Total
39827 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6581 | 2 Lollms, Parisneo | 2 Lord Of Large Language Models, Lollms | 2024-11-01 | 9.0 Critical |
| A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file. | ||||
| CVE-2024-49660 | 1 Campusexplorer | 1 Widget | 2024-11-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Campus Explorer Campus Explorer Widget allows Reflected XSS.This issue affects Campus Explorer Widget: from n/a through 1.4. | ||||
| CVE-2024-49661 | 1 Leenk | 1 Leenk.me | 2024-11-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lew Ayotte leenk.Me allows Reflected XSS.This issue affects leenk.Me: from n/a through 2.16.0. | ||||
| CVE-2024-49662 | 1 Webgensis | 1 Simple Load More | 2024-11-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Webgensis Simple Load More allows Reflected XSS.This issue affects Simple Load More: from n/a through 1.0. | ||||
| CVE-2024-49663 | 1 Elenazhyvohliad | 1 Ucat | 2024-11-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Elena Zhyvohliad uCAT – Next Story allows Reflected XSS.This issue affects uCAT – Next Story: from n/a through 2.0.0. | ||||
| CVE-2024-49665 | 1 Webbricks | 1 Web Bricks Addons | 2024-11-01 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Web Bricks Web Bricks Addons for Elementor allows Stored XSS.This issue affects Web Bricks Addons for Elementor: from n/a through 1.1.1. | ||||
| CVE-2024-49667 | 1 Nervythemes | 1 Local Business Addons For Elementor | 2024-11-01 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in NervyThemes Local Business Addons For Elementor allows Stored XSS.This issue affects Local Business Addons For Elementor: from n/a through 1.1.5. | ||||
| CVE-2024-6361 | 1 Opentext | 1 Alm Octane | 2024-11-01 | 5.4 Medium |
| Improper Neutralization vulnerability (XSS) has been discovered in OpenText™ ALM Octane. The vulnerability affects all version prior to version 23.4. The vulnerability could cause remote code execution attack. | ||||
| CVE-2024-9219 | 1 Maxfoundry | 1 Social Share Buttons | 2024-11-01 | 6.1 Medium |
| The WordPress Social Share Buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-20341 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense Software | 2024-11-01 | 6.1 Medium |
| A vulnerability in the VPN web client services feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a browser that is accessing an affected device. This vulnerability is due to improper validation of user-supplied input to application endpoints. An attacker could exploit this vulnerability by persuading a user to follow a link designed to submit malicious input to the affected application. A successful exploit could allow the attacker to execute arbitrary HTML or script code in the browser in the context of the web services page. | ||||
| CVE-2024-49651 | 1 Mattroyal | 1 Woocommerce Maintenance Mode | 2024-11-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Matt Royal WooCommerce Maintenance Mode allows Reflected XSS.This issue affects WooCommerce Maintenance Mode: from n/a through 2.0.1. | ||||
| CVE-2024-42515 | 1 Pebbleroad | 1 Glossarizer | 2024-11-01 | 9.9 Critical |
| Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append a XSS payload to a word that has a corresponding glossary entry. | ||||
| CVE-2024-9897 | 1 Streamweasels | 1 Twitch Integration | 2024-11-01 | 6.4 Medium |
| The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2022-23861 | 1 Ysoft | 1 Safeq | 2024-11-01 | 6.1 Medium |
| Multiple Stored Cross-Site Scripting vulnerabilities were discovered in Y Soft SAFEQ 6 Build 53. Multiple fields in the YSoft SafeQ web application can be used to inject malicious inputs that, due to a lack of output sanitization, result in the execution of arbitrary JS code. These fields can be leveraged to perform XSS attacks on legitimate users accessing the SafeQ web interface. | ||||
| CVE-2024-10232 | 2024-11-01 | 6.4 Medium | ||
| The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atomchat shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-10652 | 2024-11-01 | 6.1 Medium | ||
| IDExpert from CHANGING Information Technology does not properly validate a parameter for a specific functionality, allowing unauthenticated remote attackers to inject JavsScript code and perform Reflected Cross-site scripting attacks. | ||||
| CVE-2024-48461 | 1 Telsalogger | 1 Admin Panel | 2024-11-01 | 4.8 Medium |
| Cross Site Scripting vulnerability in TeslaLogger Admin Panel before v.1.59.6 allows a remote attacker to execute arbitrary code via the New Journey field. | ||||
| CVE-2024-10108 | 2024-11-01 | 7.2 High | ||
| The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-31973 | 1 Hitrontech | 1 Coda-4582u Firmware | 2024-11-01 | 5.2 Medium |
| Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via the 'Network Name (SSID)' input fields to the /index.html#wireless_basic page. | ||||
| CVE-2024-9165 | 2024-11-01 | 6.4 Medium | ||
| The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||