CVE Database

Search and browse vulnerability records from NVD

Showing 50 of 34812 CVEs

CVE ID Severity Description EPSS Published
5.9 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in udidol Add Chat App Button add-whatsapp-button allows Stored XSS. This issue affects Add Chat App Button: from n/a through <= 2.1.5.

0.1% 2024-12-02
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webcodingplace Ultimate Classified Listings ultimate-classified-listings allows Stored XSS. This issue affects Ultimate Classified Listings: from n/a through <= 1.7.

0.1% 2024-12-02
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SolverWp Elementor Portfolio Builder portfolio-builder-elementor allows DOM-Based XSS. This issue affects Elementor Portfolio Builder: from n/a through <= 1.0.0.

0.1% 2024-12-02
4.3 MEDIUM

Cross-Site Request Forgery (CSRF) vulnerability in Astoundify Jobify jobify allows Cross Site Request Forgery. This issue affects Jobify: from n/a through < 4.3.0.

0.1% 2024-12-02
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Stored XSS. This issue affects Jobify: from n/a through < 4.3.0.

0.1% 2024-12-02
5.9 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in James Hunt What Would Seth Godin Do what-would-seth-godin-do allows Stored XSS. This issue affects What Would Seth Godin Do: from n/a through <= 2.1.1.

0.1% 2024-12-02
6.5 MEDIUM

In Bluetooth firmware, there is a possible firmware assert due to improper handling of exceptional conditions. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09001270; Issue ID: MSV-1600.

0.1% 2024-12-02
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Berg Informatik Stripe Donation bin-stripe-donation allows Stored XSS. This issue affects Stripe Donation: from n/a through <= 1.2.5.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Plugin Devs Post Carousel Slider for Elementor post-carousel-slider-for-elementor allows Stored XSS. This issue affects Post Carousel Slider for Elementor: from n/a through <= 1.5.0.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. WP Mermaid wp-mermaid allows Stored XSS. This issue affects WP Mermaid: from n/a through <= 1.0.2.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nutttaro Video Player for WPBakery video-player-for-wpbakery allows Stored XSS. This issue affects Video Player for WPBakery: from n/a through <= 1.0.1.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FlickDevs Elementor Button Plus fd-elementor-button-plus allows Stored XSS. This issue affects Elementor Button Plus: from n/a through <= 1.3.9.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 코스모스팜 – Cosmosfarm 소셜 공유 버튼 By 코스모스팜 cosmosfarm-share-buttons allows Stored XSS. This issue affects 소셜 공유 버튼 By 코스모스팜: from n/a through <= 1.9.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SkyBootstrap Elementor Image Gallery Plugin skyboot-portfolio-gallery allows Stored XSS. This issue affects Elementor Image Gallery Plugin: from n/a through <= 1.0.5.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aezaz Shaikh Countdown Timer for Elementor countdown-timer-for-elementor allows Stored XSS. This issue affects Countdown Timer for Elementor: from n/a through <= 1.3.6.

0.2% 2024-12-01
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeless Cowidgets – Elementor Addons cowidgets-elementor-addons allows Stored XSS. This issue affects Cowidgets – Elementor Addons: from n/a through <= 1.2.0.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jakub Glos Sparkle Elementor Kit sparkle-elementor-kit allows DOM-Based XSS. This issue affects Sparkle Elementor Kit: from n/a through <= 2.0.9.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pracapl Znajdź Pracę z Praca.pl znajdz-prace-z-pracapl allows DOM-Based XSS. This issue affects Znajdź Pracę z Praca.pl: from n/a through <= 2.2.3.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Mail Picker mail-picker allows DOM-Based XSS. This issue affects Mail Picker: from n/a through <= 1.0.15.

0.2% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sergiomico SimpleSchema simpleschema-free allows DOM-Based XSS. This issue affects SimpleSchema: from n/a through <= 1.7.6.9.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pixobe Pixobe Cartography pixobe-cartography allows DOM-Based XSS. This issue affects Pixobe Cartography: from n/a through <= 1.0.1.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devnex Devnex Addons For Elementor devnex-addons-for-elementor allows DOM-Based XSS. This issue affects Devnex Addons For Elementor: from n/a through <= 1.0.9.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoftHopper Softtemplates For Elementor softtemplates-for-elementor allows DOM-Based XSS. This issue affects Softtemplates For Elementor: from n/a through <= 1.0.8.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rejuan Ahamed Best Addons for Elementor best-addons-for-elementor allows Stored XSS. This issue affects Best Addons for Elementor: from n/a through <= 1.0.5.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Capitalize My Title Capitalize My Title capitalize-my-title allows Stored XSS. This issue affects Capitalize My Title: from n/a through <= 0.5.3.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry L. WP MathJax wp-mathjax-plus allows Stored XSS. This issue affects WP MathJax: from n/a through <= 1.0.1.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SocialEvolution WP Find Your Nearest wp-find-your-nearest allows Stored XSS. This issue affects WP Find Your Nearest: from n/a through <= 0.3.1.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aftab Husain Vertical Carousel vertical-carousel-slider allows Stored XSS. This issue affects Vertical Carousel: from n/a through <= 1.0.2.

