Total: 38510 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-24966 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | N/A | 6.1 MEDIUM |
IBM WebSphere Application Server 8.5 and 9.0 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 246904. | |||||
CVE-2023-24921 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 5.4 MEDIUM |
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
CVE-2023-24920 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 5.4 MEDIUM |
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
CVE-2023-24919 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 5.4 MEDIUM |
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
CVE-2023-24896 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 5.4 MEDIUM |
Dynamics 365 Finance Spoofing Vulnerability | |||||
CVE-2023-24891 | 1 Microsoft | 1 Dynamics 365 | 2024-11-21 | N/A | 5.4 MEDIUM |
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | |||||
CVE-2023-24839 | 1 Hgiga | 1 Oaklouds Mailsherlock | 2024-11-21 | N/A | 6.1 MEDIUM |
A specific function in HGiga MailSherlock has insufficient filtering of user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript and conduct a reflected XSS attack. | |||||
CVE-2023-24814 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A | 8.8 HIGH |
TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values are cached and delivered to other website visitors (persisted cross-site scripting). Individual code that relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages is vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there may still be a risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The usage of the server environment variable `PATH_INFO` has been removed from the corresponding processing in `GeneralUtility::getIndpEnv()`. Besides that, the public property `TypoScriptFrontendController::$absRefPrefix` is now encoded both for use as a URI component and for use as a prefix in an HTML context. This mitigates the cross-site scripting vulnerability. Users are advised to update to TYPO3 versions 8.7.51 ELTS, 9.5.40 ELTS, 10.4.35 LTS, 11.5.23 LTS and 12.2.0, which fix this problem. For users who are unable to patch in a timely manner, the TypoScript setting `config.absRefPrefix` should at least be set to a static path value instead of `auto`, e.g. `config.absRefPrefix=/`. This workaround **does not fix all aspects of the vulnerability** and is only considered an intermediate mitigation for the most prominent manifestation. | |||||
CVE-2023-24811 | 1 Misskey | 1 Misskey | 2024-11-21 | N/A | 7.1 HIGH |
Misskey is an open source, decentralized social media platform. In versions prior to 13.3.2 the URL preview function is subject to a cross site scripting vulnerability due to insufficient URL validation. Arbitrary JavaScript is executed when a malicious URL is loaded in the `View in Player` or `View in Window` preview. This has been fixed in version 13.3.2. Users are advised to upgrade. Users unable to upgrade should avoid usage of the `View in Player` or `View in Window` functions. | |||||
CVE-2023-24810 | 1 Misskey | 1 Misskey | 2024-11-21 | N/A | 7.1 HIGH |
Misskey is an open source, decentralized social media platform. Due to insufficient validation of the redirect URL during `miauth` authentication in Misskey, arbitrary JavaScript can be executed when a user allows the link. All versions below 13.3.1 (including 12.x) are affected. This has been fixed in version 13.3.1. Users are advised to upgrade. Users unable to upgrade should not allow authentication of untrusted apps. | |||||
CVE-2023-24737 | 1 Sigb | 1 Pmb | 2024-11-21 | N/A | 6.1 MEDIUM |
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php. | |||||
CVE-2023-24733 | 1 Sigb | 1 Pmb | 2024-11-21 | N/A | 6.1 MEDIUM |
PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950_new.php. | |||||
CVE-2023-24675 | 1 Bludit | 1 Bludit | 2024-11-21 | N/A | 4.8 MEDIUM |
A cross-site scripting vulnerability in Bludit CMS v3.14.1 allows attackers to execute arbitrary web script via the Categories Friendly URL. | |||||
CVE-2023-24602 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | N/A | 6.1 MEDIUM |
OX App Suite before frontend 7.10.6-rev24 allows XSS via data to the Tumblr portal widget, such as a post title. | |||||
CVE-2023-24601 | 1 Open-xchange | 1 Ox App Suite | 2024-11-21 | N/A | 6.1 MEDIUM |
OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree. | |||||
CVE-2023-24529 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2024-11-21 | N/A | 6.1 MEDIUM |
Due to lack of proper input validation, BSP application (CRM_BSP_FRAME) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, allows malicious inputs from untrusted sources, which can be leveraged by an attacker to execute a Reflected Cross-Site Scripting (XSS) attack. As a result, an attacker may be able to hijack a user session and read or modify some sensitive information. | |||||
CVE-2023-24525 | 1 Sap | 2 Customer Relationship Management Webclient Ui, S4fnd | 2024-11-21 | N/A | 4.3 MEDIUM |
SAP CRM WebClient UI - versions WEBCUIF 748, 800, 801, S4FND 102, 103, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability. On successful exploitation an authenticated attacker can cause a limited impact on the confidentiality of the application. | |||||
CVE-2023-24522 | 1 Sap | 1 Netweaver Application Server Abap | 2024-11-21 | N/A | 6.1 MEDIUM |
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (Business Server Pages) - versions 700, 701, 702, 731, 740, allows an unauthenticated attacker to alter the current session of a user by injecting malicious code over the network and gain access to unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application. | |||||
CVE-2023-24521 | 1 Sap | 1 Netweaver As Abap Business Server Pages | 2024-11-21 | N/A | 6.1 MEDIUM |
Due to insufficient input sanitization, SAP NetWeaver AS ABAP (BSP Framework) - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, allows an unauthenticated attacker to alter the current session of a user by injecting malicious code over the network and gain access to unintended data. This may lead to a limited impact on the confidentiality and the integrity of the application. | |||||
CVE-2023-24516 | 1 Pandorafms | 1 Pandora Fms | 2024-11-21 | N/A | 5.9 MEDIUM |
A Cross-site Scripting (XSS) vulnerability in the Pandora FMS Special Days component allows an attacker to steal the session cookie of admin users with little user interaction. This issue affects Pandora FMS v767 and prior versions on all platforms. |
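The TYPO3 entry above (CVE-2023-24814) describes a mechanism worth seeing end to end: a request-derived path prefix is written unencoded into the page, and because the first render of an uncached page is stored, the injection is served to every later visitor. The block below is an added illustration written for this page, not TYPO3 code; the request objects, `renderPageVulnerable`, `renderPageHardened`, the page cache and the `<base href>` sink are this example's own assumptions, chosen to mirror the advisory's description of encoding the prefix for both the URI and the HTML context.

```javascript
// Added illustration (not TYPO3 code): a request-derived prefix emitted
// unencoded into cached HTML becomes persisted XSS; encoding it for the
// URI context and then the HTML-attribute context stops it.
// All request objects below are constructed sample inputs.

// Vulnerable shape: the prefix is taken verbatim from a server variable
// (PATH_INFO in the advisory) and written straight into <base href>.
function renderPageVulnerable(req) {
  const absRefPrefix = req.pathInfo; // unfiltered, attacker-influenced
  return `<html><head><base href="${absRefPrefix}"></head><body>Hello</body></html>`;
}

// HTML-attribute escape; second, independent layer after URI encoding.
function htmlAttr(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened shape: encodeURI keeps "/" and ":" but percent-encodes quotes,
// spaces and angle brackets, so the value can no longer close the attribute;
// htmlAttr then covers anything that still has HTML meaning (e.g. "'").
function renderPageHardened(req) {
  const absRefPrefix = htmlAttr(encodeURI(req.pathInfo));
  return `<html><head><base href="${absRefPrefix}"></head><body>Hello</body></html>`;
}

// Minimal page cache: the first render for a key is stored and replayed to
// every later visitor. This is what turns a reflected injection into a
// persisted one: whoever hits the uncached page first decides its content.
function makeCachedRenderer(render) {
  const cache = new Map();
  return (req) => {
    const key = req.path;
    if (!cache.has(key)) cache.set(key, render(req));
    return cache.get(key);
  };
}

// Constructed sample: the attacker requests the not-yet-cached page first
// and smuggles markup through the path-info portion of the request.
const attackerRequest = {
  path: '/about',
  pathInfo: '/"><script>alert(document.cookie)</script><x a="',
};
// A later, innocent visitor to the same page.
const victimRequest = { path: '/about', pathInfo: '/' };

// Returns the HTML the victim receives after the attacker poisoned the cache.
function demo(render) {
  const cached = makeCachedRenderer(render);
  cached(attackerRequest); // poisons the cache entry for /about
  return cached(victimRequest); // what every later visitor gets
}

function containsScriptTag(html) {
  return /<script>/i.test(html);
}

console.log('vulnerable, victim sees:', demo(renderPageVulnerable));
console.log('hardened,   victim sees:', demo(renderPageHardened));
```

The static-prefix workaround from the advisory (`config.absRefPrefix=/`) corresponds to never reading `req.pathInfo` at all; the encoding in `renderPageHardened` is what the fixed versions add so that even a derived value is safe in both contexts.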
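Both Misskey entries above (CVE-2023-24811 and CVE-2023-24810) come down to a third-party URL, a preview target or an app's `miauth` callback, being navigated to or embedded without checking its scheme. The following is an added example for this page, not Misskey's code or fix: it shows the allowlist-based check a practitioner would put in front of such a feature. The function names, the `allowedHosts` option and the sample URLs are this example's own assumptions.

```javascript
// Added example (not Misskey's code): allowlist-based validation of a URL
// supplied by a third party before it is redirected to or embedded in a
// player/window. Uses only the WHATWG URL parser built into Node/browsers.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only for absolute http(s) URLs without embedded credentials,
// optionally restricted to a set of hostnames (e.g. an app's registered
// callback host). Everything the parser rejects is rejected too.
function isSafeExternalUrl(raw, opts = {}) {
  if (typeof raw !== 'string') return false;
  let url;
  try {
    // No base URL: relative inputs such as "//evil.example" or "/path"
    // make the parser throw instead of silently resolving somewhere.
    url = new URL(raw);
  } catch {
    return false;
  }
  // url.protocol is normalised to lower case, so " JavaScript:alert(1)"
  // (leading whitespace is stripped by the parser) is caught here, as are
  // data:, vbscript: and anything else that is not plain http(s).
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  // Credentials in the URL are a phishing lever in "open this link" UIs.
  if (url.username || url.password) return false;
  if (opts.allowedHosts && !opts.allowedHosts.has(url.hostname)) return false;
  return true;
}

// Convenience wrapper for a redirect: the normalised href, or null so the
// caller cannot accidentally fall through to the raw string.
function safeRedirectTarget(raw, opts) {
  return isSafeExternalUrl(raw, opts) ? new URL(raw).href : null;
}

// Constructed sample inputs of the kinds these two CVEs are about.
const samples = [
  'javascript:alert(document.cookie)',
  ' JavaScript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '//evil.example/',
  'https://user:pw@app.example/',
  'https://app.example/callback?token=abc',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', isSafeExternalUrl(s));
}
```

For the `miauth` case the `allowedHosts` option is the important part: the callback host should come from the app's registration, not from the request, so that a malicious app cannot pick an arbitrary target even among well-formed https URLs.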