Export limit exceeded: 364488 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364488 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-1273 1 Squirrly 1 Starbox 2025-05-01 6.1 Medium
The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
CVE-2024-28417 1 Webedition 1 Webedition Cms 2025-04-30 6.3 Medium
Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php.
CVE-2024-28418 1 Webedition 1 Webedition Cms 2025-04-30 6.5 Medium
Webedition CMS 9.2.2.0 has a File upload vulnerability via /webEdition/we_cmd.php
CVE-2024-37622 2 Rockoa, Xinhu 2 Xinhu, Rockoa 2025-04-30 6.1 Medium
Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the num parameter at /flow/flow.php.
CVE-2024-37623 1 Rockoa 1 Xinhu 2025-04-30 6.1 Medium
Xinhu RockOA v2.6.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the /kaoqin/tpl_kaoqin_locationchange.html component.
CVE-2024-38469 1 Ibarn Project 1 Ibarn 2025-04-30 6.3 Medium
zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /pay.php.
CVE-2024-38470 1 Ibarn Project 1 Ibarn 2025-04-30 6.1 Medium
zhimengzhe iBarn v1.5 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the $search parameter at /own.php.
CVE-2024-37799 2 Code-projects, Codeprojects 2 Restaurant Reservation System, Restaurant Reservation System 2025-04-30 5.4 Medium
CodeProjects Restaurant Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the reserv_id parameter at view_reservations.php.
CVE-2024-38275 1 Moodle 1 Moodle 2025-04-30 7.5 High
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
CVE-2024-4957 1 J-breuer 1 Frontend Checklist 2025-04-30 4.3 Medium
The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-4959 2 J-breuer, Jonas Breuer 2 Frontend Checklist, Frontend Checklist 2025-04-30 4.8 Medium
The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2024-21896 2 Nodejs, Redhat 3 Node.js, Nodejs, Enterprise Linux 2025-04-30 9.8 Critical
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21892 3 Linux, Nodejs, Redhat 4 Linux Kernel, Node.js, Enterprise Linux and 1 more 2025-04-30 7.8 High
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVE-2024-21890 2 Nodejs, Redhat 2 Node.js, Enterprise Linux 2025-04-30 6.5 Medium
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21891 2 Nodejs, Redhat 3 Node.js, Nodejs, Enterprise Linux 2025-04-30 8.8 High
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2023-32558 1 Nodejs 1 Node.js 2025-04-30 7.5 High
The use of the deprecated API `process.binding()` can bypass the permission model through path traversal. This vulnerability affects all users using the experimental permission model in Node.js 20.x. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2022-35256 5 Debian, Llhttp, Nodejs and 2 more 7 Debian Linux, Llhttp, Node.js and 4 more 2025-04-30 6.5 Medium
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
CVE-2022-32222 2 Nodejs, Siemens 2 Node.js, Sinec Ins 2025-04-30 5.3 Medium
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3.
CVE-2022-32223 2 Microsoft, Nodejs 2 Windows, Node.js 2025-04-30 7.3 High
Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
CVE-2022-32213 7 Debian, Fedoraproject, Llhttp and 4 more 9 Debian Linux, Fedora, Llhttp and 6 more 2025-04-30 6.5 Medium
The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS).