Total
235 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23841 | 1 Apollographql | 1 Apollo Client | 2024-11-21 | N/A | 8.2 HIGH |
| apollo-client-nextjs is the Apollo Client support for the Next.js App Router. The @apollo/experimental-apollo-client-nextjs NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this vulnerability, an attacker would need to either inject malicious input (e.g. by redirecting a user to a specifically-crafted link) or arrange to have malicious input be returned by a GraphQL server (e.g. by persisting it in a database). To fix this issue, please update to version 0.7.0 or later. | |||||
| CVE-2024-23817 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | N/A | 7.1 HIGH |
| Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML. | |||||
| CVE-2024-1606 | 2024-11-21 | N/A | 4.6 MEDIUM | ||
| Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200. | |||||
| CVE-2024-0183 | 1 Nia | 1 Rrj Nueva Ecija Engineer Online Portal | 2024-11-21 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in RRJ Nueva Ecija Engineer Online Portal 1.0. It has been classified as problematic. This affects an unknown part of the file /admin/students.php of the component NIA Office. The manipulation leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249441 was assigned to this vulnerability. | |||||
| CVE-2023-5933 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 6.4 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests. | |||||
| CVE-2023-5582 | 1 Zzzcms | 1 Zzzcms | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability, which was classified as problematic, has been found in ZZZCMS 2.2.0. This issue affects some unknown processing of the component Personal Profile Page. The manipulation leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-242147. | |||||
| CVE-2023-49852 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Vsourz Digital Responsive Slick Slider WordPress allows Code Injection.This issue affects Responsive Slick Slider WordPress: from n/a through 1.4. | |||||
| CVE-2023-48763 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Crocoblock JetFormBuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through 3.1.4. | |||||
| CVE-2023-48285 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79. | |||||
| CVE-2023-47663 | 2024-11-21 | N/A | 4.6 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Menno Luitjes Foyer allows Code Injection.This issue affects Foyer: from n/a through 1.7.5. | |||||
| CVE-2023-47513 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in ARI Soft ARI Stream Quiz allows Code Injection.This issue affects ARI Stream Quiz: from n/a through 1.3.2. | |||||
| CVE-2023-45635 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WP Darko Responsive Tabs allows Code Injection.This issue affects Responsive Tabs: from n/a before 4.0.6. | |||||
| CVE-2023-45053 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in pluginever WP Content Pilot – Autoblogging & Affiliate Marketing Plugin allows Code Injection.This issue affects WP Content Pilot – Autoblogging & Affiliate Marketing Plugin: from n/a through 1.3.3. | |||||
| CVE-2023-44393 | 1 Piwigo | 1 Piwigo | 2024-11-21 | N/A | 9.3 CRITICAL |
| Piwigo is an open source photo gallery application. Prior to version 14.0.0beta4, a reflected cross-site scripting (XSS) vulnerability is in the` /admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page. This vulnerability can be exploited by an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The vulnerability is caused by the insecure injection of the `plugin_id` value from the URL into the HTML page. An attacker can exploit this vulnerability by crafting a malicious URL that contains a specially crafted `plugin_id` value. When a victim who is logged in as an administrator visits this URL, the malicious code will be injected into the HTML page and executed. This vulnerability can be exploited by any attacker who has access to a malicious URL. However, only users who are logged in as administrators are affected. This is because the vulnerability is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin_id=[here]` page, which is only accessible to administrators. Version 14.0.0.beta4 contains a patch for this issue. | |||||
| CVE-2023-42458 | 1 Zope | 1 Zope | 2024-11-21 | N/A | 3.7 LOW |
| Zope is an open-source web application server. Prior to versions 4.8.10 and 5.8.5, there is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in Zope 4.8.10 and 5.8.5. As a workaround, make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default, only the Manager has this permission. | |||||
| CVE-2023-40557 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in PickPlugins Tabs & Accordion allows Code Injection.This issue affects Tabs & Accordion: from n/a through 1.3.10. | |||||
| CVE-2023-3017 | 1 Oretnom23 | 1 Lost And Found Information System | 2024-11-21 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been classified as problematic. This affects an unknown part of the file admin/?page=user/manage_user of the component Manage User Page. The manipulation of the argument First Name/Middle Name/Last Name leads to basic cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-230361 was assigned to this vulnerability. | |||||
| CVE-2023-39217 | 1 Zoom | 2 Meeting Software Development Kit, Video Software Development Kit | 2024-11-21 | N/A | 5.3 MEDIUM |
| Improper input validation in Zoom SDK’s before 5.14.10 may allow an unauthenticated user to enable a denial of service via network access. | |||||
| CVE-2023-39216 | 1 Zoom | 1 Zoom | 2024-11-21 | N/A | 9.6 CRITICAL |
| Improper input validation in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network access. | |||||
| CVE-2023-39161 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WP Discussion Board Discussion Board allows Content Spoofing, Cross-Site Scripting (XSS).This issue affects Discussion Board: from n/a through 2.4.8. | |||||