Export limit exceeded: 344044 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 45339 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45339 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11126 | 2024-11-12 | 3.1 Low | ||
| A vulnerability was found in Digistar AG-30 Plus 2.6b. It has been classified as problematic. Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of excessive authentication attempts. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-51213 | 2024-11-12 | 6.1 Medium | ||
| Cross Site Scripting vulnerability in Online Shop Store v.1.0 allows a remote attacker to execute arbitrary code via the login.php component. | ||||
| CVE-2024-51026 | 1 Netadmin | 1 Netadmin | 2024-11-12 | 5.4 Medium |
| The NetAdmin IAM system (version 4.0.30319) has a Cross Site Scripting (XSS) vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field. | ||||
| CVE-2024-51135 | 1 Powertac-server | 1 Powertac-server | 2024-11-12 | 9.8 Critical |
| An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. | ||||
| CVE-2024-47590 | 1 Sap | 1 Web Dispatcher | 2024-11-12 | 8.8 High |
| An unauthenticated attacker can create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, input data will be used by the web site page generation to create content which when executed in the victim's browser (XXS) or transmitted to another server (SSRF) gives the attacker the ability to execute arbitrary code on the server fully compromising confidentiality, integrity and availability. | ||||
| CVE-2024-50601 | 1 Axigen | 1 Axigen Mail Server | 2024-11-12 | 6.1 Medium |
| Persistent and reflected XSS vulnerabilities in the themeMode cookie and _h URL parameter of Axigen Mail Server up to version 10.5.28 allow attackers to execute arbitrary Javascript. Exploitation could lead to session hijacking, data leakage, and further exploitation via a multi-stage attack. Fixed in versions 10.3.3.67, 10.4.42, and 10.5.29. | ||||
| CVE-2020-11859 | 1 Microfocus | 1 Imanager | 2024-11-08 | 7.6 High |
| Improper Input Validation vulnerability in OpenText iManager allows Cross-Site Scripting (XSS). This issue affects iManager before 3.2.3 | ||||
| CVE-2024-10926 | 1 Ibphoenix | 1 Ibwebadmin | 2024-11-08 | 3.5 Low |
| A vulnerability was found in IBPhoenix ibWebAdmin up to 1.0.2 and classified as problematic. This issue affects some unknown processing of the file /toggle_fold_panel.php of the component Tabelas Section. The manipulation of the argument p leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-51757 | 1 Capricorn86 | 1 Happy-dom | 2024-11-08 | N/A |
| happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-51989 | 1 Apnotic Llc | 1 Passwordpusher | 2024-11-08 | 7.1 High |
| Password Pusher is an open source application to communicate sensitive information over the web. A cross-site scripting (XSS) vulnerability was identified in the PasswordPusher application, affecting versions `v1.41.1` through and including `v.1.48.0`. The issue arises from an un-sanitized parameter which could allow attackers to inject malicious JavaScript into the application. Users who self-host and have the login system enabled are affected. Exploitation of this vulnerability could expose user data, access to user sessions or take unintended actions on behalf of users. To exploit this vulnerability, an attacker would need to convince a user to click a malicious account confirmation link. It is highly recommended to update to version `v1.48.1` or later to mitigate this risk. There are no known workarounds for this vulnerability. ### Solution Update to version `v1.48.1` or later where input sanitization has been applied to the account confirmation process. If updating is not immediately possible, | ||||
| CVE-2024-36064 | 1 Nllcom | 1 Acr Phone | 2024-11-08 | 6.2 Medium |
| The NLL com.nll.cb (aka ACR Phone) application through 0.330-playStore-NoAccessibility-arm8 for Android allows any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component. | ||||
| CVE-2024-51434 | 1 Froala | 1 Wysiwyg Editon | 2024-11-08 | 6.1 Medium |
| Inconsistent <plaintext> tag parsing allows for XSS in Froala WYSIWYG editor 4.3.0 and earlier. | ||||
| CVE-2024-47826 | 1 Elabftw | 1 Elabftw | 2024-11-08 | 3.5 Low |
| eLabFTW is an open source electronic lab notebook for research labs. A vulnerability in versions prior to 5.1.5 allows an attacker to inject arbitrary HTML tags in the pages: "experiments.php" (show mode), "database.php" (show mode) or "search.php". It works by providing HTML code in the extended search string, which will then be displayed back to the user in the error message. This means that injected HTML will appear in a red "alert/danger" box, and be part of an error message. Due to some other security measures, it is not possible to execute arbitrary javascript from this attack. As such, this attack is deemed low impact. Users should upgrade to at least version 5.1.5 to receive a patch. No known workarounds are available. | ||||
| CVE-2024-51557 | 1 63moons | 2 Aero, Wave 2.0 | 2024-11-08 | 6.5 Medium |
| This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system. | ||||
| CVE-2024-50335 | 1 Salesagility | 1 Suitecrm | 2024-11-08 | 4.9 Medium |
| SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. The "Publish Key" field in SuiteCRM's Edit Profile page is vulnerable to Reflected Cross-Site Scripting (XSS), allowing an attacker to inject malicious JavaScript code. This can be exploited to steal CSRF tokens and perform unauthorized actions, such as creating new administrative users without proper authentication. The vulnerability arises due to insufficient input validation and sanitization of the Publish Key field within the SuiteCRM application. When an attacker injects a malicious script, it gets executed within the context of an authenticated user's session. The injected script (o.js) then leverages the captured CSRF token to forge requests that create new administrative users, effectively compromising the integrity and security of the CRM instance. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-43967 | 1 Starkdigital | 1 Wp Testimonial Widget | 2024-11-08 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Stark Digital WP Testimonial Widget allows Stored XSS.This issue affects WP Testimonial Widget: from n/a through 3.1. | ||||
| CVE-2024-10503 | 1 Klokantech | 1 Maptiler Tileserver Gl | 2024-11-07 | 3.5 Low |
| A vulnerability was found in Klokan MapTiler tileserver-gl 2.3.1 and classified as problematic. This issue affects some unknown processing of the component URL Handler. The manipulation of the argument key leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-10840 | 1 Romadebrian | 1 Web-sekolah | 2024-11-06 | 2.4 Low |
| A vulnerability classified as problematic has been found in romadebrian WEB-Sekolah 1.0. Affected is an unknown function of the file /Admin/akun_edit.php of the component Backend. The manipulation of the argument kode leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-10842 | 1 Romadebrian | 1 Web-sekolah | 2024-11-06 | 2.4 Low |
| A vulnerability, which was classified as problematic, has been found in romadebrian WEB-Sekolah 1.0. Affected by this issue is some unknown functionality of the file /Admin/Proses_Edit_Akun.php of the component Backend. The manipulation of the argument Username_Baru/Password leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-51685 | 1 Migaweb | 1 Accordion Title For Elementor | 2024-11-06 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Gangolf Accordion title for Elementor allows Stored XSS.This issue affects Accordion title for Elementor: from n/a through 1.2.1. | ||||