All 50 entries below are CWE-79 (cross-site scripting). For every entry the # of Exploits column is blank and the CVSS columns (Score, Gained Access Level, Access, Complexity, Authentication, Conf., Integ., Avail.) read 0.0 / None / ???, meaning no score had been assigned; those constant columns are folded into this note and the table keeps the fields that vary.

| # | CVE ID | CWE ID | Vulnerability Type(s) | Publish Date | Update Date | Description |
|---|--------|--------|-----------------------|--------------|-------------|-------------|
| 1 | CVE-2023-23687 | 79 | XSS | 2023-01-23 | 2023-01-24 | Authenticated stored cross-site scripting (XSS) vulnerability in Youtube shortcode versions <= 1.8.5. |
| 2 | CVE-2023-23637 | 79 | XSS | 2023-01-17 | 2023-01-25 | IMPatienT before 1.5.2 allows stored XSS via onmouseover in certain text fields within a PATCH /modify_onto request to the ontology builder. This may allow attackers to steal Protected Health Information. |
| 3 | CVE-2023-23491 | 79 | XSS | 2023-01-20 | 2023-01-26 | The Quick Event Manager WordPress plugin, version < 9.7.5, is affected by a reflected cross-site scripting vulnerability in the 'category' parameter of its 'qem_ajax_calendar' action. |
| 4 | CVE-2023-23024 | 79 | XSS | 2023-01-20 | 2023-01-26 | Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/book. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the writer parameter. |
| 5 | CVE-2023-23015 | 79 | XSS | 2023-01-20 | 2023-01-26 | Cross-site scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in the file User_model.php. |
| 6 | CVE-2023-22911 | 79 | XSS | 2023-01-10 | 2023-01-13 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. E-Widgets does widget replacement in HTML attributes, which can lead to XSS, because widget authors often do not expect that their widget is executed in an HTML attribute context. |
| 7 | CVE-2023-22910 | 79 | XSS | 2023-01-20 | 2023-01-26 | An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision-* fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs capability. |
| 8 | CVE-2023-22725 | 79 | XSS | 2023-01-26 | 2023-01-26 | GLPI is a free asset and IT management software package. Versions 0.6.0 and above, prior to 10.0.6, are vulnerable to cross-site scripting. This vulnerability allows an administrator to create a malicious external link. This issue is patched in 10.0.6. |
| 9 | CVE-2023-22724 | 79 | XSS | 2023-01-26 | 2023-01-26 | GLPI is a free asset and IT management software package. Versions prior to 10.0.6 are subject to cross-site scripting via malicious RSS feeds. An administrator can import a malicious RSS feed that contains cross-site scripting (XSS) payloads inside RSS links. A victim who opens the RSS content and clicks the link executes the JavaScript. This issue is patched in 10.0.6. |
| 10 | CVE-2023-22722 | 79 | XSS | 2023-01-26 | 2023-01-26 | GLPI is a free asset and IT management software package. Versions 9.4.0 and above, prior to 10.0.6, are subject to cross-site scripting. An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. Once exploited, the attacker can perform actions as the victim or exfiltrate session cookies. This issue is patched in version 10.0.6. |
| 11 | CVE-2023-22721 | 79 | XSS | 2023-01-23 | 2023-01-24 | Authenticated stored cross-site scripting (XSS) in Oi Yandex.Maps for WordPress versions <= 3.2.7. |
| 12 | CVE-2023-22594 | 79 | XSS | 2023-01-18 | 2023-01-18 | IBM Robotic Process Automation for Cloud Pak 20.12.0 through 21.0.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 244075. |
| 13 | CVE-2023-22491 | 79 | XSS | 2023-01-13 | 2023-01-23 | Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability, untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. A patch has been introduced in `gatsby-transformer-remark@5.25.1` and `gatsby-transformer-remark@6.3.2` which mitigates the issue by disabling the `gray-matter` JavaScript front matter engine. As a workaround, if an older version of `gatsby-transformer-remark` must be used, input passed into the plugin should be sanitized ahead of processing. Projects are encouraged to upgrade to the latest major release branch for all Gatsby plugins to ensure the latest security updates and bug fixes are received in a timely manner. |
| 14 | CVE-2023-22475 | 79 | XSS | 2023-01-06 | 2023-01-12 | Canarytokens is an open source tool which helps track activity and actions on your network. A cross-site scripting vulnerability was identified in the history page of triggered Canarytokens prior to sha-fb61290. An attacker who discovers an HTTP-based Canarytoken (a URL) can use this to execute JavaScript in the Canarytoken's trigger history page (domain: canarytokens.org) when the history page is later visited by the Canarytoken's creator. This vulnerability could be used to disable or delete the affected Canarytoken, or view its activation history. It might also be used as a stepping stone towards revealing more information about the Canarytoken's creator to the attacker. For example, an attacker could recover the email address tied to the Canarytoken, or place JavaScript on the history page that redirects the creator towards an attacker-controlled Canarytoken to show the creator's network location. This vulnerability is similar to CVE-2022-31113, but the affected parameters are reported differently from the Canarytoken trigger request. An attacker could only act on the discovered Canarytoken. This issue did not expose other Canarytokens or other Canarytoken creators. Canarytokens Docker images sha-fb61290 and later contain a patch for this issue. |
| 15 | CVE-2023-22468 | 79 | XSS | 2023-01-26 | 2023-01-26 | Discourse is an open source platform for community discussion. Versions prior to 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0.beta16 (tests-passed) are vulnerable to cross-site scripting. A maliciously crafted URL can be included in a post to carry out cross-site scripting attacks on sites with a disabled or overly permissive CSP (Content Security Policy). Discourse's default CSP prevents this vulnerability. This vulnerability is patched in versions 2.8.13 (stable), 3.0.0.beta16 (beta) and 3.0.0.beta16 (tests-passed). As a workaround, enable and/or restore your site's CSP to the default one provided with Discourse. |
| 16 | CVE-2023-22464 | 79 | XSS | 2023-01-04 | 2023-01-11 | ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.) |
| 17 | CVE-2023-22461 | 79 | XSS | 2023-01-04 | 2023-01-10 | The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list pattern to sanitize SVGs to prevent XSS. In doing so, only literal `<script>` tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects the resulting SVGs to be safe may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds. |
| 18 | CVE-2023-22456 | 79 | XSS | 2023-01-03 | 2023-01-11 | ViewVC, a browser interface for CVS and Subversion version control repositories, has a cross-site scripting vulnerability that affects versions prior to 1.2.2 and 1.1.29. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.2 (if they are using a 1.2.x version of ViewVC) or 1.1.29 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement a workaround. Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.path]` will become `[format "html"][changes.path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else changed path names will be doubly escaped.) |
| 19 | CVE-2023-22455 | 79 | XSS | 2023-01-05 | 2023-01-11 | Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, tag descriptions, which can be updated by moderators, can be used for cross-site scripting attacks. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse's default Content Security Policy. Versions 2.8.14 and 3.0.0.beta16 contain a patch. |
| 20 | CVE-2023-22454 | 79 | XSS | 2023-01-05 | 2023-01-13 | Discourse is an open source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, pending post titles can be used for cross-site scripting attacks. Pending posts can be created by unprivileged users when a category has the "require moderator approval of all new topics" setting set. This vulnerability can lead to a full XSS on sites which have modified or disabled Discourse's default Content Security Policy. A patch is available in versions 2.8.14 and 3.0.0.beta16. |
| 21 | CVE-2023-22373 | 79 | XSS +Info | 2023-01-20 | 2023-01-26 | Cross-site scripting vulnerability in CONPROSYS HMI System (CHS) Ver.3.4.5 and earlier allows a remote authenticated attacker to inject an arbitrary script and obtain sensitive information. |
| 22 | CVE-2023-22296 | 79 | XSS | 2023-01-17 | 2023-01-24 | Reflected cross-site scripting vulnerability in the MAHO-PBX NetDevancer series (MAHO-PBX NetDevancer Lite/Uni/Pro/Cloud prior to Ver.1.11.00, MAHO-PBX NetDevancer VSG Lite/Uni prior to Ver.1.11.00, and MAHO-PBX NetDevancer MobileGate Home/Office prior to Ver.1.11.00) allows a remote unauthenticated attacker to inject an arbitrary script. |
| 23 | CVE-2023-0519 | 79 | XSS | 2023-01-26 | 2023-01-26 | Cross-site scripting (XSS), stored, in GitHub repository modoboa/modoboa prior to 2.0.4. |
| 24 | CVE-2023-0513 | 79 | XSS | 2023-01-26 | 2023-01-26 | A vulnerability has been found in isoftforce Dreamer CMS up to 4.0.1 and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.3 addresses this issue. It is recommended to upgrade the affected component. VDB-219334 is the identifier assigned to this vulnerability. |
| 25 | CVE-2023-0488 | 79 | XSS | 2023-01-26 | 2023-01-26 | Cross-site scripting (XSS), stored, in GitHub repository pyload/pyload prior to 0.5.0b3.dev42. |
| 26 | CVE-2023-0470 | 79 | XSS | 2023-01-26 | 2023-01-26 | Cross-site scripting (XSS), stored, in GitHub repository modoboa/modoboa prior to 2.0.4. |
| 27 | CVE-2023-0446 | 79 | XSS | 2023-01-23 | 2023-01-23 | The My YouTube Channel plugin for WordPress is vulnerable to stored cross-site scripting via its settings parameters in versions up to, and including, 3.0.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| 28 | CVE-2023-0410 | 79 | XSS | 2023-01-20 | 2023-01-26 | Cross-site scripting (XSS), generic, in GitHub repository builderio/qwik prior to 0.1.0-beta5. |
| 29 | CVE-2023-0338 | 79 | XSS | 2023-01-17 | 2023-01-23 | Cross-site scripting (XSS), reflected, in GitHub repository lirantal/daloradius prior to master-branch. |
| 30 | CVE-2023-0337 | 79 | XSS | 2023-01-17 | 2023-01-23 | Cross-site scripting (XSS), reflected, in GitHub repository lirantal/daloradius prior to master-branch. |
| 31 | CVE-2023-0327 | 79 | XSS | 2023-01-16 | 2023-01-24 | A vulnerability was found in saemorris TheRadSystem. It has been classified as problematic. Affected is an unknown function of the file users.php. The manipulation of the argument q leads to cross-site scripting. It is possible to launch the attack remotely. VDB-218454 is the identifier assigned to this vulnerability. |
| 32 | CVE-2023-0323 | 79 | XSS | 2023-01-16 | 2023-01-24 | Cross-site scripting (XSS), stored, in GitHub repository pimcore/pimcore prior to 10.5.14. |
| 33 | CVE-2023-0314 | 79 | XSS | 2023-01-15 | 2023-01-24 | Cross-site scripting (XSS), reflected, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 34 | CVE-2023-0313 | 79 | XSS | 2023-01-15 | 2023-01-24 | Cross-site scripting (XSS), stored, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 35 | CVE-2023-0312 | 79 | XSS | 2023-01-15 | 2023-01-24 | Cross-site scripting (XSS), stored, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 36 | CVE-2023-0310 | 79 | XSS | 2023-01-15 | 2023-01-23 | Cross-site scripting (XSS), stored, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 37 | CVE-2023-0309 | 79 | XSS | 2023-01-15 | 2023-01-23 | Cross-site scripting (XSS), stored, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 38 | CVE-2023-0308 | 79 | XSS | 2023-01-15 | 2023-01-23 | Cross-site scripting (XSS), stored, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 39 | CVE-2023-0306 | 79 | XSS | 2023-01-15 | 2023-01-23 | Cross-site scripting (XSS), stored, in GitHub repository thorsten/phpmyfaq prior to 3.1.10. |
| 40 | CVE-2023-0301 | 79 | XSS | 2023-01-14 | 2023-01-24 | Cross-site scripting (XSS), stored, in GitHub repository alfio-event/alf.io prior to Alf.io 2.0-M4-2301. |
| 41 | CVE-2023-0300 | 79 | XSS | 2023-01-14 | 2023-01-24 | Cross-site scripting (XSS), reflected, in GitHub repository alfio-event/alf.io prior to 2.0-M4-2301. |
| 42 | CVE-2023-0295 | 79 | XSS | 2023-01-13 | 2023-01-23 | The Launchpad plugin for WordPress is vulnerable to stored cross-site scripting via several of its settings parameters in versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| 43 | CVE-2023-0289 | 79 | XSS | 2023-01-13 | 2023-01-20 | Cross-site scripting (XSS), stored, in GitHub repository craigk5n/webcalendar prior to master. |
| 44 | CVE-2023-0287 | 79 | XSS | 2023-01-13 | 2023-01-23 | A vulnerability was found in ityouknow favorites-web. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Comment Handler. The manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-218294 is the identifier assigned to this vulnerability. |
| 45 | CVE-2023-0258 | 79 | XSS | 2023-01-12 | 2023-01-20 | A vulnerability was found in SourceCodester Online Food Ordering System 2.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Category List Handler. The manipulation of the argument Reason with the input `"><script>prompt(1)</script>` leads to cross-site scripting. The attack may be launched remotely. VDB-218186 is the identifier assigned to this vulnerability. |
| 46 | CVE-2023-0246 | 79 | XSS | 2023-01-12 | 2023-01-20 | A vulnerability, which was classified as problematic, was found in earclink ESPCMS P8.21120101. Affected is an unknown function of the component Content Handler. The manipulation leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-218154 is the identifier assigned to this vulnerability. |
| 47 | CVE-2023-0214 | 79 | XSS | 2023-01-18 | 2023-01-25 | A cross-site scripting vulnerability in Skyhigh SWG in main releases 11.x prior to 11.2.6, 10.x prior to 10.2.17, and controlled release 12.x prior to 12.0.1 allows a remote attacker to craft SWG-specific internal requests with URL paths to any third-party website, causing arbitrary content to be injected into the response when accessed through SWG. |
| 48 | CVE-2023-0162 | 79 | XSS | 2023-01-10 | 2023-01-13 | The CPO Companion plugin for WordPress is vulnerable to stored cross-site scripting via several of its content type settings parameters in versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| 49 | CVE-2023-0125 | 79 | XSS | 2023-01-09 | 2023-01-13 | A vulnerability was found in Control iD Panel. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Web Interface. The manipulation of the argument Nome leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-217717 was assigned to this vulnerability. |
| 50 | CVE-2023-0112 | 79 | XSS | 2023-01-07 | 2023-01-12 | Cross-site scripting (XSS), stored, in GitHub repository usememos/memos prior to 0.10.0. |
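Several entries above share one root cause: a value escaped for one HTML context is emitted into another. The E-Widgets entry (widget output reused inside an HTML attribute) and the IMPatienT entry (an onmouseover handler stored through a plain text field) are the clearest cases. The JavaScript below is an added example written for this page, not code from MediaWiki, IMPatienT or any other project in the table; the two widget functions, the payload and the `hasEventHandlerAttribute` check are constructed for illustration.

```javascript
// Added example for this page (not code from any project listed above):
// one user-controlled value rendered in two HTML contexts, showing why an
// encoder that is correct for text content is not enough for attributes.

const TEXT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Text-node context: encoding the five HTML metacharacters is sufficient.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => TEXT_ESCAPES[c]);
}

// Attribute context: encode every code point outside [A-Za-z0-9] as a numeric
// entity. Whitespace and '=' become inert, so the value cannot start a second
// attribute even when the template author forgot the quotes.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// A widget written with text-context escaping whose output a template later
// drops into an unquoted attribute (the E-Widgets failure mode): spaces and
// '=' survive, so the payload becomes a second, attacker-chosen attribute.
function unquotedTitleWidget(label) {
  return `<span title=${escapeHtmlText(label)}>info</span>`;
}

// The same widget done properly: quoted attribute plus attribute encoding.
function quotedTitleWidget(label) {
  return `<span title="${escapeHtmlAttr(label)}">info</span>`;
}

// Crude check used by the demo: is there an on*= attribute in the markup,
// i.e. an "on..." token preceded by whitespace and followed by '='? Inside an
// entity-encoded value neither the space nor the '=' survives, so it does not
// match there. A real test would parse the markup with a DOM.
function hasEventHandlerAttribute(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Constructed payload of the kind the stored-XSS entries describe: it uses
// none of < > " ' so text escaping leaves it byte-for-byte unchanged.
const PAYLOAD = 'x onmouseover=alert(document.cookie)';

function demo(payload = PAYLOAD) {
  return {
    unquoted: unquotedTitleWidget(payload), // injectable
    quoted: quotedTitleWidget(payload),     // inert
  };
}
```

The lesson generalises beyond the two entries: pick the encoder by the sink (text node, quoted attribute, URL, JavaScript string), never by the source, and treat event-handler attributes as a sink that must not receive untrusted data at all; bind handlers with `addEventListener` and pass data through a `data-*` attribute instead.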
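The sanitize-svg entry is the deny-list failure mode in miniature: stripping literal `<script>` elements and `on*` attributes leaves every other SVG script vector untouched. The comparison below is an added example, not sanitize-svg's code; the sample SVG is constructed, and the allow-list sanitizer is a deliberately small regex tokenizer that shows the principle but is not a substitute for a DOM-based sanitizer such as DOMPurify (it does not handle comments, CDATA or `>` inside attribute values).

```javascript
// Added example for this page (not code from sanitize-svg or any other project).
// Deny-list versus allow-list sanitisation of an untrusted SVG document.

// Deny-list approach, the pattern the advisory describes for sanitize-svg
// before 0.4.0: remove literal <script> elements and on* attributes, keep
// everything else.
function denyListSanitize(svg) {
  return svg
    .replace(/<script\b[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Allow-list approach: keep only known-inert elements and attributes.
// Deliberately absent: a, use, image (carry href), foreignObject (embeds
// HTML), set/animate (can write attributes such as href or onmouseover),
// style, script. Unknown tags are dropped; their text content stays as text.
const ALLOWED_ELEMENTS = new Set([
  'svg', 'g', 'defs', 'path', 'rect', 'circle', 'ellipse', 'line',
  'polyline', 'polygon', 'text', 'tspan', 'title', 'desc',
]);
const ALLOWED_ATTRS = new Set([
  'xmlns', 'viewbox', 'width', 'height', 'x', 'y', 'x1', 'y1', 'x2', 'y2',
  'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'fill', 'stroke', 'stroke-width',
  'transform', 'id', 'class', 'font-size', 'text-anchor',
]);

function allowListSanitize(svg) {
  return svg.replace(/<(\/?)([A-Za-z][\w:.-]*)([^>]*)>/g, (whole, slash, name, rawAttrs) => {
    if (!ALLOWED_ELEMENTS.has(name.toLowerCase())) return '';
    if (slash) return `</${name}>`;
    const kept = [];
    const attrRe = /([A-Za-z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
      if (!ALLOWED_ATTRS.has(m[1].toLowerCase())) continue;
      const value = m[2] ?? m[3] ?? m[4] ?? '';
      // Re-quote every kept value so an unquoted or single-quoted original
      // cannot break out of the attribute in the output.
      kept.push(`${m[1]}="${value.replace(/"/g, '&quot;')}"`);
    }
    const selfClose = /\/\s*$/.test(rawAttrs) ? '/' : '';
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose}>`;
  });
}

// Constructed sample: two vectors the deny list catches, three it misses.
const MALICIOUS_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">',
  '  <script>alert(1)</script>',                                                  // caught
  '  <circle cx="5" cy="5" r="4" onclick="alert(2)"/>',                           // caught
  '  <a xlink:href="javascript:alert(3)"><text x="1" y="5">click</text></a>',     // missed: javascript: URL
  '  <set attributeName="onmouseover" to="alert(4)"/>',                           // missed: handler written by SMIL
  '  <foreignObject><iframe src="javascript:alert(5)"></iframe></foreignObject>', // missed: embedded HTML
  '</svg>',
].join('\n');

function compare(svg = MALICIOUS_SVG) {
  return { denyList: denyListSanitize(svg), allowList: allowListSanitize(svg) };
}
```

Note that the allow-list output still contains the string `alert(1)` as a text node once its `<script>` wrapper is gone; that is inert, which is exactly the point of keeping only elements that cannot execute anything.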
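Three Discourse entries above are exploitable only on sites that disabled or loosened the default Content Security Policy, which makes a CSP review worth automating. The audit below is an added example, not Discourse's policy or code; the three policy strings are constructed, and the checks cover the `script-src`, `object-src` and `base-uri` weaknesses that turn an HTML-injection bug into script execution.

```javascript
// Added example for this page (not Discourse's policy or code): parse a
// Content-Security-Policy header and report the settings that let an HTML
// injection escalate to script execution.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers: the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditCsp(header) {
  const csp = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const scriptSrc = csp.get('script-src') ?? csp.get('default-src');
  if (!scriptSrc) {
    findings.push('no script-src or default-src: inline and remote scripts are unrestricted');
  } else {
    // When a nonce or hash is present, browsers ignore 'unsafe-inline' (CSP2+).
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
    for (const src of scriptSrc) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'" && !hasNonceOrHash) {
        findings.push("script-src 'unsafe-inline' without nonce/hash: injected <script> and on* handlers execute");
      } else if (s === "'unsafe-eval'") {
        findings.push("script-src 'unsafe-eval': eval() and new Function() on attacker-influenced strings are allowed");
      } else if (s === '*' || /^(https?|data|blob|filesystem):$/.test(s)) {
        findings.push(`overly broad script-src source ${src}`);
      }
    }
  }

  // object-src also falls back to default-src; anything but 'none' allows
  // plugin content, which can run script, to be embedded.
  const objectSrc = csp.get('object-src') ?? csp.get('default-src');
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src is not 'none'");
  }
  // base-uri has no fallback; without it an injected <base> tag can redirect
  // relative script URLs to an attacker-controlled host.
  if (!csp.has('base-uri')) {
    findings.push('base-uri missing');
  }
  return findings;
}

// Constructed policies: a loosened one, a disabled one and a strict one.
const LOOSENED_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; object-src 'none'";
const DISABLED_CSP = '';
const STRICT_CSP = "default-src 'none'; script-src 'self' 'nonce-r4nd0mV4lu3' 'strict-dynamic'; " +
  "style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
```

The audit is a defence-in-depth check, not a fix: the Discourse advisories are patched in the application, and a strict CSP only limits what an unpatched injection can do.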
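The gatsby-transformer-remark entry differs from the rest of the table in where the payload runs: the injected JavaScript executes on the build server, because gray-matter in its default configuration evaluates front matter whose opening delimiter selects the `js` or `javascript` engine (`---js`). The pre-filter below is an added example, not Gatsby's or gray-matter's code; it implements the advisory's workaround of sanitizing input before the plugin sees it by refusing documents that request an executable engine. The sample documents are constructed.

```javascript
// Added example for this page (not code from Gatsby, gatsby-transformer-remark
// or gray-matter). Engines that evaluate code when selected through the
// front-matter delimiter ("---js" / "---javascript", the forms gray-matter
// documents) are treated as executable; everything else is data only.
const EXECUTABLE_ENGINES = new Set(['js', 'javascript']);

// Language tag selected by the opening delimiter: "---" alone means yaml,
// "---js" means the js engine. Returns null when the file has no front matter.
function frontMatterLanguage(src) {
  const m = /^---([^\r\n]*)\r?\n/.exec(src);
  if (!m) return null;
  const tag = m[1].trim().toLowerCase();
  return tag === '' ? 'yaml' : tag;
}

// Pre-filter for untrusted markdown: returns the document unchanged when its
// front matter is data only, throws when it asks for an executable engine.
function assertDataOnlyFrontMatter(src) {
  const lang = frontMatterLanguage(src);
  if (lang !== null && EXECUTABLE_ENGINES.has(lang)) {
    throw new Error(`front matter requests executable engine "${lang}"`);
  }
  return src;
}

// Splits a batch of documents into those a remark pipeline may process and
// those to quarantine, recording the reason for each rejection.
function triage(documents) {
  const accepted = [];
  const rejected = [];
  for (const [name, src] of Object.entries(documents)) {
    try {
      assertDataOnlyFrontMatter(src);
      accepted.push(name);
    } catch (err) {
      rejected.push({ name, reason: err.message });
    }
  }
  return { accepted, rejected };
}

// Constructed inputs: two ordinary documents and one contribution whose
// front matter would read a build-time secret into page data if evaluated.
const DOCUMENTS = {
  'post.md': '---\ntitle: Release notes\n---\n# Notes\n',
  'plain.md': '# No front matter here\n',
  'contrib.md': '---js\n{ title: process.env.BUILD_TOKEN }\n---\n# Looks harmless\n',
};
```

With gray-matter itself, the corresponding hardening is to override the `js` and `javascript` entries of its documented `engines` option so that they throw instead of evaluating; the advisory describes the patched plugin versions as disabling that engine. The pre-filter is for the case the advisory names as a workaround, an older plugin version that cannot be upgraded yet.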