Total
34410 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-46081 | 1 Scriptcase | 1 Scriptcase | 2024-10-04 | 5.4 Medium |
| Scriptcase v9.10.023 and before is vulnerable to Cross Site Scripting (XSS). An authenticated user can craft malicious payloads in the To-Do List. The assigned user will trigger a stored XSS, which is particularly dangerous because tasks are assigned to various users on the platform. | ||||
| CVE-2024-47536 | 1 Starcitizentools | 1 Mediawiki-skins-citizen | 2024-10-04 | N/A |
| Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0. | ||||
| CVE-2024-46083 | 1 Scriptcase | 1 Scriptcase | 2024-10-04 | 5.4 Medium |
| Scriptcase v9.10.023 and before is vulnerable to Cross Site Scripting (XSS). An authenticated user can craft malicious payloads using the messages feature, which allows the injection of malicious code into any user's account on the platform. It is important to note that regular users can trigger actions for administrator users. | ||||
| CVE-2024-46079 | 1 Scriptcase | 1 Scriptcase | 2024-10-04 | 6.1 Medium |
| Scriptcase v9.10.023 and before is vulnerable to Cross Site Scripting (XSS) in proj_new.php via the Descricao parameter. | ||||
| CVE-2024-8718 | 2024-10-04 | 6.1 Medium | ||
| The Gravity Forms Toolbar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9272 | 2024-10-04 | 6.4 Medium | ||
| The R Animated Icon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-41673 | 2024-10-04 | 7.1 High | ||
| Decidim is a participatory democracy framework. The version control feature used in resources is subject to potential XSS attack through a malformed URL. This vulnerability is fixed in 0.27.8. | ||||
| CVE-2024-8989 | 2024-10-04 | 6.4 Medium | ||
| The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stars_testimonials shortcode in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-8990 | 2024-10-04 | 6.4 Medium | ||
| The Geo Mashup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's geo_mashup_visible_posts_list shortcode in all versions up to, and including, 1.13.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-47612 | 2024-10-04 | 3.5 Low | ||
| DataDump is a MediaWiki extension that provides dumps of wikis. Several interface messages are unescaped (more specifically, (datadump-table-column-queued), (datadump-table-column-in-progress), (datadump-table-column-completed), (datadump-table-column-failed)). If these messages are edited (which requires the (editinterface) right by default), anyone who can view Special:DataDump (which requires the (view-dump) right by default) can be XSSed. This vulnerability is fixed with 601688ee8e8808a23b102fa305b178f27cbd226d. | ||||
| CVE-2024-41583 | 1 Draytek | 1 Vigor3910 Firmware | 2024-10-04 | 4.7 Medium |
| DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting (XSS) by authenticated users due to poor sanitization of the router name. | ||||
| CVE-2024-41584 | 1 Draytek | 1 Vigor3910 Firmware | 2024-10-04 | 4.7 Medium |
| DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to reflected XSS by authenticated users, caused by missing validation of the sFormAuthStr parameter. | ||||
| CVE-2024-33210 | 1 Flatpress | 1 Flatpress | 2024-10-04 | 5.4 Medium |
| A cross-site scripting (XSS) vulnerability has been identified in Flatpress 1.3. This vulnerability allows an attacker to inject malicious scripts into web pages viewed by other users. | ||||
| CVE-2024-9174 | 2024-10-04 | N/A | ||
| Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI | ||||
| CVE-2024-45960 | 1 Tribalsystems | 1 Zenario | 2024-10-04 | 4.8 Medium |
| Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack. | ||||
| CVE-2024-45964 | 1 Tribalsystems | 1 Zenario | 2024-10-04 | 4.8 Medium |
| Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field. | ||||
| CVE-2024-46082 | 1 Scriptcase | 1 Scriptcase | 2024-10-04 | 5.4 Medium |
| Scriptcase v.9.10.023 and before is vulnerable to Cross Site Scripting (XSS) in nm_cor.php via the form and field parameters. | ||||
| CVE-2024-45962 | 1 Octobercms | 1 October | 2024-10-04 | 4.7 Medium |
| October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target. | ||||
| CVE-2024-9279 | 1 Funnyzpc | 1 Mee-admin | 2024-10-04 | 2.4 Low |
| A vulnerability, which was classified as problematic, was found in funnyzpc Mee-Admin up to 1.6. This affects an unknown part of the file /mee/index of the component User Center. The manipulation of the argument User Nickname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-43986 | 1 Mage-people | 1 Ecab Taxi Booking Manager | 2024-10-04 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Stored XSS.This issue affects Taxi Booking Manager for WooCommerce: through 1.0.9. | ||||