
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

The WYSIWYG editor QuillJS is subject to a potential XSS attack in case the attacker manages to modify the HTML before it is uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves.
• https://github.com/decidim/decidim/security/advisories/GHSA-vvqw-fqwx-mqmm
• https://github.com/decidim/decidim/commit/47adca81cabea898005ec07b130b008f2a2be99f
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

The admin panel is subject to a potential cross-site scripting (XSS) attack in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted.
• https://github.com/decidim/decidim/security/advisories/GHSA-rx9f-5ggv-5rh6
• https://github.com/decidim/decidim/commit/23fc8d702a4976727f78617f5e42353d67931645
• https://github.com/decidim/decidim/commit/9d79f09a2d38c87feb28725670d6cc1f55c22072
• https://github.com/decidim/decidim/commit/e494235d559be13dd1f8694345e6f6bba762d1c0
• https://github.com/decidim/decidim/commit/ff755e23814aeb56e9089fc08006a5d3faee47b6
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

A JavaScript injection is possible via venders/buyers list pages and shop names, which are currently not sanitized.
• https://github.com/rathena/FluxCP/security/advisories/GHSA-xvqv-25vf-88g4
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. ... This renders dompurify unable to avoid cross site scripting (XSS) attacks.
• https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
• https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21
• https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc
• CWE-1333: Inefficient Regular Expression Complexity

CVSS: 4.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block. ... Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block.
• https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
• https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes
• https://github.com/concretecms/concretecms/commit/ce5ee2ab83fe8de6fa012dd51c5a1dde05cb0dc4
• https://github.com/concretecms/concretecms/pull/12204
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')