Total
35377 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-20534 | 2024-11-06 | N/A | 4.8 MEDIUM | ||
| A vulnerability in the web UI of Cisco Desk Phone 9800 Series, Cisco IP Phone 6800, 7800, and 8800 Series, and Cisco Video Phone 8875 with Cisco Multiplatform Firmware could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks against users. This vulnerability exists because the web UI of an affected device does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. Note: To exploit this vulnerability, Web Access must be enabled on the phone and the attacker must have Admin credentials on the device. Web Access is disabled by default. | |||||
| CVE-2024-51379 | 2024-11-06 | N/A | 8.4 HIGH | ||
| Stored Cross-Site Scripting (XSS) vulnerability discovered in JATOS v3.9.3. The vulnerability exists in the description component of the study section, where an attacker can inject JavaScript into the description field. This allows for the execution of malicious scripts when an admin views the description, potentially leading to account takeover and unauthorized actions. | |||||
| CVE-2024-20487 | 2024-11-06 | N/A | 4.3 MEDIUM | ||
| A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on an affected device. | |||||
| CVE-2024-51735 | 2024-11-06 | N/A | N/A | ||
| Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template.The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS. This may lead to commands executed on the host as well. This issue is not yet resolved. Users are advised to add their own filtering or to reach out to the developer to aid in developing a patch. | |||||
| CVE-2024-51380 | 2024-11-06 | N/A | 8.4 HIGH | ||
| Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study's properties, the injected script is executed in the admin's browser, which could lead to unauthorized actions, including account compromise and privilege escalation. | |||||
| CVE-2024-10753 | 1 Phpgurukul | 1 Online Shopping Portal | 2024-11-06 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in PHPGurukul Online Shopping Portal 2.0. It has been declared as problematic. This vulnerability affects unknown code of the file admin/assets/plugins/DataTables/media/unit_testing/templates/dom_data_two_headers.php. The manipulation of the argument scripts leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9883 | 1 Podsfoundation | 1 Pods | 2024-11-06 | N/A | 4.8 MEDIUM |
| The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10148 | 1 Sohelwpexpert | 1 Awesome Buttons | 2024-11-06 | N/A | 6.4 MEDIUM |
| The Awesome buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn2 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9147 | 1 Bna | 1 Pospratik | 2024-11-06 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Bna Informatics PosPratik allows XSS Through HTTP Query Strings.This issue affects PosPratik: before v3.2.1. | |||||
| CVE-2024-5578 | 1 Dublue | 1 Table Of Contents Plus | 2024-11-06 | N/A | 4.8 MEDIUM |
| The Table of Contents Plus WordPress plugin through 2408 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-7876 | 1 Nsqua | 1 Simply Schedule Appointments | 2024-11-06 | N/A | 4.8 MEDIUM |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-7877 | 1 Nsqua | 1 Simply Schedule Appointments | 2024-11-06 | N/A | 4.8 MEDIUM |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-10807 | 1 Anujkumar | 1 Hospital Management System | 2024-11-06 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been rated as problematic. This issue affects some unknown processing of the file hms/doctor/search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-10806 | 1 Anujkumar | 1 Hospital Management System | 2024-11-06 | 3.3 LOW | 2.4 LOW |
| A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been declared as problematic. This vulnerability affects unknown code of the file betweendates-detailsreports.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-10768 | 1 Phpgurukul | 1 Online Shopping Portal | 2024-11-06 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in PHPGurukul Online Shopping Portal 2.0. This vulnerability affects unknown code of the file /admin/assets/plugins/DataTables/media/unit_testing/templates/two_tables.php. The manipulation of the argument scripts leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-8792 | 1 Markjaquith | 1 Subscribe To Comments | 2024-11-06 | N/A | 6.1 MEDIUM |
| The Subscribe to Comments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-50348 | 1 Instantcms | 1 Instantcms | 2024-11-06 | N/A | 5.4 MEDIUM |
| InstantCMS is a free and open source content management system. In photo upload function in the photo album page there is no input validation taking place. Due to this attackers are able to inject the XSS (Cross Site Scripting) payload and execute. This vulnerability is fixed in 2.16.3. | |||||
| CVE-2024-31448 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 8.8 HIGH |
| Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS) attack can be performed when importing this content. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it. | |||||
| CVE-2023-34445 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 8.8 HIGH |
| Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-34444 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 8.8 HIGH |
| Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||