CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-79

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2023-23687 79 XSS 2023-01-23 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Auth. Stored Cross-Site Scripting (XSS) vulnerability in Youtube shortcode <= 1.8.5 versions.
2 CVE-2023-23637 79 XSS 2023-01-17 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information.
3 CVE-2023-23491 79 XSS 2023-01-20 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the 'category' parameter of its 'qem_ajax_calendar' action.
4 CVE-2023-23024 79 XSS 2023-01-20 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter.
5 CVE-2023-23015 79 XSS 2023-01-20 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.
6 CVE-2023-22911 79 XSS 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context.
7 CVE-2023-22910 79 XSS 2023-01-20 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability.
8 CVE-2023-22725 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
GLPI is a Free Asset and IT Management Software package. Versions 0.6.0 and above, prior to 10.0.6 are vulnerable to Cross-site Scripting. This vulnerability allow for an administrator to create a malicious external link. This issue is patched in 10.0.6.
9 CVE-2023-22724 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
GLPI is a Free Asset and IT Management Software package. Versions prior to 10.0.6 are subject to Cross-site Scripting via malicious RSS feeds. An Administrator can import a malicious RSS feed that contains Cross Site Scripting (XSS) payloads inside RSS links. Victims who wish to visit an RSS content and click on the link will execute the Javascript. This issue is patched in 10.0.6.
10 CVE-2023-22722 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
GLPI is a Free Asset and IT Management Software package. Versions 9.4.0 and above, prior to 10.0.6 are subject to Cross-site Scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6.
11 CVE-2023-22721 79 XSS 2023-01-23 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Auth. Stored Cross-Site Scripting (XSS) in Oi Yandex.Maps for WordPress <= 3.2.7 versions.
12 CVE-2023-22594 79 XSS 2023-01-18 2023-01-18
0.0
None ??? ??? ??? ??? ??? ???
IBM Robotic Process Automation for Cloud Pak 20.12.0 through 21.0.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244075.
13 CVE-2023-22491 79 XSS 2023-01-13 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `[email protected]` and `[email protected]` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. It is encouraged for projects to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner.
14 CVE-2023-22475 79 XSS 2023-01-06 2023-01-12
0.0
None ??? ??? ??? ??? ??? ???
Canarytokens is an open source tool which helps track activity and actions on your network. A Cross-Site Scripting vulnerability was identified in the history page of triggered Canarytokens prior to sha-fb61290. An attacker who discovers an HTTP-based Canarytoken (a URL) can use this to execute Javascript in the Canarytoken's trigger history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place Javascript on the history page that redirect the creator towards an attacker-controlled Canarytoken to show the creator's network location. This vulnerability is similar to CVE-2022-31113, but affected parameters reported differently from the Canarytoken trigger request. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. Canarytokens Docker images sha-fb61290 and later contain a patch for this issue.
15 CVE-2023-22468 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed), are vulnerable to cross-site Scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse.
16 CVE-2023-22464 79 XSS 2023-01-04 2023-01-11
0.0
None ??? ??? ??? ??? ??? ???
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)
17 CVE-2023-22461 79 XSS 2023-01-04 2023-01-10
0.0
None ??? ??? ??? ??? ??? ???
The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds
18 CVE-2023-22456 79 XSS 2023-01-03 2023-01-11
0.0
None ??? ??? ??? ??? ??? ???
ViewVC, a browser interface for CVS and Subversion version control repositories, as a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.)
19 CVE-2023-22455 79 XSS 2023-01-05 2023-01-11
0.0
None ??? ??? ??? ??? ??? ???
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, tag descriptions, which can be updated by moderators, can be used for cross-site scripting attacks. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. Versions 2.8.14 and 3.0.0.beta16 contain a patch.
20 CVE-2023-22454 79 XSS 2023-01-05 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the "require moderator approval of all new topics" setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse’s default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16.
21 CVE-2023-22373 79 XSS +Info 2023-01-20 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain the sensitive information.
22 CVE-2023-22296 79 XSS 2023-01-17 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Reflected cross-site scripting vulnerability in MAHO-PBX NetDevancer series MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00 allows a remote unauthenticated attacker to inject an arbitrary script.
