
CVSS: - | EPSS: 0% | CPEs: - | EXPL: 0

Processing maliciously crafted web content may lead to universal cross-site scripting. • https://support.apple.com/en-us/121238 https://support.apple.com/en-us/121240 https://support.apple.com/en-us/121241 https://support.apple.com/en-us/121248 https://support.apple.com/en-us/121249 https://support.apple.com/en-us/121250 •

CVSS: 5.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

SnappyMail is an open source web-based email client. SnappyMail uses the `cleanHtml()` function to clean up HTML and CSS in emails. Researchers found that the function has several bugs that allow a mutation XSS (mXSS). Because the function allowed too many (invalid) HTML elements, malformed markup that passed the cleaner could be "fixed" by the browser's parser into valid markup the cleaner never saw. As a result, a motivated attacker may be able to inject JavaScript. • https://github.com/the-djmaze/snappymail/blob/master/dev/Common/Html.js https://github.com/the-djmaze/snappymail/commit/cfbc47488a6b2e2ae4be484f501ee1a3485f542e https://github.com/the-djmaze/snappymail/security/advisories/GHSA-2rq7-79vp-ffxm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

The WYSIWYG editor QuillJS is subject to a potential XSS attack if the attacker modifies the HTML before it is uploaded to the server. An attacker who crafts the request themselves can, for example, change the submitted markup to <svg onload=alert('XSS')>. • https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
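The SnappyMail and Decidim entries above describe the same two failure modes: a cleaner that passes through elements it does not understand, so the browser's parser "repairs" markup the cleaner treated as inert text (mXSS), and a server that trusts editor output such as `<svg onload=...>`. The following is an added example, not code from SnappyMail's `cleanHtml()`, from Decidim, or from the advisories. It puts a denylist-style sanitizer beside an allowlist one, rebuilt from parse events, and adds the two checks worth running on any sanitizer: a pessimistic re-parse of the output that treats all content as markup (the `MarkupAudit` class is a model of the browser's foreign-content behaviour, not a browser), and an idempotence test. The payloads and the `ALLOWED` table are constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payloads (assumptions for the demo, not taken from the advisories).
SVG_ONLOAD = "<p>hi</p><svg onload=alert('XSS')>"
# In a browser, <style> inside <svg> is foreign content whose children are
# elements, and <img> breaks out of the SVG as a real HTML <img>. A sanitizer
# that treats <style> as raw text passes the "CSS" through untouched.
NAMESPACE_CONFUSION = "<svg><style><img src=x onerror=alert(1)></style></svg>"

# Allowlist: element -> attributes permitted on it (illustrative, not a project's).
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "ul": set(),
           "li": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}
RAW_TEXT = {"script", "style"}


def safe_url(value):
    """Only relative, http or https URLs survive (drops javascript:, data:, ...)."""
    return urlsplit(value or "").scheme.lower() in ("", "http", "https")


def _attrs(attrs, keep):
    return "".join(' %s="%s"' % (k, escape(v or "", quote=True)) for k, v in attrs if keep(k, v))


class DenylistSanitizer(HTMLParser):
    """Weak design: every element passes through; only <script> and on* attributes
    are removed. <style> content is raw text to this parser and is copied verbatim."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping, self.in_style = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.skipping += 1
        elif not self.skipping:
            self.out.append("<%s%s>" % (tag, _attrs(attrs, lambda k, v: not k.startswith("on"))))
            self.in_style = tag == "style"

    def handle_endtag(self, tag):
        if tag == "script":
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping:
            self.in_style = self.in_style and tag != "style"
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data if self.in_style else escape(data))


class AllowlistSanitizer(HTMLParser):
    """Robust design: output is rebuilt from parse events using only allowlisted
    elements and attributes; all text is escaped; raw-text content is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.dropping += 1
        elif not self.dropping and tag in ALLOWED:
            keep = lambda k, v: k in ALLOWED[tag] and (k not in ("href", "src") or safe_url(v))
            self.out.append("<%s%s>" % (tag, _attrs(attrs, keep)))

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data))


class MarkupAudit(HTMLParser):
    """Pessimistic re-parse of sanitizer output: no raw-text elements at all, so
    anything that could become an element in some browser context is seen as one."""
    CDATA_CONTENT_ELEMENTS = ()  # <img> inside <style> is a tag here, as in an SVG context

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.findings.append("element <%s> not allowlisted" % tag)
        for name, _ in attrs:
            if name.startswith("on") or name not in ALLOWED.get(tag, set()):
                self.findings.append("attribute %s on <%s>" % (name, tag))


def _run(parser_cls, html):
    parser = parser_cls()
    parser.feed(html)
    parser.close()
    return parser


def denylist_sanitize(html):
    return "".join(_run(DenylistSanitizer, html).out)


def allowlist_sanitize(html):
    return "".join(_run(AllowlistSanitizer, html).out)


def audit(html):
    """Findings from the pessimistic re-parse; an empty list means clean."""
    return _run(MarkupAudit, html).findings


def is_idempotent(sanitize, html):
    """Regression check for mutation bugs: a second pass must change nothing."""
    once = sanitize(html)
    return sanitize(once) == once


if __name__ == "__main__":
    for name, payload in (("svg onload", SVG_ONLOAD), ("namespace confusion", NAMESPACE_CONFUSION)):
        for label, fn in (("denylist", denylist_sanitize), ("allowlist", allowlist_sanitize)):
            out = fn(payload)
            print("%-19s %-9s -> %r findings=%s" % (name, label, out, audit(out)))
```

The denylist output for the second payload is byte-for-byte the input, and it is even idempotent, because the parser never saw the `<img>` as an element; only the pessimistic re-parse flags it. Idempotence catches mutations inside the sanitizer's own parse model, the audit catches differentials between that model and the browser's, and a sanitizer needs both checks. The allowlist version avoids the problem structurally: it never copies input bytes, so the output can only contain markup the sanitizer itself emitted.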

CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

The admin panel is subject to a potential cross-site scripting (XSS) attack when an admin assigns a valuator to a proposal, or performs any other action that generates an admin activity log entry, and one of the referenced resources carries a crafted XSS payload. • https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6 https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645 https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072 https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0 https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

A JavaScript injection is possible via the vendors/buyers list pages and shop names, which are currently not sanitized. • https://github.com/rathena/FluxCP/security/advisories/GHSA-xvqv-25vf-88g4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •