Export limit exceeded: 45286 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (45286 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-41960 | 1 Mailcow | 1 Mailcow\ | 2024-09-19 | 3.8 Low |
| mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-34343 | 1 Nuxt | 1 Nuxt | 2024-09-19 | 6.3 Medium |
| Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. The `navigateTo` function attempts to blockthe `javascript:` protocol, but does not correctly use API's provided by `unjs/ufo`. This library also contains parsing discrepancies. The function first tests to see if the specified URL has a protocol. This uses the unjs/ufo package for URL parsing. This function works effectively, and returns true for a javascript: protocol. After this, the URL is parsed using the parseURL function. This function will refuse to parse poorly formatted URLs. Parsing javascript:alert(1) returns null/"" for all values. Next, the protocol of the URL is then checked using the isScriptProtocol function. This function simply checks the input against a list of protocols, and does not perform any parsing. The combination of refusing to parse poorly formatted URLs, and not performing additional parsing means that script checks fail as no protocol can be found. Even if a protocol was identified, whitespace is not stripped in the parseURL implementation, bypassing the isScriptProtocol checks. Certain special protocols are identified at the top of parseURL. Inserting a newline or tab into this sequence will block the special protocol check, and bypass the latter checks. This ONLY has impact after SSR has occured, the `javascript:` protocol within a location header does not trigger XSS. This issue has been addressed in release version 3.12.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-31414 | 1 Eaton | 1 Foreseer Electrical Power Monitoring System | 2024-09-19 | 6.7 Medium |
| The Eaton Foreseer software provides users the capability to customize the dashboard in WebView pages. However, the input fields for this feature in the Eaton Foreseer software lacked proper input sanitization on the server-side, which could lead to injection and execution of malicious scripts when abused by bad actors. | ||||
| CVE-2024-45400 | 1 Mlewand | 1 Open Link | 2024-09-19 | 6.1 Medium |
| ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text editor that extends the context menu with a possibility to open a link in a new tab. A vulnerability in versions of the plugin prior to 1.0.7 allowed a user to execute JavaScript code by abusing the link href attribute. The fix is available starting with version 1.0.7. | ||||
| CVE-2024-35118 | 1 Ibm | 2 Maas360, Maas360 Mdm | 2024-09-19 | 4.6 Medium |
| IBM MaaS360 for Android 6.31 through 8.60 is using hard coded credentials that can be obtained by a user with physical access to the device. | ||||
| CVE-2024-7269 | 1 Connx | 1 Esp Hr Management | 2024-09-19 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation vulnerability in "Update of Personal Details" form in ConnX ESP HR Management allows Stored XSS attack. An attacker might inject a script to be run in user's browser. After multiple attempts to contact the vendor we did not receive any answer. The finder provided the information that this issue affects ESP HR Management versions before 6.6. | ||||
| CVE-2021-22503 | 1 Microfocus | 1 Edirectory | 2024-09-19 | 5.4 Medium |
| Possible Improper Neutralization of Input During Web Page Generation Vulnerability in eDirectory has been discovered in OpenText™ eDirectory 9.2.3.0000. | ||||
| CVE-2024-6656 | 2 Tnb Mobile Solutions, Tnbmobil | 2 Cockpit Software, Cockpit | 2024-09-19 | 9.8 Critical |
| Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable.This issue affects Cockpit Software: before v2.13. | ||||
| CVE-2024-8783 | 1 Opentibiabr | 1 Myaac | 2024-09-19 | 3.5 Low |
| A vulnerability classified as problematic has been found in OpenTibiaBR MyAAC up to 0.8.16. Affected is an unknown function of the file system/pages/forum/new_post.php of the component Post Reply Handler. The manipulation of the argument post_topic leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as bf6ae3df0d32fa22552bb44ca4f8489a6e78cc1c. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2021-38131 | 1 Microfocus | 1 Edirectory | 2024-09-18 | 5.4 Medium |
| Possible Cross-Site Scripting (XSS) Vulnerability in eDirectory has been discovered in OpenText™ eDirectory 9.2.5.0000. | ||||
| CVE-2024-8750 | 1 I-doit | 1 I-doit | 2024-09-18 | 5.4 Medium |
| Cross-site Scripting (XSS) vulnerability in idoit pro version 28. This vulnerability allows an attacker to retrieve session details of an authenticated user due to lack of proper sanitization of the following parameters (id,lang,mNavID,name,pID,treeNode,type,view). | ||||
| CVE-2024-34335 | 1 Ordat | 2 Foss-online, Ordat.erp | 2024-09-18 | 6.1 Medium |
| ORDAT FOSS-Online before version 2.24.01 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the login page. | ||||
| CVE-2024-45303 | 1 Discourse | 1 Calendar | 2024-09-18 | 6.1 Medium |
| Discourse Calendar plugin adds the ability to create a dynamic calendar in the first post of a topic to Discourse. Rendering event names can be susceptible to XSS attacks. This vulnerability only affects sites which have modified or disabled Discourse’s default Content Security Policy. The issue is patched in version 0.5 of the Discourse Calendar plugin. | ||||
| CVE-2024-45788 | 1 Reedos | 1 Aim-star | 2024-09-18 | 7.5 High |
| This vulnerability exists in Reedos aiM-Star version 2.0.1 due to missing rate limiting on OTP requests in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoints which could lead to the OTP bombing/flooding on the targeted system. | ||||
| CVE-2024-8708 | 1 Mayurik | 1 Best House Rental Management System | 2024-09-18 | 3.5 Low |
| A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file categories.php. The manipulation leads to cross site scripting. The attack may be initiated remotely. | ||||
| CVE-2024-8144 | 1 Classcms | 1 Classcms | 2024-09-18 | 3.5 Low |
| A vulnerability classified as problematic was found in ClassCMS 4.8. Affected by this vulnerability is an unknown functionality of the file /index.php/admin of the component Logo Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-43327 | 1 Teleogistic | 1 Invite Anyone | 2024-09-18 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Boone Gorges Invite Anyone allows Reflected XSS.This issue affects Invite Anyone: from n/a through 1.4.7. | ||||
| CVE-2024-8145 | 1 Classcms | 1 Classcms | 2024-09-18 | 2.4 Low |
| A vulnerability, which was classified as problematic, has been found in ClassCMS 4.8. Affected by this issue is some unknown functionality of the file /index.php/admin of the component Article Handler. The manipulation of the argument Title leads to basic cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-4207 | 1 Gitlab | 1 Gitlab | 2024-09-18 | 4.4 Medium |
| A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances. | ||||
| CVE-2024-43324 | 1 Cleversoft | 1 Clever Addons For Elementor | 2024-09-17 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CleverSoft Clever Addons for Elementor allows Stored XSS.This issue affects Clever Addons for Elementor: from n/a through 2.2.0. | ||||