Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-21494

Summary
Assigner-snyk
Assigner Org ID-bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At-17 Feb, 2024 | 05:00
Updated At-24 Apr, 2025 | 15:12
Rejected At-
Credits

All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:snyk
Assigner Org ID:bae035ff-b466-4ff4-94d0-fc9efd9e1730
Published At:17 Feb, 2024 | 05:00
Updated At:24 Apr, 2025 | 15:12
Rejected At:
▼CVE Numbering Authority (CNA)

All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.

Affected Products
Vendor
n/a
Product
github.com/greenpau/caddy-security
Versions
Affected
  • From 0 before * (semver)
Problem Types
TypeCWE IDDescription
N/AN/AAuthentication Bypass by Spoofing
Type: N/A
CWE ID: N/A
Description: Authentication Bypass by Spoofing
Metrics
VersionBase scoreBase severityVector
3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Maciej Domanski
Travis Peters
David Pokora
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
N/A
https://github.com/greenpau/caddy-security/issues/266
N/A
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
N/A
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
Resource: N/A
Hyperlink: https://github.com/greenpau/caddy-security/issues/266
Resource: N/A
Hyperlink: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
github.com\/greenpau\/caddy-security
Product
github.com\/greenpau\/caddy-security
CPEs
  • cpe:2.3:a:github.com\/greenpau\/caddy-security:github.com\/greenpau\/caddy-security:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 through * (custom)
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
x_transferred
https://github.com/greenpau/caddy-security/issues/266
x_transferred
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
x_transferred
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
Resource:
x_transferred
Hyperlink: https://github.com/greenpau/caddy-security/issues/266
Resource:
x_transferred
Hyperlink: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:report@snyk.io
Published At:17 Feb, 2024 | 05:15
Updated At:24 Apr, 2025 | 15:15

All versions of the package github.com/greenpau/caddy-security are vulnerable to Authentication Bypass by Spoofing via the X-Forwarded-For header due to improper input sanitization. An attacker can spoof an IP address used in the user identity module (/whoami API endpoint). This could lead to unauthorized access if the system trusts this spoofed IP address.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary3.15.4MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 5.4
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CPE Matches
greenpau
greenpau
>>caddy-security>>*
cpe:2.3:a:greenpau:caddy-security:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-290Secondaryreport@snyk.io
CWE-290Primarynvd@nist.gov
CWE-79Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-290
Type: Secondary
Source: report@snyk.io
CWE ID: CWE-290
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/report@snyk.io
Third Party Advisory
https://github.com/greenpau/caddy-security/issues/266report@snyk.io
Issue Tracking
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859report@snyk.io
Third Party Advisory
https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://github.com/greenpau/caddy-security/issues/266af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Hyperlink: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
Source: report@snyk.io
Resource:
Third Party Advisory
Hyperlink: https://github.com/greenpau/caddy-security/issues/266
Source: report@snyk.io
Resource:
Issue Tracking
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
Source: report@snyk.io
Resource:
Third Party Advisory
Hyperlink: https://blog.trailofbits.com/2023/09/18/security-flaws-in-an-sso-plugin-for-caddy/
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
Hyperlink: https://github.com/greenpau/caddy-security/issues/266
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Issue Tracking
Hyperlink: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGREENPAUCADDYSECURITY-6249859
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

170Records found
CVE-2023-23548
Matching Score-4
Assigner-Checkmk GmbH
ShareView Details
Matching Score-4
Assigner-Checkmk GmbH
CVSS Score-5.4||MEDIUM
EPSS-0.43% / 62.03%
||
7 Day CHG~0.00%
Published-01 Aug, 2023 | 09:42
Updated-27 Sep, 2024 | 21:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in business intelligence

Reflected XSS in business intelligence in Checkmk <2.2.0p8, <2.1.0p32, <2.0.0p38, <=1.6.0p30.

Action-Not Available
Vendor-Checkmk GmbH
Product-checkmkCheckmk
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-32335
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.12% / 31.86%
||
7 Day CHG~0.00%
Published-18 Apr, 2024 | 00:00
Updated-03 Apr, 2025 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in Access Control under the Wireless Page.

