Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10to8 Sign In Scheduling Online Appointment Booking System allows Stored XSS.This issue affects Sign In Scheduling Online Appointment Booking System: from n/a through 1.0.9.



**Solution**

 No fix available

 vPatch available

No patched version is available.

Found this useful? Thank Ngô Thiên An (ancorn\_ from VNPT-VCI) for reporting this vulnerability. Buy a coffee ☕

Ngô Thiên An (ancorn\_ from VNPT-VCI) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress 10to8 Online Appointment Booking System Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-49173: WordPress 10to8 Online Appointment Booking System plugin <= 1.0.9 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Phillips Nested Pages allows Stored XSS.This issue affects Nested Pages: from n/a through 3.2.6.



**Solution**

 No fix available

No patched version is available.

emad discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Nested Pages Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**Other vulnerabilities in this plugin**

 1 present

 4 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-49195: WordPress Nested Pages plugin <= 3.2.6 - Cross Site Scripting (XSS) vulnerability - Patchstack

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) in the site management office.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-50137: CVE/3/There is a storage type xss in the site management office.md at main · yukino-hiki/CVE

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via carousel image editing.

CVE-2023-50100: cms/There is a storage type XSS for carousel image editing.md at master · Jarvis-616/cms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS) via Label management editing.

CVE-2023-50101: cms/Label management editing with stored XSS.md at master · Jarvis-616/cms

JFinalcms 5.0.0 is vulnerable to Cross Site Scripting (XSS).

CVE-2023-50102: cms/Content data exists in storage XSS for editing.md at master · Jarvis-616/cms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Uroševi? Stock Ticker allows Reflected XSS.This issue affects Stock Ticker: from n/a through 3.23.2.



**Solution**

 Update to fix

 vPatch available

Update the WordPress Stock Ticker plugin to the latest available version (at least 3.23.3).

Aman Rawat discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Stock Ticker Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 3.23.3.

**Other vulnerabilities in this plugin**

 0 present

 3 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2022-45365: WordPress Stock Ticker plugin <= 3.23.2 - Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack


Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 



**Impact**

High

**Details**

Proprietary Code CVEs 

Description 

CVSS Base Score 

CVSS Vector String 

CVE-2023-44286 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. .  Exploitation may lead to information disclosure, session theft, or client-side request forgery. 

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-48668 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. 

8.2 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-44285  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44277  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-48667 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. 

7.2 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44279  

Dell PowerProtect DD , versions prior to 7.13.0.10,  LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44278 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110  contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44284 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. 

 4.3 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Proprietary Code CVEs 

Description 

CVSS Base Score 

CVSS Vector String 

CVE-2023-44286 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a DOM-based Cross-Site Scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the injection of malicious HTML or JavaScript code to a victim user's DOM environment in the browser. .  Exploitation may lead to information disclosure, session theft, or client-side request forgery. 

8.8 

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2023-48668 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 on DDMC contain an OS command injection vulnerability in an admin operation. A local high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the managed system application's underlying OS with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker on a managed system of DDMC. 

8.2 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-44285  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an improper access control vulnerability. A local malicious user with low privileges could potentially exploit this vulnerability leading to escalation of privilege. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44277  

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker. 

7.8 

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-48667 

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A remote high privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS to bypass security restriction. Exploitation may lead to a system take over by an attacker. 

7.2 

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44279  

Dell PowerProtect DD , versions prior to 7.13.0.10,  LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in administrator CLI. A local high privileged attacker could potentially exploit this vulnerability, to bypass security restrictions. Exploitation may lead to a system take over by an attacker. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44278 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110  contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. 

6.7 

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2023-44284 

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an SQL Injection vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing unauthorized read access to application data. 

 4.3 

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVEs Addressed                    

Product 

Affected Versions 

Remediated Versions 

Link 

CVE-2023-44286,  CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances 

Dell PowerProtect DD Virtual Edition 

Dell APEX Protection Storage 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7 

For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):   
 

*   https://www.dell.com/support/kbdoc/ 000081247
    
*   https://www.dell.com/support/kbdoc/ 000014125525902 
    

6.2.1.100 and below 

6.2.1.110 and above 

CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 

Dell PowerProtect DD management Center 

7.0 to 7.12.0.0 

7.13.0.10 and above    
or    
7.10.1.15 and above to stay on LTS2023 7.10    
or     
7.7.5.25 and above to stay on LTS2022 7.7 

6.2.1.100 and below   

6.2.1.110 and above   

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284   
 

PowerProtect DP Series Appliance (IDPA): All Models 

2.7.4 and below 

2.7.6 and above 

Expected Availability: December 21, 2023   

 CVE-2023-44284 

PowerProtect Data Manager Appliance model: DM5500  

5.14 and below 

5.15.0.0 and above 

To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV\_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg 

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7    
 

Contact customer support to schedule the code update. 

