Export limit exceeded: 360766 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (46898 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-49782 1 Collaboraoffice 1 Richdocumentscode 2024-11-21 7.1 High
Collabora Online is a collaborative online office suite based on LibreOffice technology. Users of Nextcloud with `Collabora Online - Built-in CODE Server` app can be vulnerable to attack via proxy.php. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.601. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-49779 1 Weseek 1 Growi 2024-11-21 5.4 Medium
Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
CVE-2023-49598 1 Weseek 1 Growi 2024-11-21 5.4 Medium
Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
CVE-2023-49577 1 Sap 1 Human Capital Management 2024-11-21 6.1 Medium
The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.
CVE-2023-49563 1 Voltronicpower 1 Snmp Web Pro 2024-11-21 6.1 Medium
Cross Site Scripting (XSS) in Voltronic Power SNMP Web Pro v.1.1 allows an attacker to execute arbitrary code via a crafted script within a request to the webserver.
CVE-2023-49494 1 Dedecms 1 Dedecms 2024-11-21 6.1 Medium
DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component select_media_post_wangEditor.php.
CVE-2023-49492 1 Dedecms 1 Dedecms 2024-11-21 6.1 Medium
DedeCMS v5.7.111 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the imgstick parameter at selectimages.php.
CVE-2023-49488 1 Openfiler 1 Openfiler 2024-11-21 6.1 Medium
A cross-site scripting (XSS) vulnerability in Openfiler ESA v2.99.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the nic parameter.
CVE-2023-49487 1 Jfinalcms Project 1 Jfinalcms 2024-11-21 5.4 Medium
JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the navigation management department.
CVE-2023-49486 1 Jfinalcms Project 1 Jfinalcms 2024-11-21 5.4 Medium
JFinalCMS v5.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the model management department.
CVE-2023-49484 1 Iteachyou 1 Dreamer Cms 2024-11-21 5.4 Medium
Dreamer CMS v4.1.3 was discovered to contain a cross-site scripting (XSS) vulnerability in the article management department.
CVE-2023-49469 1 Shaarli Project 1 Shaarli 2024-11-21 6.1 Medium
Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code via search tag function.
CVE-2023-49444 1 Html-js 1 Doracms 2024-11-21 5.4 Medium
An arbitrary file upload vulnerability in DoraCMS v2.1.8 allow attackers to execute arbitrary code via uploading a crafted HTML or image file to the user avatar.
CVE-2023-49296 1 Arduino 1 Create Agent 2024-11-21 6.3 Medium
The Arduino Create Agent allows users to use the Arduino Create applications to upload code to any USB connected Arduino board directly from the browser. A vulnerability in versions prior to 1.3.6 affects the endpoint `/certificate.crt` and the way the web interface of the ArduinoCreateAgent handles custom error messages. An attacker that is able to persuade a victim into clicking on a malicious link can perform a Reflected Cross-Site Scripting attack on the web interface of the create agent, which would allow the attacker to execute arbitrary browser client side code. Version 1.3.6 contains a fix for the issue.
CVE-2023-49289 1 Michaelschwarz 1 Ajax.net Professional 2024-11-21 6.3 Medium
Ajax.NET Professional (AjaxPro) is an AJAX framework for Microsoft ASP.NET which will create proxy JavaScript classes that are used on client-side to invoke methods on the web server. Affected versions of this package are vulnerable cross site scripting attacks. Releases before version 21.12.22.1 are affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-49279 1 Umbraco 1 Umbraco Cms 2024-11-21 3.7 Low
Umbraco is an ASP.NET content management system (CMS). Starting in version 7.0.0 and prior to versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0, a user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. Versions 7.15.11, 8.18.9, 10.7.0, 11.5.0, and 12.2.0 contain a patch for this issue. Some workarounds are available. Implement the server side file validation or serve all media from an different host (e.g cdn) than where Umbraco is hosted.
CVE-2023-49277 1 Darrennathanael 1 Dpaste 2024-11-21 8.3 High
dpaste is an open source pastebin application written in Python using the Django framework. A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized access, data theft, or other malicious activities. Users are strongly advised to upgrade to dpaste release v3.8 or later versions, as dpaste versions older than v3.8 are susceptible to the identified security vulnerability. No known workarounds have been identified, and applying the patch is the most effective way to remediate the vulnerability.
CVE-2023-49276 1 Uptime.kuma 1 Uptime Kuma 2024-11-21 6.3 Medium
Uptime Kuma is an open source self-hosted monitoring tool. In affected versions the Google Analytics element in vulnerable to Attribute Injection leading to Cross-Site-Scripting (XSS). Since the custom status interface can set an independent Google Analytics ID and the template has not been sanitized, there is an attribute injection vulnerability here, which can lead to XSS attacks. This vulnerability has been addressed in commit `f28dccf4e` which is included in release version 1.23.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-49216 1 Usedesk 1 Usedesk 2024-11-21 5.4 Medium
Usedesk before 1.7.57 allows profile stored XSS.
CVE-2023-49188 1 Zealousweb 1 Track Geolocation Of Users Using Contact Form 7 2024-11-21 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZealousWeb Track Geolocation Of Users Using Contact Form 7 allows Stored XSS.This issue affects Track Geolocation Of Users Using Contact Form 7: from n/a through 2.0.