Total: 30576 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-36773 | 1 Monstra | 1 Monstra | 2024-11-21 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Themes parameter at index.php. |
| CVE-2024-36676 | | | 2024-11-21 | N/A | 7.5 HIGH | Incorrect access control in BookStack before v24.05.1 allows attackers to confirm existing system users and perform targeted notification email DoS via public facing forms. |
| CVE-2024-36674 | | | 2024-11-21 | N/A | 6.1 MEDIUM | LyLme_spage v1.9.5 is vulnerable to Cross Site Scripting (XSS) via admin/link.php. |
| CVE-2024-36656 | | | 2024-11-21 | N/A | 6.1 MEDIUM | In MintHCM 4.0.3, a registered user can execute arbitrary JavaScript code and achieve a reflected Cross-site Scripting (XSS) attack. |
| CVE-2024-36647 | | | 2024-11-21 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Church CRM v5.8.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Family Name parameter under the Register a New Family page. |
| CVE-2024-36599 | 1 Aegon | 1 Life Insurance Management System | 2024-11-21 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at insertClient.php. |
| CVE-2024-36577 | | | 2024-11-21 | N/A | 8.3 HIGH | apphp js-object-resolver < 3.1.1 is vulnerable to Prototype Pollution via Module.setNestedProperty. |
| CVE-2024-36453 | | | 2024-11-21 | N/A | 6.1 MEDIUM | Cross-site scripting vulnerability exists in session_login.cgi of Webmin versions prior to 1.970 and Usermin versions prior to 1.820. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a webpage may be altered or sensitive information such as a credential may be disclosed. |
| CVE-2024-36450 | 1 Webmin | 1 Webmin | 2024-11-21 | N/A | 5.4 MEDIUM | Cross-site scripting vulnerability exists in sysinfo.cgi of Webmin versions prior to 1.910. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product. As a result, a session ID may be obtained, a webpage may be altered, or a server may be halted. |
| CVE-2024-36423 | 1 Flowiseai | 1 Flowise | 2024-11-21 | N/A | 6.1 MEDIUM | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
| CVE-2024-36422 | 1 Flowiseai | 1 Flowise | 2024-11-21 | N/A | 6.1 MEDIUM | Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `api/v1/chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available. |
| CVE-2024-36417 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 5.7 MEDIUM | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added to some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2024-36413 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.9 HIGH | SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. |
| CVE-2024-36397 | 1 Vantiva | 2 Mediaaccess Dga2232, Mediaaccess Dga2232 Firmware | 2024-11-21 | N/A | 6.1 MEDIUM | Vantiva - MediaAccess DGA2232 v19.4 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2024-36392 | | | 2024-11-21 | N/A | 6.1 MEDIUM | MileSight DeviceHub - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2024-36384 | | | 2024-11-21 | N/A | 6.1 MEDIUM | Pointsharp Cryptshare Server before 7.0.0 has an XSS issue that is related to notification messages. |
| CVE-2024-36374 | | | 2024-11-21 | N/A | 4.6 MEDIUM | In JetBrains TeamCity before 2024.03.2, stored XSS via build step settings was possible. |
| CVE-2024-36373 | | | 2024-11-21 | N/A | 4.6 MEDIUM | In JetBrains TeamCity before 2024.03.2, several stored XSS in untrusted builds settings were possible. |
| CVE-2024-36372 | | | 2024-11-21 | N/A | 4.6 MEDIUM | In JetBrains TeamCity before 2023.05.6, reflected XSS on the subscriptions page was possible. |
| CVE-2024-36371 | | | 2024-11-21 | N/A | 4.6 MEDIUM | In JetBrains TeamCity before 2023.05.6, 2023.11.5, stored XSS in Commit status publisher was possible. |