Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-33231

XSS attack was possible in DPA 2023.2 due to insufficient input validation

CVE
Open in Source
#xss
GHSA-c9vx-2g7w-rp65: matrix-react-sdk vulnerable to XSS in Export Chat feature

### Description The Export Chat feature includes certain attacker-controlled elements in the generated document without sufficient escaping, leading to stored XSS. ### Impact Since the Export Chat feature generates a separate document, an attacker can only inject code run from the `null` origin, restricting the impact. However, the attacker can still potentially use the XSS to leak message contents. A malicious homeserver is a potential attacker since the affected inputs are controllable server-side. ### Patches _Has the problem been patched? What versions should users upgrade to?_ ### Workarounds None, other than not using the Export Chat feature. ### References _Are there any links users can visit to find out more?_

CVE-2023-36384: WordPress Booking Calendar Contact Form plugin <= 1.2.40 - Cross Site Scripting (XSS) - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeople Booking Calendar Contact Form plugin <= 1.2.40 versions.

CVE-2023-36383: WordPress Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 3.9.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce plugin <= 3.9.5 versions.

CVE-2023-24390: WordPress WeSecur Security plugin <= 1.2.1 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WeSecur Security plugin <= 1.2.1 versions.

CVE-2022-47421: WordPress ARMember plugin <= 4.0.4 - Stored Cross Site Scripting (XSS) on Common Messages Settings - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Repute InfoSystems ARMember (free), Repute InfoSystems ARMember (premium) plugins.

CVE-2023-32965: WordPress Jazz Popups plugin <= 1.8.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CRUDLab Jazz Popups plugin <= 1.8.7 versions.

Catpops Technobiz CMS 4.0 Cross Site Scripting

Catpops Technobiz CMS version 4.0 suffers from a cross site scripting vulnerability.

CVE-2023-2433: Changeset 2939617 for yet-another-related-posts-plugin/trunk/classes/YARPP_Core.php – WordPress Plugin Repository

The YARPP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'className' parameter in versions up to, and including, 5.30.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-3708: Multiple DeoThemes Themes <= (Various Versions) - Reflected Cross-Site Scripting — Wordfence Intelligence

Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.