Total
206 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24812 | 1 Frappe | 1 Frappe | 2024-11-21 | N/A | 5.4 MEDIUM |
| Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available. | |||||
| CVE-2024-24807 | 1 Sulu | 1 Sulu | 2024-11-21 | N/A | 2.7 LOW |
| Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12. | |||||
| CVE-2024-24574 | 1 Phpmyfaq | 1 Phpmyfaq | 2024-11-21 | N/A | 6.5 MEDIUM |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leads to allowed execution of JavaScript code in client side (XSS). This vulnerability has been patched in version 3.2.5. | |||||
| CVE-2024-24571 | 1 Facilemanager | 1 Facilemanager | 2024-11-21 | N/A | 5.4 MEDIUM |
| facileManager is a modular suite of web apps built with the sysadmin in mind. For the facileManager web application versions 4.5.0 and earlier, we have found that XSS was present in almost all of the input fields as there is insufficient input validation. | |||||
| CVE-2024-23841 | 1 Apollographql | 1 Apollo Client | 2024-11-21 | N/A | 8.2 HIGH |
| apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later. | |||||
| CVE-2024-23817 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | N/A | 7.1 HIGH |
| Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML. | |||||
| CVE-2024-20362 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by persuading a user to visit specific web pages that include malicious payloads. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | |||||
| CVE-2024-1606 | 2024-11-21 | N/A | 4.6 MEDIUM | ||
| Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200. | |||||
| CVE-2024-0183 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-11-21 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249441 was assigned to this vulnerability. | |||||
| CVE-2023-5933 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.4 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests. | |||||
| CVE-2023-5582 | 1 Zzzcms | 1 Zzzcms | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, has been found in ZZZCMS 2.2.0. This issue affects some unknown processing of the component Personal Profile Page. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-242147. | |||||
| CVE-2023-49852 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Vsourz Digital Responsive Slick Slider WordPress allows Code Injection.This issue affects Responsive Slick Slider WordPress: from n/a through 1.4. | |||||
| CVE-2023-48763 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Crocoblock JetFormBuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through 3.1.4. | |||||
| CVE-2023-48285 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79. | |||||
| CVE-2023-47663 | 2024-11-21 | N/A | 4.6 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Menno Luitjes Foyer allows Code Injection.This issue affects Foyer: from n/a through 1.7.5. | |||||
| CVE-2023-47513 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in ARI Soft ARI Stream Quiz allows Code Injection.This issue affects ARI Stream Quiz: from n/a through 1.3.2. | |||||
| CVE-2023-46310 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in gVectors Team wpDiscuz allows Code Injection.This issue affects wpDiscuz: from n/a through 7.6.10. | |||||
| CVE-2023-45635 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WP Darko Responsive Tabs allows Code Injection.This issue affects Responsive Tabs: from n/a before 4.0.6. | |||||
| CVE-2023-45053 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in pluginever WP Content Pilot – Autoblogging & Affiliate Marketing Plugin allows Code Injection.This issue affects WP Content Pilot – Autoblogging & Affiliate Marketing Plugin: from n/a through 1.3.3. | |||||
| CVE-2023-44393 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | 9.3 CRITICAL |
| Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue. | |||||