Total
30644 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1256 | 1 Ujcms | 1 Jspxcms | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Jspxcms 10.2.0 and classified as problematic. This issue affects some unknown processing of the file /ext/collect/filter_text.do. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252995. | |||||
| CVE-2024-1247 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | N/A | 2.0 LOW |
| Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability. | |||||
| CVE-2024-1246 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | N/A | 2.0 LOW |
| Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9. | |||||
| CVE-2024-1245 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | N/A | 2.4 LOW |
| Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. | |||||
| CVE-2024-1219 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| The Easy Social Feed WordPress plugin before 6.5.6 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin | |||||
| CVE-2024-1215 | 1 Crud Without Page Reload Project | 1 Crud Without Page Reload | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-1196 | 1 Remyandrade | 1 Testimonial Page Manager | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability classified as problematic was found in SourceCodester Testimonial Page Manager 1.0. This vulnerability affects unknown code of the file add-testimonial.php of the component HTTP POST Request Handler. The manipulation of the argument name/description/testimony leads to cross site scripting. The attack can be initiated remotely. VDB-252694 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-1168 | 1 Seopress | 1 Seopress | 2024-11-21 | N/A | 6.4 MEDIUM |
| The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social image URL in all versions up to, and including, 7.9 due to insufficient input sanitization and output escaping on user supplied image URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1164 | 1 Brizy | 1 Brizy-page Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget error message and redirect URL in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user supplied error messages. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1161 | 1 Brizy | 1 Brizy-page Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes for blocks in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1160 | 1 Bold-themes | 1 Bold Page Builder | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Link in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1159 | 1 Bold-themes | 1 Bold Page Builder | 2024-11-21 | N/A | 6.4 MEDIUM |
| The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1157 | 1 Bold-themes | 1 Bold Page Builder | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button URL in all versions up to, and including, 4.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1146 | 2024-11-21 | N/A | 5.8 MEDIUM | ||
| Cross-Site Scripting vulnerability in Devklan's Alma Blog that affects versions 2.1.10 and earlier. This vulnerability could allow an attacker to store a malicious JavaScript payload within the application by adding the payload to 'Community Description' or 'Community Rules'. | |||||
| CVE-2024-1143 | 1 Linecorp | 1 Central Dogma | 2024-11-21 | N/A | 9.3 CRITICAL |
| Central Dogma versions prior to 0.64.1 is vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass. | |||||
| CVE-2024-1111 | 1 Rems | 1 Qr Code Login System | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in SourceCodester QR Code Login System 1.0. Affected by this issue is some unknown functionality of the file add-user.php. The manipulation of the argument qr-code leads to cross site scripting. The attack may be launched remotely. VDB-252470 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-1103 | 1 Surajkumarvishwakarma | 1 Real Estate Management System | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in CodeAstro Real Estate Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file profile.php of the component Feedback Form. The manipulation of the argument Your Feedback with the input <img src=x onerror=alert(document.cookie)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252458 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-1099 | 1 Ruifang-tech | 1 Rebuild | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability was found in Rebuild up to 3.5.5. It has been classified as problematic. Affected is the function getFileOfData of the file /filex/read-raw. The manipulation of the argument url leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252456. | |||||
| CVE-2024-1073 | 1 Wp-slimstat | 1 Slimstat Analytics | 2024-11-21 | N/A | 6.4 MEDIUM |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1055 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2024-11-21 | N/A | 5.4 MEDIUM |
| The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's buttons in all versions up to, and including, 2.7.14 due to insufficient input sanitization and output escaping on user supplied URL values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||