Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-43079 | 1 Train Scheduler App Project | 1 Train Scheduler App | 2025-05-05 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Train Scheduler App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. |
| CVE-2022-43078 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2025-05-05 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in /admin/add-fee.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cmddept parameter. |
| CVE-2022-43076 | 1 Web-based Student Clearance System Project | 1 Web-based Student Clearance System | 2025-05-05 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in /admin/edit-admin.php of Web-Based Student Clearance System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtemail parameter. |
| CVE-2022-3469 | 1 Marcomilesi | 1 Wp Attachments | 2025-05-05 | N/A | 4.8 MEDIUM | The WP Attachments WordPress plugin before 5.0.5 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). |
| CVE-2022-43361 | 1 Slims | 1 Senayan Library Management System | 2025-05-05 | N/A | 4.8 MEDIUM | Senayan Library Management System v9.4.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the component pop_chart.php. |
| CVE-2022-43082 | 1 Fast Food Ordering System Project | 1 Fast Food Ordering System | 2025-05-05 | N/A | 6.1 MEDIUM | A cross-site scripting (XSS) vulnerability in /fastfood/purchase.php of Fast Food Ordering System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the customer parameter. |
| CVE-2022-42753 | 1 Salonerp Project | 1 Salonerp | 2025-05-05 | N/A | 6.1 MEDIUM | SalonERP version 3.0.2 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the page parameter against XSS attacks. |
| CVE-2022-42750 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 8.8 HIGH | CandidATS version 3.0.0 allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not correctly validate the files uploaded by the user. |
| CVE-2022-42749 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0 on 'page' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks. |
| CVE-2022-42748 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0 on 'sortDirection' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks. |
| CVE-2022-42747 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0 on 'sortBy' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks. |
| CVE-2022-42746 | 1 Auieo | 1 Candidats | 2025-05-05 | N/A | 6.1 MEDIUM | CandidATS version 3.0.0 on 'indexFile' of the 'ajax.php' resource, allows an external attacker to steal the cookie of arbitrary users. This is possible because the application does not properly validate user input against XSS attacks. |
| CVE-2022-41435 | 1 Openwrt | 1 Luci | 2025-05-05 | N/A | 5.4 MEDIUM | OpenWRT LuCI version git-22.140.66206-02913be was discovered to contain a stored cross-site scripting (XSS) vulnerability in the component /system/sshkeys.js. This vulnerability allows attackers to execute arbitrary web scripts or HTML via crafted public key comments. |
| CVE-2022-30615 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-05 | N/A | 5.4 MEDIUM | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592. |
| CVE-2022-43372 | 1 Emlog | 1 Emlog | 2025-05-05 | N/A | 4.8 MEDIUM | Emlog Pro v1.7.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability at /admin/store.php. |
| CVE-2022-43982 | 1 Apache | 1 Airflow | 2025-05-02 | N/A | 6.1 MEDIUM | In Apache Airflow versions prior to 2.4.2, the "Trigger DAG with config" screen was susceptible to XSS attacks via the `origin` query argument. |
| CVE-2022-43670 | 1 Apache | 1 Sling Cms | 2025-05-02 | N/A | 5.4 MEDIUM | An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.0 and prior may allow an authenticated remote attacker to perform a reflected cross site scripting (XSS) attack in the taxonomy management feature. |
| CVE-2022-40840 | 1 Ndk-design | 1 Ndkadvancedcustomizationfields | 2025-05-02 | N/A | 6.1 MEDIUM | ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Cross Site Scripting (XSS) via createPdf.php. |
| CVE-2022-35642 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2025-05-02 | N/A | 5.4 MEDIUM | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 227592. |
| CVE-2021-46846 | 2 Hp, Hpe | 45 3par Service Processor, Apollo R2000 Chassis, Integrated Lights-out 5 Firmware and 42 more | 2025-05-02 | N/A | 6.4 MEDIUM | Cross Site Scripting vulnerability in Hewlett Packard Enterprise Integrated Lights-Out 5. |
| CVE-2024-27684 | 1 Dlink | 2 Go-rt-ac750, Go-rt-ac750 Firmware | 2025-05-02 | N/A | 6.1 MEDIUM | A Cross-site scripting (XSS) vulnerability in dlapn.cgi, dldongle.cgi, dlcfg.cgi, fwup.cgi and seama.cgi in D-Link GORTAC750_A1_FW_v101b03 allows remote attackers to inject arbitrary web script or HTML via the url parameter. |
| CVE-2022-44724 | 1 Stiltsoft | 1 Handy Macros For Confluence | 2025-05-02 | N/A | 8.9 HIGH | The Handy Tip macro in Stiltsoft Handy Macros for Confluence Server/Data Center 3.x before 3.5.5 allows remote attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. |
| CVE-2022-3721 | 1 Froxlor | 1 Froxlor | 2025-05-02 | N/A | 4.6 MEDIUM | Code Injection in GitHub repository froxlor/froxlor prior to 0.10.39. |
| CVE-2022-2904 | 1 Gitlab | 1 Gitlab | 2025-05-02 | N/A | 7.3 HIGH | A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. |
| CVE-2021-39473 | 1 Hotelmanager Project | 1 Hotelmanager | 2025-05-02 | N/A | 5.4 MEDIUM | Saibamen HotelManager v1.2 is vulnerable to Cross Site Scripting (XSS) due to improper sanitization of comment and contact fields. |
| CVE-2025-4100 | | | 2025-05-02 | N/A | 6.4 MEDIUM | The Nautic Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'np_marinetraffic_map' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-4075 | | | 2025-05-02 | 5.0 MEDIUM | 4.3 MEDIUM | A vulnerability was found in VMSMan up to 20250416. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Email with the input `"><script>alert(1)</script>` leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-1529 | | | 2025-05-02 | N/A | 6.4 MEDIUM | The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-3670 | | | 2025-05-02 | N/A | 6.4 MEDIUM | The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-4131 | | | 2025-05-02 | N/A | 6.4 MEDIUM | The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2024-5032 | 1 Toolstack | 1 Sully | 2025-05-02 | N/A | 4.7 MEDIUM | The SULly WordPress plugin before 4.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-5074 | 1 Tipsandtricks-hq | 1 Wp Emember | 2025-05-02 | N/A | 5.4 MEDIUM | The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2022-3462 | 1 Highlight Focus Project | 1 Highlight Focus | 2025-05-01 | N/A | 4.8 MEDIUM | The Highlight Focus WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2022-3265 | 1 Gitlab | 1 Gitlab | 2025-05-01 | N/A | 7.3 HIGH | A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. |
| CVE-2024-37384 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-05-01 | N/A | 6.1 MEDIUM | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. |
| CVE-2024-4621 | 1 Reputeinfosystems | 1 Arforms | 2025-05-01 | N/A | 4.8 MEDIUM | The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-4934 | 1 Expresstech | 1 Quiz And Survey Master | 2025-05-01 | N/A | 5.5 MEDIUM | The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2024-6130 | 1 10web | 1 Form Maker | 2025-05-01 | N/A | 4.8 MEDIUM | The Form Maker by 10Web WordPress plugin before 1.15.26 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2022-43144 | 1 Canteen Management System Project | 1 Canteen Management System | 2025-05-01 | N/A | 5.4 MEDIUM | A cross-site scripting (XSS) vulnerability in Canteen Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2022-41434 | 1 Eyesofnetwork | 1 Web Interface | 2025-05-01 | N/A | 6.1 MEDIUM | EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /lilac/main.php. |