Filtered by CWE-79
Filtered by vendor Subscriptions
Total 31608 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-7092 2024-08-13 6.4 Medium
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘no_more_items_text’ parameter in all versions up to, and including, 5.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-7247 2024-08-13 6.4 Medium
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Gallery and Countdown widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-41910 1 Hp 2 Poly Clariti Manager, Poly Clariti Manager Firmware 2024-08-13 6.1 Medium
A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware contained multiple XSS vulnerabilities in the version of JavaScript used.
CVE-2024-40482 1 Kashipara 1 Live Membership System 2024-08-13 9.8 Critical
An Unrestricted file upload vulnerability was found in "/Membership/edit_member.php" of Kashipara Live Membership System v1.0, which allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2024-41677 2 Qwik, Qwikdev 2 Qwik, Qwik 2024-08-12 6.3 Medium
Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-28739 1 Koha 1 Koha 2024-08-12 9.6 Critical
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.
CVE-2024-7285 2 Oretnom23, Sourcecodester 2 Establishment Billing Management System, Establishment Billing Management System 2024-08-12 3.5 Low
A vulnerability has been found in SourceCodester Establishment Billing Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/ajax.php?action=save_settings. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273154 is the identifier assigned to this vulnerability.
CVE-2024-7321 2 Adonesevangelista, Itsourcecode 2 Online Blood Bank Management System, Online Blood Bank Management System 2024-08-12 4.3 Medium
A vulnerability classified as problematic was found in itsourcecode Online Blood Bank Management System 1.0. This vulnerability affects unknown code of the file signup.php of the component User Registration Handler. The manipulation of the argument user leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273232.
CVE-2024-7303 2 Adonesevangelista, Itsourcecode 2 Online Blood Bank Management System, Online Blood Bank Management System 2024-08-12 3.5 Low
A vulnerability was found in itsourcecode Online Blood Bank Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /request.php of the component Send Blood Request Page. The manipulation of the argument Address/bloodgroup leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273185 was assigned to this vulnerability.
CVE-2023-40819 2 Devlop.systems, Id4software 2 Id4portais, Id4portais 2024-08-12 6.1 Medium
ID4Portais in version < V.2022.837.002a returns message parameter unsanitized in the response, resulting in a HTML Injection vulnerability.
CVE-2024-6639 1 Axtonyao 1 Mdx 2024-08-12 6.4 Medium
The MDx theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdx_list_item' shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-6692 2024-08-12 3.3 Low
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-41476 1 Amttgroup 1 Hotel Broadband Operation System 2024-08-12 9.8 Critical
AMTT Hotel Broadband Operation System (HiBOS) V3.0.3.151204 and before is vulnerable to SQL Injection via /manager/card/card_detail.php.
CVE-2024-6691 2024-08-12 4.4 Medium
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-7649 2024-08-12 6.1 Medium
The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-4360 2024-08-12 6.4 Medium
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-7359 2 Oretnom23, Sourcecodester 2 Tracking Monitoring Management System, Tracking Monitoring Management System 2024-08-09 3.5 Low
A vulnerability was found in SourceCodester Tracking Monitoring Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_establishment. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-273338 is the identifier assigned to this vulnerability.
CVE-2024-41239 2 Kashipara, Lopalopa 2 Responsive School Management System, Responsive School Management System 2024-08-08 5.9 Medium
A Stored Cross Site Scripting (XSS) vulnerability was found in "/smsa/add_class_submit.php" in Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via "class_name" parameter field.
CVE-2024-41242 2 Kashipara, Lopalopa 2 Responsive School Management System, Responsive School Management System 2024-08-08 5.5 Medium
A Reflected Cross Site Scripting (XSS) vulnerability was found in /smsa/student_login.php in Kashipara Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via "error" parameter.
CVE-2024-41333 1 Phpgurukul 1 Tourism Management System 2024-08-08 6.1 Medium
A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter.