the security implications of any attribute you allow, as even seemingly innocuous attributes such as style can be used maliciously. If you are unable to upgrade to any of the patched versions, you should use a tool like patch-package or yarn patch to remove the logic from @udecode/plate-core that adds attributes to nodeProps. | |||||
| CVE-2024-43959 | 2024-09-26 | N/A | 7.1 HIGH | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themepoints Testimonials allows Reflected XSS.This issue affects Testimonials: from n/a through 3.0.8. | |||||
| CVE-2024-9141 | 2024-09-26 | N/A | 5.4 MEDIUM | ||
| Cross-Site Scripting (XSS) vulnerability in the Oct8ne system. This flaw could allow an attacker to embed harmful JavaScript code into the body of a chat message. This manipulation occurs when the chat content is intercepted and altered, leading to the execution of the JavaScript payload. | |||||
| CVE-2024-4657 | 2024-09-26 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software BAP Automation allows Stored XSS.This issue affects BAP Automation: before 30840. | |||||
| CVE-2024-9169 | 2024-09-26 | N/A | 5.5 MEDIUM | ||
| The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-8267 | 2024-09-26 | N/A | 6.4 MEDIUM | ||
| The Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:radio-player' Gutenberg block in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-44001 | 1 Royal-elementor-addons | 1 Royal Elementor Addons | 2024-09-25 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Royal Royal Elementor Addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through 1.3.982. | |||||
| CVE-2024-44002 | 1 Pickplugins | 1 Team Showcase | 2024-09-25 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PickPlugins Team Showcase allows Reflected XSS.This issue affects Team Showcase: from n/a through 1.22.25. | |||||
| CVE-2024-44003 | 1 Spicethemes | 1 Spice Starter Sites | 2024-09-25 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in spicethemes Spice Starter Sites allows Reflected XSS.This issue affects Spice Starter Sites: from n/a through 1.2.5. | |||||
| CVE-2024-43995 | 1 Sktthemes | 1 Posterity | 2024-09-25 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in sonalsinha21 Posterity allows Stored XSS.This issue affects Posterity: from n/a through 3.6. | |||||