0.1% 2024-11-30
5.9 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in portfoliohub WordPress Portfolio Builder – Portfolio Gallery uber-grid allows Stored XSS. This issue affects WordPress Portfolio Builder – Portfolio Gallery: from n/a through <= 1.1.7.

0.1% 2024-11-30
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Random Banner random-banner allows Stored XSS. This issue affects Random Banner: from n/a through <= 4.2.12.

0.1% 2024-11-30
5.3 MEDIUM

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ideinteractive Content Audit Exporter content-audit-exporter allows Retrieve Embedded Sensitive Data. This issue affects Content Audit Exporter: from n/a through <= 1.1.

0.1% 2024-11-30
4.4 MEDIUM

Server-Side Request Forgery (SSRF) vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Server Side Request Forgery. This issue affects Asset CleanUp: Page Speed Booster: from n/a through <= 1.3.9.8.

0.1% 2024-11-30
4.1 MEDIUM

stalld through 1.19.7 allows local users to cause a denial of service (file overwrite) via a /tmp/rtthrottle symlink attack.

0.0% 2024-11-29
5.4 MEDIUM

The Backstage Scaffolder plugin houses types and utilities for building scaffolder-related modules. A vulnerability is identified in Backstage Scaffolder template functionality where Server-Side Template Injection (SSTI) can be exploited to perform Git config injection. The vulnerability allows an attacker to capture privileged git tokens used by the Backstage Scaffolder plugin. With these tokens, unauthorized access to sensitive resources in git can be achieved. The impact is considered medium severity as the Backstage Threat Model recommends restricting access to adding and editing templates in the Backstage Catalog plugin. The issue has been resolved in versions `v0.4.12`, `v0.5.1` and `v0.6.1` of the `@backstage/plugin-scaffolder-node` package. Users are advised to upgrade to one of these versions to mitigate the vulnerability. Users unable to upgrade may ensure that templates do not change git config.

0.2% 2024-11-29
6.1 MEDIUM

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source. This issue has been addressed in versions 2.11.14 and 3.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

0.2% 2024-11-29
5.4 MEDIUM

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js.

0.1% 2024-11-29
6.2 MEDIUM

FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavformat library which allows for an integer overflow, potentially resulting in a denial-of-service (DoS) condition.

0.0% 2024-11-29
5.5 MEDIUM

WithSecure Elements Agent for Mac before 24.3, MDR before 24.3, and Elements Client Security for Mac before 16.10 allow a remote Denial of Service.

0.1% 2024-11-29
5.4 MEDIUM

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts.

0.1% 2024-11-29
4.6 MEDIUM

A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 could allow an attacker to execute arbitrary JavaScript code via an elaborate payload injected into vulnerable parameters.

0.1% 2024-11-29
4.3 MEDIUM

Cross-site request forgery (CSRF) vulnerability in NEC Corporation UNIVERGE IX from Ver9.2 to Ver10.10.21, for Ver10.8 up to Ver10.8.27 and for Ver10.9 up to Ver10.9.14 allows an attacker to hijack the authentication of screens on the device via the management interface.

0.0% 2024-11-29
6.1 MEDIUM

pyspider through 0.3.10 allows /update XSS. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

0.1% 2024-11-29
4.3 MEDIUM

MSA FieldServer Gateway 5.0.0 through 6.5.2 allows cross-origin WebSocket hijacking.

0.1% 2024-11-29
6.1 MEDIUM

Backdrop CMS before 1.28.4 and 1.29.x before 1.29.2 allows XSS via an SVG document, if the SVG tag is allowed for a text format.

0.6% 2024-11-29
6.3 MEDIUM

A vulnerability, which was classified as critical, has been found in code-projects Responsive Hotel Site 1.0. Affected by this issue is some unknown functionality of the file /admin/room.php. The manipulation of the argument troom leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

0.1% 2024-11-28
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fintelligence Fintelligence Calculator fintelligence-calculator allows Stored XSS. This issue affects Fintelligence Calculator: from n/a through <= 1.0.3.

0.1% 2024-11-28
6.5 MEDIUM

A low-privileged remote attacker can perform a SQL injection in the web application due to improper handling of HTTP request input data, which allows exfiltration of all data.

0.1% 2024-11-28
6.5 MEDIUM

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster wp-mailster allows Stored XSS. This issue affects WP Mailster: from n/a through <= 1.8.16.0.

0.1% 2024-11-28
5.7 MEDIUM

Missing sanitization of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users that view a certain project.

0.1% 2024-11-28
5.5 MEDIUM

The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permissions and cannot be shown to users, but the environment is still exposed by systemd to non-privileged users.

0.0% 2024-11-28