Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5134 | 1 Project Team | 1 Tmall Demo | 2025-06-03 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability classified as problematic was found in Tmall Demo up to 20250505. Affected by this vulnerability is an unknown functionality of the component Buy Item Page. The manipulation of the argument Detailed Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases ar ...
Show More |
|||||
| CVE-2025-5133 | 1 Project Team | 1 Tmall Demo | 2025-06-03 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability classified as problematic has been found in Tmall Demo up to 20250505. Affected is an unknown function of the component Search Box. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this dis ...
Show More |
|||||
| CVE-2024-51099 | 1 Phpgurukul | 1 Medical Card Generation System | 2025-06-03 | N/A | 6.1 MEDIUM |
|
A reflected cross-site scripting (XSS) vulnerability in the component mcgs/download-medical-cards.php of PHPGURUKUL Medical Card Generation System using PHP and MySQL v1.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the searchdata parameter.
|
|||||
| CVE-2025-5181 | 1 Summerpearlgroup | 1 Vacation Rental Management Platform | 2025-06-03 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
|
|||||
| CVE-2025-5179 | 1 Realcetecnologia | 1 Queue Ticket Kiosk | 2025-06-03 | 3.3 LOW | 2.4 LOW |
|
A vulnerability classified as problematic was found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. Affected by this vulnerability is an unknown functionality of the file /adm/index.php of the component Cadastro de Administrador Page. The manipulation of the argument Name/Usuário leads to cross site scripting. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-5177 | 1 Realcetecnologia | 1 Queue Ticket Kiosk | 2025-06-03 | 5.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in Realce Tecnologia Queue Ticket Kiosk up to 20250517. It has been rated as problematic. This issue affects some unknown processing of the file /adm/index.php of the component Admin Login Page. The manipulation of the argument Usuário leads to cross site scripting. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-21732 | 1 Flycms Project | 1 Flycms | 2025-06-03 | N/A | 6.1 MEDIUM |
|
FlyCms through abbaa5a allows XSS via the permission management feature.
|
|||||
| CVE-2023-6830 | 1 Strategy11 | 1 Formidable Form Builder | 2025-06-03 | N/A | 6.5 MEDIUM |
|
The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites.
|
|||||
| CVE-2023-6600 | 1 Daan | 1 Omgf | 2025-06-03 | N/A | 8.6 HIGH |
|
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin's settings which can be used to inject Cross-Site Scripting payloads and delete entire directories. PLease note there were seve ...
Show More |
|||||
| CVE-2023-52322 | 1 Spip | 1 Spip | 2025-06-03 | N/A | 6.1 MEDIUM |
|
ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2.7 allows XSS because input from _request() is not restricted to safe characters such as alphanumerics.
|
|||||
| CVE-2023-50982 | 1 Studip | 1 Stud.ip | 2025-06-03 | N/A | 9.0 CRITICAL |
|
Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executable files, because upload_action and edit_action in Admin_SmileysController do not check the file extension. This leads to remote code execution with the privileges of the www-data user. The fixed versions are 5.3.4, 5.2.6, 5.1.7, and 5.0.9.
|
|||||
| CVE-2023-50609 | 1 Ava | 1 Teaching Video Application Service Platform | 2025-06-03 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in AVA teaching video application service platform version 3.1, allows remote attackers to execute arbitrary code via a crafted script to ajax.aspx.
|
|||||
| CVE-2023-50136 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-06-03 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the name field when creating a new custom table.
|
|||||
| CVE-2023-38827 | 1 Follettlearning | 1 Solutions Destiny | 2025-06-03 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Follet School Solutions Destiny v.20_0_1_AU4 and later allows a remote attacker to run arbitrary code via presentonesearchresultsform.do.
|
|||||
| CVE-2023-26998 | 1 Netscout | 1 Ngeniusone | 2025-06-03 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability found in NetScoutnGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the creator parameter of the Alert Configuration page.
|
|||||
| CVE-2024-22776 | 1 Wallosapp | 1 Wallos | 2025-06-03 | N/A | 4.7 MEDIUM |
|
Wallos 0.9 is vulnerable to Cross Site Scripting (XSS) in all text-based input fields without proper validation, excluding those requiring specific formats like date fields.
|
|||||
| CVE-2024-51508 | 1 Tiki | 1 Tiki | 2025-06-03 | N/A | 4.8 MEDIUM |
|
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Index.
|
|||||
| CVE-2024-51509 | 1 Tiki | 1 Tiki | 2025-06-03 | N/A | 4.8 MEDIUM |
|
Tiki through 27.0 allows users who have certain permissions to insert a "Modules" (aka tiki-admin_modules.php) stored XSS payload in the Name.
