Total
30624 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-27719 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| A cross site scripting (XSS) vulnerability in rems FAQ Management System v.1.0 allows a remote attacker to obtain sensitive information via a crafted payload to the Frequently Asked Question field in the Add FAQ function. | |||||
| CVE-2024-27706 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| Cross Site Scripting vulnerability in Huly Platform v.0.6.202 allows attackers to execute arbitrary code via upload of crafted SVG file to issues. | |||||
| CVE-2024-27703 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. | |||||
| CVE-2024-27684 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| A Cross-site scripting (XSS) vulnerability in dlapn.cgi, dldongle.cgi, dlcfg.cgi, fwup.cgi and seama.cgi in D-Link GORTAC750_A1_FW_v101b03 allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||||
| CVE-2024-27680 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the "Contact form." | |||||
| CVE-2024-27626 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Dotclear version 2.29. The flaw exists within the Search functionality of the Admin Panel. | |||||
| CVE-2024-27625 | 2024-11-21 | N/A | 4.8 MEDIUM | ||
| CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field. | |||||
| CVE-2024-27609 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Bonita before 2023.2-u2 allows stored XSS via a UI screen in the administration panel. | |||||
| CVE-2024-27593 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| A stored cross-site scripting (XSS) vulnerability in the Filter function of Eramba Version 3.22.3 Community Edition allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the filter name field. This vulnerability has been fixed in version 3.23.0. | |||||
| CVE-2024-27558 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| Stupid Simple CMS 1.2.4 is vulnerable to Cross Site Scripting (XSS) within the blog title of the settings. | |||||
| CVE-2024-27517 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Webasyst 2.9.9 has a Cross-Site Scripting (XSS) vulnerability, Attackers can create blogs containing malicious code after gaining blog permissions. | |||||
| CVE-2024-27499 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Bagisto v1.5.1 is vulnerable for Cross site scripting(XSS) via png file upload vulnerability in product review option. | |||||
| CVE-2024-27477 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks. | |||||
| CVE-2024-27314 | 2024-11-21 | N/A | 2.4 LOW | ||
| Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users. | |||||
| CVE-2024-27306 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. Users following the recommendation are unaffected. Other users can disable `show_index` if unable to upgrade. | |||||
| CVE-2024-27300 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The `email` field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of PHP's `FILTER_VALIDATE_EMAIL` function, which only validates the email format, not its content. This vulnerability enables an attacker to execute arbitrary client-side JavaScript within the context of another user's phpMyFAQ session. This vulnerability is fixed in 3.2.6. | |||||
| CVE-2024-27290 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
| Docassemble is an expert system for guided interviews and document assembly. Prior to 1.4.97, a user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The vulnerability has been patched in version 1.4.97 of the master branch. | |||||
| CVE-2024-27287 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| ESPHome is a system to control your ESP8266/ESP32 for Home Automation systems. Starting in version 2023.12.9 and prior to version 2024.2.2, editing the configuration file API in dashboard component of ESPHome version 2023.12.9 (command line installation and Home Assistant add-on) serves unsanitized data with `Content-Type: text/html; charset=UTF-8`, allowing a remote authenticated user to inject arbitrary web script and exfiltrate session cookies via Cross-Site scripting. It is possible for a malicious authenticated user to inject arbitrary Javascript in configuration files using a POST request to the /edit endpoint, the configuration parameter allows to specify the file to write. To trigger the XSS vulnerability, the victim must visit the page` /edit?configuration=[xss file]`. Abusing this vulnerability a malicious actor could perform operations on the dashboard on the behalf of a logged user, access sensitive information, create, edit and delete configuration files and flash firmware on managed boards. In addition to this, cookies are not correctly secured, allowing the exfiltration of session cookie values. Version 2024.2.2 contains a patch for this issue. | |||||
| CVE-2024-27285 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.36. | |||||
| CVE-2024-27270 | 2024-11-21 | N/A | 4.7 MEDIUM | ||
| IBM WebSphere Application Server Liberty 23.0.0.3 through 24.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in a specially crafted URI. IBM X-Force ID: 284576. | |||||