
CVSS: 7.3 • EPSS: % • CPEs: 1 • EXPL: 0

JavaScript injection is possible via the venders/buyers list pages and shop names, which are currently not sanitized. • https://github.com/rathena/FluxCP/security/advisories/GHSA-xvqv-25vf-88g4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.3 • EPSS: % • CPEs: 2 • EXPL: 0

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. ... This renders DOMPurify unable to avoid cross-site scripting (XSS) attacks. • https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674 https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc • CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 4.6 • EPSS: % • CPEs: 2 • EXPL: 0

Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block. • https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4 https://github.com/concretecms/concretecms/pull/12204 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.3 • EPSS: % • CPEs: 1 • EXPL: 0

In JetBrains IntelliJ IDEA before 2024.1, HTML injection via the project name was possible. • https://www.jetbrains.com/privacy-security/issues-fixed • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1 • EPSS: % • CPEs: 1 • EXPL: 0

SmartRobot from INTUMIT does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject JavaScript code into the parameter for Reflected Cross-site Scripting attacks. • https://www.twcert.org.tw/en/cp-139-8070-d10bc-2.html https://www.twcert.org.tw/tw/cp-132-8069-73393-1.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •