Total
34649 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23520 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails Html Sanitizers | 2025-02-13 | N/A | 6.1 MEDIUM |
| rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both "select" and "style" should either upgrade or use this workaround: Remove either "select" or "style" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. | |||||
| CVE-2020-21487 | 1 Netgate | 2 Pfsense, Pfsense Acme Package | 2025-02-13 | N/A | 9.6 CRITICAL |
| Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php. | |||||
| CVE-2020-19277 | 1 Mm-wiki Project | 1 Mm-wiki | 2025-02-13 | N/A | 5.4 MEDIUM |
| Cross Site Scripting vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via javascript code in the markdown editor. | |||||
| CVE-2024-27103 | 1 Pinterest | 1 Querybook | 2025-02-13 | N/A | 6.1 MEDIUM |
| Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2. | |||||
| CVE-2024-26143 | 1 Rubyonrails | 1 Rails | 2025-02-13 | N/A | 6.1 MEDIUM |
| Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in "_html", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1. | |||||
| CVE-2024-13830 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-02-13 | N/A | 6.1 MEDIUM |
| Reflected XSS in Ivanti Connect Secure before version 22.7R2.6 and Ivanti Policy Secure before version 22.7R1.3 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required. | |||||
| CVE-2024-2738 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2025-02-13 | N/A | N/A |
| The Permalink Manager Lite and Pro plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the āsā parameter in multiple instances in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-0604 | 1 Fooplugins | 1 Foogallery | 2025-02-13 | N/A | 4.8 MEDIUM |
| The Best WordPress Gallery Plugin ā FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |||||
| CVE-2024-1447 | 1 Athemes | 1 Sydney Toolbox | 2025-02-13 | N/A | 5.4 MEDIUM |
| The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aThemes Slider button element in all versions up to, and including, 1.25 due to insufficient input sanitization and output escaping on user supplied link. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1049 | 1 Godaddy | 1 Coblocks | 2025-02-13 | N/A | 5.4 MEDIUM |
| The Page Builder Gutenberg Blocks ā CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Widget's in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping on the link value. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-1697 | 1 Themelocation | 1 Custom Woocommerce Checkout Fields Editor | 2025-02-13 | N/A | 5.4 MEDIUM |
| The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2202 | 1 Siteorigin | 1 Page Builder | 2025-02-13 | N/A | 5.4 MEDIUM |
| The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image widget in all versions up to, and including, 2.29.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-2936 | 1 Athemes | 1 Sydney Toolbox | 2025-02-13 | N/A | 5.4 MEDIUM |
| The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute of widgets in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-26777 | 1 Uptime Kuma Project | 1 Uptime Kuma | 2025-02-13 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability found in : louislam Uptime Kuma v.1.19.6 and before allows a remote attacker to execute arbitrary commands via the description, title, footer, and incident creation parameter of the status_page.js endpoint. | |||||
| CVE-2023-0835 | 1 Markdown-pdf Project | 1 Markdown-pdf | 2025-02-13 | N/A | 8.2 HIGH |
| markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. | |||||
| CVE-2023-0738 | 1 Orangescrum | 1 Orangescrum | 2025-02-13 | N/A | 6.1 MEDIUM |
| OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. | |||||
| CVE-2023-26776 | 1 Monitorr | 1 Monitorr | 2025-02-13 | N/A | 6.1 MEDIUM |
| Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file. | |||||
| CVE-2011-4595 | 1 Caseproof | 1 Prettylinks | 2025-02-13 | 4.3 MEDIUM | 6.1 MEDIUM |
| Pretty-Link WordPress plugin 1.5.2 has XSS | |||||
| CVE-2013-1636 | 3 Caseproof, Civicrm, Joobi | 3 Prettylinks, Civicrm, Com Jnews | 2025-02-13 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in open-flash-chart.swf in Open Flash Chart (aka Open-Flash Chart), as used in the Pretty Link Lite plugin before 1.6.3 for WordPress, JNews (com_jnews) component 8.0.1 for Joomla!, and CiviCRM 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, allows remote attackers to inject arbitrary web script or HTML via the get-data parameter. | |||||
| CVE-2024-5933 | 1 Lollms | 1 Lollms Web Ui | 2025-02-13 | N/A | 5.4 MEDIUM |
| A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser. | |||||