|
|||||
| CVE-2024-51507 | 1 Tiki | 1 Tiki | 2025-06-03 | N/A | 4.8 MEDIUM |
|
Tiki through 27.0 allows users who have certain permissions to insert a "Create/Edit External Wiki" stored XSS payload in the Name.
|
|||||
| CVE-2024-51506 | 1 Tiki | 1 Tiki | 2025-06-03 | N/A | 4.8 MEDIUM |
|
Tiki through 27.0 allows users who have certain permissions to insert a "Create a Wiki Pages" stored XSS payload in the description.
|
|||||
| CVE-2024-23178 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 5.4 MEDIUM |
|
An issue was discovered in the Phonos extension in MediaWiki before 1.40.2. PhonosButton.js allows i18n-based XSS via the phonos-purge-needed-error message.
|
|||||
| CVE-2024-23177 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 6.1 MEDIUM |
|
An issue was discovered in the WatchAnalytics extension in MediaWiki before 1.40.2. XSS can occur via the Special:PageStatistics page parameter.
|
|||||
| CVE-2024-23173 | 1 Mediawiki | 1 Mediawiki | 2025-06-03 | N/A | 6.1 MEDIUM |
|
An issue was discovered in the Cargo extension in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. The Special:Drilldown page allows XSS via artist, album, and position parameters because of applied filter values in drilldown/CargoAppliedFilter.php.
|
|||||
| CVE-2024-22494 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-06-03 | N/A | 5.4 MEDIUM |
|
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save mobile parameter, which allows remote attackers to inject arbitrary web script or HTML.
|
|||||
| CVE-2024-22492 | 1 Jfinalcms Project | 1 Jfinalcms | 2025-06-03 | N/A | 5.4 MEDIUM |
|
A stored XSS vulnerability exists in JFinalcms 5.0.0 via the /gusetbook/save contact parameter, which allows remote attackers to inject arbitrary web script or HTML.
|
|||||
| CVE-2023-7071 | 1 Wpdeveloper | 1 Essential Blocks | 2025-06-03 | N/A | 6.4 MEDIUM |
|
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-6988 | 1 Extendthemes | 1 Colibri Page Builder | 2025-06-03 | N/A | 6.4 MEDIUM |
|
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-6924 | 1 10web | 1 Photo Gallery | 2025-06-03 | N/A | 4.4 MEDIUM |
|
The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It can also be exploited with a contributor-level permission with ...
Show More |
|||||
| CVE-2023-6882 | 1 Simple-membership-plugin | 1 Simple Membership | 2025-06-03 | N/A | 6.1 MEDIUM |
|
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2023-6684 | 1 Vowelweb | 1 Ibtana | 2025-06-03 | N/A | 6.4 MEDIUM |
|
The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ive' shortcode in versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on 'width' and 'height' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-6050 | 1 Estatik | 1 Estatik | 2025-06-03 | N/A | 6.1 MEDIUM |
|
The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin
|
|||||
| CVE-2023-5691 | 1 Collect.chat | 1 Chatbot | 2025-06-03 | N/A | 4.4 MEDIUM |
|
The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 2.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
|
|||||
| CVE-2023-51068 | 1 Qstar | 1 Archive Storage Manager | 2025-06-03 | N/A | 5.4 MEDIUM |
|
An authenticated reflected cross-site scripting (XSS) vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 allows attackers to execute arbitrary javascript on a victim's browser via a crafted link.
|
|||||
| CVE-2023-51063 | 1 Qstar | 1 Archive Storage Manager | 2025-06-03 | N/A | 8.8 HIGH |
|
QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based Reflected Cross Site Scripting (XSS) vulnerability within the component qnme-ajax?method=tree_level.
|
|||||
| CVE-2023-50072 | 1 Openkm | 1 Openkm | 2025-06-03 | N/A | 5.4 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS.
|
|||||
| CVE-2023-4960 | 1 Wclovers | 1 Wcfm Marketplace | 2025-06-03 | N/A | 6.4 MEDIUM |
|
The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2023-49260 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | N/A | 6.1 MEDIUM |
|
An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. It can be used together with the vulnerability CVE-2023-49255.
|
|||||
| CVE-2023-49258 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | N/A | 6.1 MEDIUM |
|
User browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter.
|
|||||
| CVE-2025-5153 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-06-03 | 4.0 MEDIUM | 3.5 LOW |
|
A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-23782 | 1 Appleple | 1 A-blog Cms | 2025-06-02 | N/A | 5.4 MEDIUM |
|
Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. If this vulnerability is exploited, a user with a contributor or higher privilege may execute an arbitrary script on the web browser of the user who accessed the website using the product.
|
|||||