For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): 

*   https://www.dell.com/support/kbdoc/000081247 
    
*   https://www.dell.com/support/kbdoc/000014125
    

6.2.1.100 and below 

6.2.1.110 and above  

CVEs Addressed                    

Product 

Affected Versions 

Remediated Versions 

Link 

CVE-2023-44286,  CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances 

Dell PowerProtect DD Virtual Edition 

Dell APEX Protection Storage 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7 

For more details about DD OS software versions available for download, see the links below (requires log in to Dell Support to view articles):   
 

*   https://www.dell.com/support/kbdoc/ 000081247
    
*   https://www.dell.com/support/kbdoc/ 000014125525902 
    

6.2.1.100 and below 

6.2.1.110 and above 

CVE-2023-44286, CVE-2023-48668, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278 

Dell PowerProtect DD management Center 

7.0 to 7.12.0.0 

7.13.0.10 and above    
or    
7.10.1.15 and above to stay on LTS2023 7.10    
or     
7.7.5.25 and above to stay on LTS2022 7.7 

6.2.1.100 and below   

6.2.1.110 and above   

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284   
 

PowerProtect DP Series Appliance (IDPA): All Models 

2.7.4 and below 

2.7.6 and above 

Expected Availability: December 21, 2023   

 CVE-2023-44284 

PowerProtect Data Manager Appliance model: DM5500  

5.14 and below 

5.15.0.0 and above 

To download (requires log in to Dell Support): https://dl.dell.com/downloads/HY8KV\_PowerProtect-Data-Manager-DM5500-Appliance-5.15.0.0-Upgrade-file.pkg 

CVE-2023-44286, CVE-2023-44285, CVE-2023-44277, CVE-2023-48667, CVE-2023-44279, CVE-2023-44278, CVE-2023-44284 

Dell PowerProtect DD series appliances and Dell PowerProtect DD Virtual Edition leveraged in the Disk Library for Mainframe (DLm) environment 

7.0 to 7.12.0.0 

7.13.0.10 and above   
or   
7.10.1.15 and above to stay on LTS2023 7.10   
or    
7.7.5.25 and above to stay on LTS2022 7.7    
 

Contact customer support to schedule the code update. 

For more details about DDOS versions available for download, see the links below (requires log in to Dell Support to view articles): 

*   https://www.dell.com/support/kbdoc/000081247 
    
*   https://www.dell.com/support/kbdoc/000014125
    

6.2.1.100 and below 

6.2.1.110 and above  

Additional, related information is available at this Knowledgebase article KB000220263: Additional Information Regarding DSA-2023-412: Dell PowerProtect DD Vulnerabilities.  

Expected availability dates are subject to change.

**Acknowledgements**

CVE-2023-44279: Dell Technologies would like to thank Rushank Shetty and Ryan Kane (Security Researchers at Northwestern Mutual) for reporting this issue. 

CVE-2023-44277, CVE-2023-44284, CVE-2023-44286: Dell Technologies would like to thank Jakub Brzozowski (redfr0g), Franciszek Kalinowski, and Stanisław Koza from STM Cyber for reporting these issues. 

CVE-2023-44285: Dell Technologies would like to thank Jens Krüger from SAP for reporting this issue. 

**Revision History**

Revision 

Date 

Description 

1.0 

2023-12-13

Initial Release 

2.0

2023-12-13 

Updated for enhancement no change to content

3.0

2023-12-13 

• Updated "Affected Product" section under "Article Properties"  
• Added Additional details stating "The downloads will be made available shortly"

4.0

2023-12-13

Added Additional Acknowledgement in "Acknowledgements" section

5.0

2023-12-13

• Corrected link in the "Affected Products and Remediation" Table   
• Removed Additional Details statement "The downloads will be made available shortly"   
• Updated "Affected Product section under "Article Properties"

6.0

2023-12-13

Updated "Affected Product section under "Article Properties"

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

Data Backup & Protection Storage, Data Domain, PowerProtect Data Protection Appliance, PowerProtect Data Manager Appliance, DD3300 Appliance, Data Domain Deduplication Storage Systems, DD OS 6.2, DD OS, DD OS 6.0, DD OS 6.1, DD OS 7.0, DD OS 7.1 , DD OS 7.10, DD OS 7.11, DD OS 7.12, DD OS 7.2, DD OS 7.3, DD OS 7.4, DD OS 7.5, DD OS 7.6, DD OS 7.7, DD OS 7.8, DD OS 7.9, Data Domain Virtual Edition, DD2200 Appliance, DD6300 Appliance, DD6400 Appliance, DD6800 Appliance, DD6900 Appliance, DD9300 Appliance, DD9400 Appliance, DD9800 Appliance, DD9900 Appliance, Disk Library for mainframe, PowerProtect Data Domain Management Center, Integrated Data Protection Appliance Software, PowerProtect DM5500 ...

CVE-2023-44277: DSA-2023-412: Dell Technologies PowerProtect Security Update for Multiple Security Vulnerabilities

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPlus Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss allows Stored XSS.This issue affects Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss: from n/a through 2.4.0.



**Solution**

 Update to fix

 vPatch available

Update the WordPress BP Better Messages plugin to the latest available version (at least 2.4.1).

Found this useful? Thank Rafshanzani Suhada for reporting this vulnerability. Buy a coffee ☕

Rafshanzani Suhada discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress BP Better Messages Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.4.1.

**Other vulnerabilities in this plugin**

 0 present

 11 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-49168: WordPress BP Better Messages plugin <= 2.4.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo allows Stored XSS.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.4.2.



**Solution**

 Update to fix

Update the WordPress WooCommerce Payments plugin to the latest available version (at least 6.5.0).

Found this useful? Thank Rafie Muhammad (Patchstack) for reporting this vulnerability. Buy a coffee ☕

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WooCommerce Payments Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.5.0.

**Other vulnerabilities in this plugin**

 0 present

 4 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#xss