Action-Not Available
Vendor-n/aTOTOLINK
Product-n300rtn300rt_firmwaren/an300rt_firmware
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8397
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.02% / 3.82%
||
7 Day CHG~0.00%
Published-15 May, 2025 | 20:07
Updated-12 Jun, 2025 | 15:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GDPR Cookie Consent <= 2.6.0 - Unauthenticated Stored XSS

The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context.

Action-Not Available
Vendor-webtoffeeUnknown
Product-gdpr_cookie_consentwebtoffee-gdpr-cookie-consent
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43396
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.08% / 25.56%
||
7 Day CHG~0.00%
Published-20 Aug, 2024 | 20:23
Updated-03 Sep, 2024 | 18:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. This vulnerability is fixed in 1.15.0.

Action-Not Available
Vendor-khojkhoj-ai
Product-khojkhoj
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42758
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.21% / 43.46%
||
7 Day CHG~0.00%
Published-16 Aug, 2024 | 00:00
Updated-19 Aug, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Cross-site Scripting (XSS) vulnerability exists in version v2024-01-05 of the indexmenu plugin when is used and enabled in Dokuwiki (Open Source Wiki Engine). A malicious attacker can input XSS payloads for example when creating or editing existing page, to trigger the XSS on Dokuwiki, which is then stored in .txt file (due to nature of how Dokuwiki is designed), which presents stored XSS.

Action-Not Available
Vendor-n/aandreas_gohr
Product-n/adokuwiki
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-35302
Matching Score-4
Assigner-JetBrains s.r.o.
ShareView Details
Matching Score-4
Assigner-JetBrains s.r.o.
CVSS Score-5.4||MEDIUM
EPSS-18.23% / 94.95%
||
7 Day CHG+2.07%
Published-16 May, 2024 | 10:32
Updated-16 Dec, 2024 | 15:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains TeamCity before 2023.11 stored XSS during restore from backup was possible

Action-Not Available
Vendor-JetBrains s.r.o.
Product-teamcityTeamCityteamcity
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-33102
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.66% / 70.30%
||
7 Day CHG~0.00%
Published-30 Apr, 2024 | 00:00
Updated-23 Apr, 2025 | 01:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability in the component /pubs/counter.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the code parameter.

Action-Not Available
Vendor-thinksaasn/athinksaas
Product-thinksaasn/athinksaas
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-34341
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 52.76%
||
7 Day CHG+0.13%
Published-07 May, 2024 | 15:13
Updated-02 Aug, 2024 | 02:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Trix Editor Contains an Arbitrary Code Execution Vulnerability

Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.

Action-Not Available
Vendor-basecampbasecamp
Product-trixtrix
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-31857
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 35.59%
||
7 Day CHG~0.00%
Published-23 Apr, 2024 | 04:46
Updated-04 Apr, 2025 | 13:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user's web browser.

Action-Not Available
Vendor-Incsub, LLC
Product-forminatorForminatorforminator
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26471
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.38% / 58.56%
||
7 Day CHG~0.00%
Published-27 Feb, 2024 | 00:00
Updated-30 Apr, 2025 | 16:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected cross-site scripting (XSS) vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in offer.php.

Action-Not Available
Vendor-msaad1999n/aibarn_project
Product-klik_socialmediawebsiten/aibarn
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-33848
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.78%
||
7 Day CHG~0.00%
Published-21 Jan, 2022 | 18:17
Updated-16 Apr, 2025 | 16:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fresenius Kabi Agilia Connect Infusion System cross site scripting

Fresenius Kabi Vigilant Software Suite (Mastermed Dashboard) version 2.0.1.3 is vulnerable to reflected cross-site scripting attacks. An attacker could inject JavaScript in a GET parameter of HTTP requests and perform unauthorized actions such as stealing internal information and performing actions in context of an authenticated user.

