Total
37542 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10348 | 1 Mayurik | 1 Best House Rental Management System | 2024-10-30 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only shows the field "Last Name" to be affected. Other fields might be affected as well. | |||||
| CVE-2024-48448 | 2024-10-29 | N/A | 6.1 MEDIUM | ||
| An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. | |||||
| CVE-2024-41519 | 1 Mecodia | 1 Feripro | 2024-10-29 | N/A | 5.4 MEDIUM |
| Feripro <= v2.2.3 is vulnerable to Cross Site Scripting (XSS) via "/admin/programm/<program_id>/zuordnung/veranstaltungen/<event_id>" through the "school" input field. | |||||
| CVE-2024-48120 | 1 X2engine | 1 X2crm | 2024-10-29 | N/A | 5.4 MEDIUM |
| X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list. | |||||
| CVE-2024-10414 | 1 Phpgurukul | 1 Vehicle Record System | 2024-10-29 | 3.3 LOW | 2.4 LOW |
| A vulnerability, which was classified as problematic, was found in PHPGurukul Vehicle Record System 1.0. This affects an unknown part of the file /admin/edit-brand.php. The manipulation of the argument Brand Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory mentions the parameter "phone_number" to be affected. But this might be a mistake because the textbox field label is "Brand Name". | |||||
| CVE-2024-10412 | 1 Poco-z | 1 Guns-medial | 2024-10-29 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Poco-z Guns-Medical 1.0. It has been declared as problematic. Affected by this vulnerability is the function upload of the file /mgr/upload of the component File Upload. The manipulation of the argument picture leads to cross site scripting. The attack can be launched remotely. | |||||
| CVE-2024-50575 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 5.4 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API | |||||
| CVE-2024-50576 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest | |||||
| CVE-2024-50577 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings | |||||
| CVE-2024-50578 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page | |||||
| CVE-2024-50579 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible | |||||
| CVE-2024-50580 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule | |||||
| CVE-2024-50581 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag | |||||
| CVE-2024-50582 | 1 Jetbrains | 1 Youtrack | 2024-10-29 | N/A | 4.6 MEDIUM |
| In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements | |||||
| CVE-2024-49288 | 1 Villatheme | 1 Woocommerce Email Template Customizer | 2024-10-29 | N/A | 5.9 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce allows Stored XSS.This issue affects Email Template Customizer for WooCommerce: from n/a through 1.2.5. | |||||
| CVE-2024-10014 | 1 Tiandiyoyo | 1 Flat Ui Button | 2024-10-29 | N/A | 6.4 MEDIUM |
| The Flat UI Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's flatbtn shortcode in version 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-47068 | 1 Rollupjs | 1 Rollup | 2024-10-29 | N/A | 6.1 MEDIUM |
| Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 2.79.2, 3.29.5, and 4.22.4 contain a patch for the vulnerability. | |||||
| CVE-2024-9589 | 1 Aftabhusain | 1 Category And Taxonomy Meta Fields | 2024-10-29 | N/A | 5.5 MEDIUM |
| The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_meta_name' parameter in the 'wpaft_option_page' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-9590 | 1 Aftabhusain | 1 Category And Taxonomy Meta Fields | 2024-10-29 | N/A | 5.5 MEDIUM |
| The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image meta field value in the 'wpaft_add_meta_textinput' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-9591 | 1 Aftabhusain | 1 Category And Taxonomy Image | 2024-10-29 | N/A | 5.5 MEDIUM |
| The Category and Taxonomy Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_category_image' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||