23 CVE-2023-0519 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
24 CVE-2023-0513 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability has been found in isoftforce Dreamer CMS up to 4.0.1 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3 is able to address this issue. It is recommended to upgrade the affected component. VDB-219334 is the identifier assigned to this vulnerability.
25 CVE-2023-0488 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository pyload/pyload prior to 0.5.0b3.dev42.
26 CVE-2023-0470 79 XSS 2023-01-26 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/modoboa prior to 2.0.4.
27 CVE-2023-0446 79 XSS 2023-01-23 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
The My YouTube Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its settings parameters in versions up to, and including, 3.0.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
28 CVE-2023-0410 79 XSS 2023-01-20 2023-01-26
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qwik prior to 0.1.0-beta5.
29 CVE-2023-0338 79 XSS 2023-01-17 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Reflected in GitHub repository lirantal/daloradius prior to master-branch.
30 CVE-2023-0337 79 XSS 2023-01-17 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Reflected in GitHub repository lirantal/daloradius prior to master-branch.
31 CVE-2023-0327 79 XSS 2023-01-16 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in saemorris TheRadSystem. It has been classified as problematic. Affected is an unknown function of the file users.php. The manipulation of the argument q leads to cross site scripting. It is possible to launch the attack remotely. VDB-218454 is the identifier assigned to this vulnerability.
32 CVE-2023-0323 79 XSS 2023-01-16 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.14.
33 CVE-2023-0314 79 XSS 2023-01-15 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
34 CVE-2023-0313 79 XSS 2023-01-15 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
35 CVE-2023-0312 79 XSS 2023-01-15 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
36 CVE-2023-0310 79 XSS 2023-01-15 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
37 CVE-2023-0309 79 XSS 2023-01-15 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
38 CVE-2023-0308 79 XSS 2023-01-15 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
39 CVE-2023-0306 79 XSS 2023-01-15 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.
40 CVE-2023-0301 79 XSS 2023-01-14 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository alfio-event/alf.io prior to Alf.io 2.0-M4-2301.
41 CVE-2023-0300 79 XSS 2023-01-14 2023-01-24
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Reflected in GitHub repository alfio-event/alf.io prior to 2.0-M4-2301.
42 CVE-2023-0295 79 XSS 2023-01-13 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
The Launchpad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its settings parameters in versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
43 CVE-2023-0289 79 XSS 2023-01-13 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository craigk5n/webcalendar prior to master.
44 CVE-2023-0287 79 XSS 2023-01-13 2023-01-23
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in ityouknow favorites-web. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Comment Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-218294 is the identifier assigned to this vulnerability.
45 CVE-2023-0258 79 XSS 2023-01-12 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Category List Handler. The manipulation of the argument Reason with the input "><script>prompt(1)</script> leads to cross site scripting. The attack may be launched remotely. VDB-218186 is the identifier assigned to this vulnerability.
46 CVE-2023-0246 79 XSS 2023-01-12 2023-01-20
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability, which was classified as problematic, was found in earclink ESPCMS P8.21120101. Affected is an unknown function of the component Content Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-218154 is the identifier assigned to this vulnerability.
47 CVE-2023-0214 79 XSS 2023-01-18 2023-01-25
0.0
None ??? ??? ??? ??? ??? ???
A cross-site scripting vulnerability in Skyhigh SWG in main releases 11.x prior to 11.2.6, 10.x prior to 10.2.17, and controlled release 12.x prior to 12.0.1 allows a remote attacker to craft SWG-specific internal requests with URL paths to any third-party website, causing arbitrary content to be injected into the response when accessed through SWG.
48 CVE-2023-0162 79 XSS 2023-01-10 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
The CPO Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of its content type settings parameters in versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
49 CVE-2023-0125 79 XSS 2023-01-09 2023-01-13
0.0
None ??? ??? ??? ??? ??? ???
A vulnerability was found in Control iD Panel. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Web Interface. The manipulation of the argument Nome leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-217717 was assigned to this vulnerability.
50 CVE-2023-0112 79 XSS 2023-01-07 2023-01-12
0.0
None ??? ??? ??? ??? ??? ???
Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.10.0.
Total number of vulnerabilities : 20918   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.