Floodlight version 1.2 and earlier contains a Cross Site Scripting (XSS) vulnerability in the web console that can result in javascript injections into the web page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RisingStack protect version 1.2.0 and earlier contains a Cross Site Scripting (XSS) vulnerability in isXss() function in lib/rules/xss.js that can result in dangerous XSS strings being validated as. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through 17.6 that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
D-Link DIR-615 T1 devices allow XSS via the Add User feature. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A denial of service vulnerability exists in Schneider Electric's MiCOM Px4x (P540 range excluded) with legacy Ethernet board, MiCOM P540D Range with Legacy Ethernet Board, and MiCOM Px4x Rejuvenated. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Parsedown version prior to 1.7.0 contains a Cross Site Scripting (XSS) vulnerability in `setMarkupEscaped` for escaping HTML that can result in JavaScript code execution. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Zulip Server versions before 1.7.2, there was an XSS issue with stream names in topic typeahead. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Zulip Server versions 1.5.x, 1.6.x, and 1.7.x before 1.7.2, there was an XSS issue with muting notifications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Zulip Server versions before 1.7.2, there were XSS issues with the frontend markdown processor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Mautic before v2.13.0 has stored XSS via a theme config file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
tlslite-ng version 0.7.3 and earlier, since commit d7b288316bca7bcdd082e6ccff5491e241305233 contains a CWE-354: Improper Validation of Integrity Check Value vulnerability in TLS implementation,. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
nmap version 6.49BETA6 through 7.60, up to and including SVN revision 37147 contains a Directory Traversal vulnerability in NSE script http-fetch that can result in file overwrite as the user is. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Zulip Server versions before 1.7.2, there was an XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An information disclosure vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.