MDaemon SecurityGateway through 9.0.3 allows XSS via a crafted Message Content Filtering rule. This might allow domain administrators to conduct attacks against global administrators.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-12-31
Updated
2024-01-05
IDURAR (aka idurar-erp-crm) through 2.0.1 allows stored XSS via a PATCH request with a crafted JSON email template in the /api/email/update data.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-30
Updated
2024-01-11
The beesblog (aka Bees Blog) component before 1.6.2 for thirty bees allows Reflected XSS because controllers/front/post.php sharing_url is mishandled.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-12-30
Updated
2024-01-05
LogoBee 0.2 allows updates.php?id= XSS.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-12-30
Updated
2024-01-05
The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled. This affects 4.4.2 through 4.14.8 before 4.14.9, 5.0.0 through 5.11.4 before 5.11.5, and 6.0.0 through 6.19.0 before 6.20.0. The full product names are Kantega SAML SSO OIDC Kerberos Single Sign-on for Jira Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Confluence Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bitbucket Data Center & Server (Kantega SSO Enterprise), Kantega SAML SSO OIDC Kerberos Single Sign-on for Bamboo Data Center & Server (Kantega SSO Enterprise), and Kantega SAML SSO OIDC Kerberos Single Sign-on for FeCru Server (Kantega SSO Enterprise). (Here, FeCru refers to the Atlassian Fisheye and Crucible products running together.)
Max CVSS
6.1
EPSS Score
0.06%
Published
2023-12-29
Updated
2024-01-08
Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-28
Updated
2024-01-05
Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-12-28
Updated
2024-01-05
An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-12-22
Updated
2023-12-29
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Urošević Stock Ticker allows Stored XSS.This issue affects Stock Ticker: from n/a through 3.23.4.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-02-29
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Undsgn Uncode - Creative & WooCommerce WordPress Theme allows Reflected XSS.This issue affects Uncode - Creative & WooCommerce WordPress Theme: from n/a through 2.8.6.
Max CVSS
7.1
EPSS Score
0.05%
Published
2023-12-28
Updated
2024-01-04
Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-20
Updated
2023-12-26
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-20
Updated
2023-12-26
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-20
Updated
2023-12-27
Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-20
Updated
2023-12-27
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-20
Updated
2023-12-28
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
Max CVSS
5.4
EPSS Score
0.05%
Published
2023-12-20
Updated
2023-12-28
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS.This issue affects Back Button Widget: from n/a through 1.6.3.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force WP Remote Site Search allows Stored XSS.This issue affects WP Remote Site Search: from n/a through 1.0.4.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy – Page Builder allows Stored XSS.This issue affects Brizy – Page Builder: from n/a through 2.4.29.
Max CVSS
6.5
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZeroBounce ZeroBounce Email Verification & Validation allows Stored XSS.This issue affects ZeroBounce Email Verification & Validation: from n/a through 1.0.11.
Max CVSS
5.9
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS.This issue affects Google Photos Gallery with Shortcodes: from n/a through 4.0.2.
Max CVSS
7.1
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HashBar – WordPress Notification Bar allows Stored XSS.This issue affects HashBar – WordPress Notification Bar: from n/a through 1.4.1.
Max CVSS
5.9
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bit Assist Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button with floating Chat Widget allows Stored XSS.This issue affects Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button with floating Chat Widget: from n/a through 1.1.9.
Max CVSS
5.9
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ginger Plugins Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button allows Stored XSS.This issue affects Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button: from n/a through 1.1.8.
Max CVSS
5.9
EPSS Score
0.05%
Published
2023-12-29
Updated
2024-01-05
Englesystem is a shift planning system for chaos events. Engelsystem prior to v3.4.1 performed insufficient validation of user supplied data for the DECT number, mobile number, and work-log comment fields. The values of those fields would be displayed in corresponding log overviews, allowing the injection and execution of Javascript code in another user's context. This vulnerability enables an authenticated user to inject Javascript into other user's sessions. The injected JS will be executed during normal usage of the system when viewing, e.g., overview pages. This issue has been fixed in version 3.4.1.
Max CVSS
7.3
EPSS Score
0.05%
Published
2023-12-22
Updated
2024-01-05
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!