Action-Not Available
Vendor-fresenius-kabiFresenius Kabi
Product-link\+_agilia_firmwareagilia_connect_firmwarevigilant_insightagilia_connectvigilant_mastermedlink\+_agiliavigilant_centeriumagilia_partner_maintenance_softwareVigilant Software Suite (Mastermed Dashboard)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-47050
Matching Score-4
Assigner-Mautic
ShareView Details
Matching Score-4
Assigner-Mautic
CVSS Score-5.4||MEDIUM
EPSS-0.20% / 41.82%
||
7 Day CHG~0.00%
Published-18 Sep, 2024 | 21:04
Updated-27 Sep, 2024 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
XSS in contact/company tracking (no authentication)

Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable.

Action-Not Available
Vendor-acquiaMautic
Product-mauticMautic
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-44818
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.09% / 26.82%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 00:00
Updated-23 Apr, 2025 | 15:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in ZZCMS v.2023 and before allows a remote attacker to obtain sensitive information via the HTTP_Referer header of the caina.php component.

Action-Not Available
Vendor-zzcmsn/azzcms
Product-zzcmsn/azzcms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-8413
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.51%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 10:31
Updated-05 Sep, 2024 | 17:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting (XSS) in Raspcontrol

Cross Site Scripting (XSS) vulnerability through the action parameter in index.php. Affected product codebase https://github.com/Bioshox/Raspcontrol and forks such as https://github.com/harmon25/raspcontrol . An attacker could exploit this vulnerability by sending a specially crafted JavaScript payload to an authenticated user and partially hijacking their session details. References list

Action-Not Available
Vendor-raspcontrol_projectRaspControl
Product-raspcontrolRaspControl
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43437
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 40.20%
||
7 Day CHG+0.01%
Published-11 Nov, 2024 | 12:19
Updated-13 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moodle: xss risk when restoring malicious course backup file

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

Action-Not Available
Vendor-
Product-
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-43439
Matching Score-4
Assigner-Fedora Project
ShareView Details
Matching Score-4
Assigner-Fedora Project
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 38.28%
||
7 Day CHG+0.01%
Published-11 Nov, 2024 | 16:00
Updated-12 Nov, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moodle: reflected xss via h5p error message

A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

Action-Not Available
Vendor-Moodle Pty Ltd
Product-moodle
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4174
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
ShareView Details
Matching Score-4
Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 36.80%
||
7 Day CHG~0.00%
Published-25 Apr, 2024 | 11:44
Updated-01 Aug, 2024 | 20:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross-Site Scripting (XSS) vulnerability in Hyperion Web Server

Cross-Site Scripting (XSS) vulnerability in Hyperion Web Server affecting version 2.0.15. This vulnerability could allow an attacker to execute malicious Javascript code on the client by injecting that code into the URL.

Action-Not Available
Vendor-Hyperionhyperion
Product-Hyperion Web Serverhyperion_web_server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24685
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.14% / 34.31%
||
7 Day CHG~0.00%
Published-01 Nov, 2021 | 08:46
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flat Preloader < 1.5.4 - CSRF to Stored Cross-Site Scripting

The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)

Action-Not Available
Vendor-flat_preloader_projectUnknown
Product-flat_preloaderFlat Preloader
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2021-24683
Matching Score-4
Assigner-WPScan
ShareView Details
Matching Score-4
Assigner-WPScan
CVSS Score-5.4||MEDIUM
EPSS-0.11% / 29.65%
||
7 Day CHG~0.00%
Published-11 Oct, 2021 | 10:45
Updated-03 Aug, 2024 | 19:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting

The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue.

Action-Not Available
Vendor-UnknownA WP Life
Product-weather_effectWeather Effect – Christmas Santa Snow Falling
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2020-8292
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-5.4||MEDIUM
EPSS-0.34% / 56.40%
||
7 Day CHG~0.00%
Published-21 Jan, 2021 | 19:13
Updated-04 Aug, 2024 | 09:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scripting (XSS) vulnerability via the drag & drop functionality in message boxes.

Action-Not Available
Vendor-rocket.chatn/a
Product-rocket.chatRocket.Chat server
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found