Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45799 | 1 Rathena | 1 Fluxcp | 2025-04-23 | N/A | 7.3 HIGH |
|
FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a result all logged in to fluxcp users can have their session info stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vuln ...
Show More |
|||||
| CVE-2024-28199 | 1 Phlex | 1 Phlex | 2025-04-23 | N/A | 7.1 HIGH |
|
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when renderi ...
Show More |
|||||
| CVE-2022-4765 | 1 Pwrplugins | 1 Portfolio For Elementor | 2025-04-23 | N/A | 5.4 MEDIUM |
|
The Portfolio for Elementor WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
|
|||||
| CVE-2025-29512 | 1 Nodebb | 1 Nodebb | 2025-04-23 | N/A | 6.1 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code and potentially render the blacklist IP functionality unusable until content is removed via the database.
|
|||||
| CVE-2024-1720 | 1 Wpeverest | 1 User Registration \& Membership | 2025-04-23 | N/A | 4.7 MEDIUM |
|
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering ...
Show More |
|||||
| CVE-2025-29513 | 1 Nodebb | 1 Nodebb | 2025-04-23 | N/A | 6.1 MEDIUM |
|
Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and before allows remote attackers to store arbitrary code in the admin API Access token generator.
|
|||||
| CVE-2023-5243 | 1 Login Screen Manager Project | 1 Login Screen Manager | 2025-04-23 | N/A | 4.8 MEDIUM |
|
The Login Screen Manager WordPress plugin through 3.5.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-5229 | 1 E2pdf | 1 E2pdf | 2025-04-23 | N/A | 4.8 MEDIUM |
|
The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2023-4823 | 1 Prasadkirpekar | 1 Wp Meta And Date Remover | 2025-04-23 | N/A | 5.4 MEDIUM |
|
The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is then later output unescaped. Allowing any authenticated users, such as subscriber change them and perform Stored Cross-Site Scripting.
|
|||||
| CVE-2023-4390 | 1 Ays-pro | 1 Popup Box | 2025-04-23 | N/A | 4.8 MEDIUM |
|
The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
|
|||||
| CVE-2023-3245 | 1 Premio | 1 Chaty | 2025-04-23 | N/A | 4.8 MEDIUM |
|
The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2023-37519 | 1 Hcltech | 1 Bigfix Platform | 2025-04-23 | N/A | 7.7 HIGH |
|
Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server.
|
|||||
| CVE-2022-43369 | 1 Phpgurukul | 1 Auto\/taxi Stand Management System | 2025-04-23 | N/A | 6.1 MEDIUM |
|
AutoTaxi Stand Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component search.php.
|
|||||
| CVE-2022-37406 | 1 Ricoh | 2 Aficio Sp 4210n, Aficio Sp 4210n Firmware | 2025-04-23 | N/A | 4.8 MEDIUM |
|
Cross-site scripting vulnerability in Aficio SP 4210N firmware versions prior to Web Support 1.05 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
|
|||||
| CVE-2020-36656 | 1 Brainstormforce | 1 Spectra | 2025-04-23 | N/A | 5.4 MEDIUM |
|
The Spectra WordPress plugin before 1.15.0 does not sanitize user input as it reaches its style HTML attribute, allowing contributors to conduct stored XSS attacks via the plugin's Gutenberg blocks.
|
|||||
| CVE-2025-3421 | 1 Wpeverest | 1 Everest Forms | 2025-04-23 | N/A | 6.1 MEDIUM |
|
The Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'form_id' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-4310 | 1 Ofofonobsdev | 1 Hubbank | 2025-04-23 | N/A | 6.3 MEDIUM |
|
Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover.
|
|||||
| CVE-2017-18591 | 1 Dev4press | 1 Gd Rating System | 2025-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The gd-rating-system plugin before 2.1 for WordPress has XSS in log.php.
|
|||||
| CVE-2025-29710 | 1 Torrahclef | 1 Company Website Cms | 2025-04-23 | N/A | 6.1 MEDIUM |
|
SourceCodester Company Website CMS 1.0 is vulnerable to Cross Site Scripting (XSS) via /dashboard/Services.
|
|||||
| CVE-2023-24203 | 1 Oretnom23 | 1 Simple Customer Relationship Management System | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability in SourceCodester Simple Customer Relationship Management System v1.0 allows attacker to execute arbitary code via the company or query parameter(s).
