1052 matches found

CVE
added 2024/10/24 12:0 a.m. · 44 views

CVE-2024-45262

GL-iNet devices affected (MT6000, MT3000, MT2500, AXT1800, AX1800) on version 4.6.2 have a vulnerability in the /rpc call where the params parameter allows arbitrary directory traversal, enabling script execution under arbitrary paths. Affected components: the /rpc endpoint’s params parameter. Im...

CVSS 8.8 · AI score 7.3 · EPSS 0.00132
Exploits: 1 · References: 1 · Affected Software: 1

NVD
added 2024/10/21 9:15 p.m. · 11 views

CVE-2024-30160

A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow ...

CVSS 4.8 · EPSS 0.00552
Exploits: 0 · References: 1

NVD
added 2024/10/21 9:15 p.m. · 8 views

CVE-2024-35314

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user...

CVSS 9.8 · EPSS 0.03836
Exploits: 0 · References: 2

NVD
added 2024/10/21 9:15 p.m. · 14 views

CVE-2024-30159

A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker...

CVSS 4.8 · EPSS 0.00552
Exploits: 0 · References: 1

Cvelist
added 2024/10/21 12:0 a.m. · 13 views

CVE-2024-35314

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user...

EPSS 0.03836
Exploits: 0 · References: 2

Vulnrichment
added 2024/10/21 12:0 a.m. · 9 views

CVE-2024-30160

A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow ...

AI score 5.8 · EPSS 0.00552
Exploits: 0 · References: 1

Vulnrichment
added 2024/10/21 12:0 a.m. · 7 views

CVE-2024-35314

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user...

AI score 9.9 · EPSS 0.03836
Exploits: 0 · References: 2

Positive Technologies
added 2024/10/17 12:0 a.m. · 4 views

PT-2024-39918 · WordPress · Add Widget After Content

Name of the Vulnerable Software and Affected Versions: Add Widget After Content plugin for WordPress versions up to, and including, 2.4.6. Description: The issue is related to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This allows...

CVSS 4.8 · AI score 6.1 · EPSS 0.00333
Exploits: 0 · References: 8

Hacker One
added 2024/10/12 5:41 a.m. · 33 views

U.S. Dept Of Defense: [ CVE-2018-1000129 ] RXSS At `https://███████` via the URI

The CVE-2018-1000129 vulnerability allowed remote cross-site scripting (RXSS) at the specified URL. The vulnerability was due to improper sanitization of user input, which enabled the execution of arbitrary scripts in the victim's browser...

CVSS 6.1 · AI score 6.3 · EPSS 0.76775
Exploits: 1

NVD
added 2024/10/11 1:15 p.m. · 8 views

CVE-2024-9232

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to...

CVSS 6.1 · EPSS 0.01684
Exploits: 0 · References: 3

OSV
added 2024/10/04 1:15 p.m. · 2 views

CVE-2024-8499

The Checkout Field Editor Checkout Manager for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘renderreviewrequestnotice’ function in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possib...

CVSS 6.1 · AI score 5.9 · EPSS 0.01995
Exploits: 0 · References: 3

Snyk
added 2024/09/24 9:40 p.m. · 4 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the calendar event addition feature. An attacker can inject and execute arbitrary scripts by embedding malicious content into the calendar event name, which is not properly sanitized on output. Details...

CVSS 5.4 · AI score 5.5 · EPSS 0.00191
Exploits: 0 · References: 2

NVD
added 2024/09/23 6:15 a.m. · 10 views

CVE-2024-7846

YITH WooCommerce Ajax Search is vulnerable to an XSS vulnerability due to insufficient sanitization of user-supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts...

CVSS 5.4 · EPSS 0.00219
Exploits: 1 · References: 1

OSV
added 2024/09/18 6:15 a.m. · 1 views

CVE-2024-45366

Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser...

CVSS 6.1 · AI score 5.8 · EPSS 0.00257
Exploits: 0 · References: 2

NVD
added 2024/09/17 9:15 p.m. · 18 views

CVE-2024-8907

Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium)...

CVSS 6.1 · EPSS 0.00069
Exploits: 0 · References: 2

Vulnrichment
added 2024/09/17 9:7 p.m. · 15 views

CVE-2024-8907

Insufficient data validation in Omnibox in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to inject arbitrary scripts or HTML (XSS) via a crafted set of UI gestures. (Chromium security severity: Medium)...

AI score 5.8 · EPSS 0.00069
Exploits: 0 · References: 2

Cvelist
added 2024/09/14 5:40 a.m. · 15 views

CVE-2024-8797 WP Booking System – Booking Calendar <= 2.0.19.8 - Reflected Cross-Site Scripting

The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers...

CVSS 6.1 · EPSS 0.01739
Exploits: 0 · References: 3

Veracode
added 2024/09/09 4:44 a.m. · 6 views

Cross Site Scripting (XSS)

github.com/gouniverse/cms is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to improper handling of the argument alias in the PageRenderHtmlByAlias function of FrontendHandler.go. It allows an attacker to execute arbitrary scripts in the context of a user's browser...

CVSS 6.1 · AI score 7.2 · EPSS 0.00261
Exploits: 0 · References: 8 · Affected Software: 1

OSV
added 2024/09/06 2:15 p.m. · 2 views

CVE-2024-7611

The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute of the Events Card widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user-supplied...

CVSS 5.4 · AI score 5.9
Exploits: 0 · References: 2

OSV
added 2024/08/29 6:15 p.m. · 1 views

CVE-2024-44717

A cross-site scripting (XSS) vulnerability in DedeBIZ v6.3.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVSS 6.1 · AI score 5.9
Exploits: 0 · References: 2