CVE-2023-50892 – WordPress TheGem Theme <= 5.9.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50892
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme allows Reflected XSS. This issue affects TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme: from n/a through 5.9.1.

The TheGem theme for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to, and including, 5.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

References:
• https://patchstack.com/database/vulnerability/thegem/wordpress-thegem-theme-5-9-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve

Weakness:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23474 – editor.js contains Code Injection
https://notcve.org/view.php?id=CVE-2022-23474
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input: the processHTML method passes pasted input into the wrapper's innerHTML without sanitization. This issue is patched in version 2.26.0.

References:
• https://github.com/codex-team/editor.js/pull/2100
• https://securitylab.github.com/advisories/GHSL-2022-028_codex-team_editor_js

Weaknesses:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2021-43635
https://notcve.org/view.php?id=CVE-2021-43635
A Cross Site Scripting (XSS) vulnerability exists in Codex before 1.4.0 via the Notebook/Page name field, which allows malicious users to execute arbitrary code via crafted HTML in a .json file.

References:
• https://github.com/jcv8000/Codex
• https://github.com/jcv8000/Codex/issues/8
• https://github.com/jcv8000/Codex/releases/tag/v1.4.1

Weakness:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')