|
|||||
| CVE-2025-29471 | 1 Nagios | 1 Log Server | 2025-04-23 | N/A | 8.3 HIGH |
|
Cross Site Scripting vulnerability in Nagios Log Server v.2024R1.3.1 allows a remote attacker to execute arbitrary code via a payload into the Email field.
|
|||||
| CVE-2024-10680 | 1 10web | 1 Form Maker | 2025-04-23 | N/A | 4.8 MEDIUM |
|
The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2023-50175 | 1 Weseek | 1 Growi | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
|
|||||
| CVE-2023-45740 | 1 Weseek | 1 Growi | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the site using the product.
|
|||||
| CVE-2022-46687 | 1 Jenkins | 1 Spring Config | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Jenkins Spring Config Plugin 2.0.0 and earlier does not escape build display names shown on the Spring Config view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to change build display names.
|
|||||
| CVE-2022-46686 | 1 Jenkins | 1 Custom Build Properties | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Jenkins Custom Build Properties Plugin 2.79.vc095ccc85094 and earlier does not escape property values and build display names on the Custom Build Properties and Build Summary pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to set or change these values.
|
|||||
| CVE-2022-46684 | 1 Jenkins | 1 Checkmarx | 2025-04-23 | N/A | 5.4 MEDIUM |
|
Jenkins Checkmarx Plugin 2022.3.3 and earlier does not escape values returned from the Checkmarx service API before inserting them into HTML reports, resulting in a stored cross-site scripting (XSS) vulnerability.
|
|||||
| CVE-2022-44361 | 1 Zzcms | 1 Zzcms | 2025-04-23 | N/A | 5.4 MEDIUM |
|
An issue was discovered in ZZCMS 2022. There is a cross-site scripting (XSS) vulnerability in admin/ad_list.php.
|
|||||
| CVE-2022-44153 | 1 Rapidscada | 1 Rapid Scada | 2025-04-23 | N/A | 6.1 MEDIUM |
|
Rapid Software LLC Rapid SCADA 5.8.4 is vulnerable to Cross Site Scripting (XSS).
|
|||||
| CVE-2022-42486 | 1 Basercms | 1 Basercms | 2025-04-23 | N/A | 4.8 MEDIUM |
|
Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
|
|||||
| CVE-2008-2991 | 1 Adobe | 1 Robohelp Server | 2025-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Help Errors log.
|
|||||
| CVE-2008-0642 | 1 Adobe | 1 Robohelp | 2025-04-23 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in files created by Adobe RoboHelp 6 and 7, possibly involving use of a (1) WebHelp5 (WebHelp5Ext) or (2) WildFire (WildFireExt) extension, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2007-1280.
|
|||||
| CVE-2024-40507 | 1 Openpetra | 1 Openpetra | 2025-04-23 | N/A | 7.3 HIGH |
|
Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMPersonnel.asmx function.
|
|||||
| CVE-2024-40508 | 1 Openpetra | 1 Openpetra | 2025-04-23 | N/A | 7.3 HIGH |
|
Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMConference.asmx function.
|
|||||
| CVE-2024-40511 | 1 Openpetra | 1 Openpetra | 2025-04-23 | N/A | 7.3 HIGH |
|
Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMServerAdmin.asmx function.
|
|||||
| CVE-2024-40512 | 1 Openpetra | 1 Openpetra | 2025-04-23 | N/A | 7.3 HIGH |
|
Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMReporting.asmx function.
|
|||||
| CVE-2024-40506 | 1 Openpetra | 1 Openpetra | 2025-04-23 | N/A | 7.3 HIGH |
|
Cross Site Scripting vulnerability in openPetra v.2023.02 allows a remote attacker to obtain sensitive information via the serverMHospitality.asmx function.
|
|||||
| CVE-2022-41994 | 1 Basercms | 1 Basercms | 2025-04-23 | N/A | 4.8 MEDIUM |
|
Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
|
|||||
| CVE-2022-3838 | 1 Wpupper Share Buttons Project | 1 Wpupper Share Buttons | 2025-04-23 | N/A | 4.8 MEDIUM |
|
The WPUpper Share Buttons WordPress plugin through 3.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2022-25630 | 1 Symantec | 1 Messaging Gateway | 2025-04-23 | N/A | 5.4 MEDIUM |
|
An authenticated user can embed malicious content with XSS into the admin group policy page.
|
|||||