Export limit exceeded: 47282 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (47282 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-5688 1 Modoboa 1 Modoboa 2024-11-21 5.4 Medium
Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.
CVE-2023-5653 1 Wassup Real Time Analytics Project 1 Wassup Real Time Analytics 2024-11-21 6.1 Medium
The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does not escape IP address provided via some headers before outputting them back in an admin page, allowing unauthenticated users to perform Stored XSS attacks against logged in admins
CVE-2023-5641 1 Martinstools 1 Free \& Easy Link Building 2024-11-21 6.1 Medium
The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2023-5620 1 Webpushr 1 Web Push Notifications 2024-11-21 5.4 Medium
The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks.
CVE-2023-5609 1 S-sols 1 Seraphinite Accelerator 2024-11-21 6.1 Medium
The Seraphinite Accelerator WordPress plugin before 2.2.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVE-2023-5605 1 Kaizencoders 1 Url Shortify 2024-11-21 4.8 Medium
The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2023-5599 1 Dassault 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 2024-11-21 5.4 Medium
A stored Cross-site Scripting (XSS) vulnerability affecting 3DDashboard in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allows an attacker to execute arbitrary script code.
CVE-2023-5598 1 Dassault 2 3dswymer 3dexperience 2022, 3dswymer 3dexperience 2023 2024-11-21 5.4 Medium
Stored Cross-site Scripting (XSS) vulnerabilities affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2023x allow an attacker to execute arbitrary script code.
CVE-2023-5585 1 Oretnom23 1 Online Motorcycle \(bike\) Rental System 2024-11-21 2.4 Low
A vulnerability was found in SourceCodester Online Motorcycle Rental System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/?page=bike of the component Bike List. The manipulation of the argument Model with the input "><script>confirm (document.cookie)</script> leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-242170 is the identifier assigned to this vulnerability.
CVE-2023-5581 1 Oretnom23 1 Medicine Tracker System 2024-11-21 3.5 Low
A vulnerability classified as problematic was found in SourceCodester Medicine Tracker System 1.0. This vulnerability affects unknown code of the file index.php. The manipulation of the argument page leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-242146 is the identifier assigned to this vulnerability.
CVE-2023-5564 1 Froxlor 1 Froxlor 2024-11-21 4.8 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxlor prior to 2.1.0-dev1.
CVE-2023-5562 1 Knime 1 Knime Analytics Platform 2024-11-21 6.1 Medium
An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by default. If the data to be displayed contains JavaScript this code is executed in the browser and can perform any operations that the current user is allowed to perform silently. KNIME Analytics Platform already has configuration options with which sanitization of data can be actived, see https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal https://docs.knime.com/latest/webportal_admin_guide/index.html#html-sanitization-webportal . However, these are off by default which allows for cross-site scripting attacks. KNIME Analytics Platform 5.2.0 will enable sanitization by default. For all previous releases we recommend users to add the corresponding settings to the executor's knime.ini.
CVE-2023-5558 1 Thimpress 1 Learnpress 2024-11-21 6.1 Medium
The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-5556 1 Structurizr 1 On-premises Installation 2024-11-21 6.1 Medium
Cross-site Scripting (XSS) - Reflected in GitHub repository structurizr/onpremises prior to 3194.
CVE-2023-5547 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2024-11-21 3.3 Low
The course upload preview contained an XSS risk for users uploading unsafe data.
CVE-2023-5546 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2024-11-21 4.3 Medium
ID numbers displayed in the quiz grading report required additional sanitizing to prevent a stored XSS risk.
CVE-2023-5544 3 Fedoraproject, Moodle, Redhat 3 Fedora, Moodle, Enterprise Linux 2024-11-21 6.5 Medium
Wiki comments required additional sanitizing and access restrictions to prevent a stored XSS risk and potential IDOR risk.
CVE-2023-5541 1 Moodle 1 Moodle 2024-11-21 3.3 Low
The CSV grade import method contained an XSS risk for users importing the spreadsheet, if it contained unsafe content.
CVE-2023-5530 1 Ninjaforms 1 Ninja Forms 2024-11-21 4.8 Medium
The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc however the vendor acknowledged and fixed the issue
CVE-2023-5458 1 Ashik 1 Cits Support Svg\, Webp Media And Ttf\,otf File Upload 2024-11-21 5.4 Medium
The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.