CVE-2024-6581 – Remote Code Execution due to Stored XSS in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-6581
Incomplete filtering in the sanitize_svg function can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. • https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-10461 – firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
https://notcve.org/view.php?id=CVE-2024-10461
In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header was not respected and did not force a download, which could allow XSS attacks. ... The Mozilla Foundation's Security Advisory: In multipart/x-mixed-replace responses, `Content-Disposition: attachment` in the response header is not respected and does not force a download, which could allow cross-site scripting (XSS) attacks. • id=1914521 https://www.mozilla.org/security/advisories/mfsa2024-55 https://www.mozilla.org/security/advisories/mfsa2024-56 https://www.mozilla.org/security/advisories/mfsa2024-58 https://www.mozilla.org/security/advisories/mfsa2024-59 https://access.redhat.com/security/cve/CVE-2024-10461 https://bugzilla.redhat.com/show_bug.cgi? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-45477 – Apache NiFi: Improper Neutralization of Input in Parameter Description
https://notcve.org/view.php?id=CVE-2024-45477
Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. ... Apache NiFi 1.10.0 through 1.27.0 and 2.0.0-M1 through 2.0.0-M3 support a description field for Parameters in a Parameter Context configuration that is vulnerable to cross-site scripting. • https://lists.apache.org/thread/shdv0tw9hggj7tx9pl7g93mgok2lwbj9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-10479 – LinZhaoguan pb-cms Theme Management Module admin#themes cross site scripting
https://notcve.org/view.php?id=CVE-2024-10479
The manipulation leads to cross-site scripting. ... By manipulating with unknown data, a cross-site scripting vulnerability can be exploited. • https://gitee.com/LinZhaoguan/pb-cms/issues/IAYHUP https://vuldb.com/?ctiid.282090 https://vuldb.com/?id.282090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-10226 – Arconix Shortcodes <= 2.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via box Shortcode
https://notcve.org/view.php?id=CVE-2024-10226
The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 2.1.13 due to insufficient input sanitization and output escaping on user supplied attributes. • source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •