Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-31741 | 1 1234n | 1 Minicms | 2025-04-18 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via a crafted string in the URL after login.
|
|||||
| CVE-2024-2603 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-18 | N/A | 6.3 MEDIUM |
|
The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin (or editor depending on Salon booking system WordPress plugin through 9.6.5 configuration) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-31609 | 1 Bosscms | 1 Bosscms | 2025-04-18 | N/A | 7.1 HIGH |
|
Cross Site Scripting (XSS) vulnerability in BOSSCMS v3.10 allows attackers to run arbitrary code via the header code and footer code fields in code configuration.
|
|||||
| CVE-2024-55342 | 1 Dotnetfoundation | 1 Piranha Cms | 2025-04-18 | N/A | 4.7 MEDIUM |
|
A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser, leading to an XSS vulnerability.
|
|||||
| CVE-2020-22540 | 1 Codologic | 1 Codoforum | 2025-04-18 | N/A | 5.4 MEDIUM |
|
Stored Cross-Site Scripting (XSS) vulnerability in Codoforum v4.9 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the Category name component.
|
|||||
| CVE-2024-32505 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2025-04-18 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wpmet Elements kit Elementor addons allows Stored XSS. This issue affects Elements kit Elementor addons: from n/a through 3.0.6.
|
|||||
| CVE-2024-4061 | 1 Ays-pro | 1 Survey Maker | 2025-04-18 | N/A | 4.8 MEDIUM |
|
The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-51055 | 1 Hoosk | 1 Hoosk | 2025-04-18 | N/A | 6.5 MEDIUM |
|
An issue in Hoosk v1.7.1 allows a remote attacker to execute arbitrary code via a crafted script to the config.php component.
|
|||||
| CVE-2023-46950 | 1 Contribsys | 1 Sidekiq | 2025-04-18 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted URL to the filter functions.
|
|||||
| CVE-2023-46951 | 1 Contribsys | 1 Sidekiq | 2025-04-18 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Contribsys Sidekiq v.6.5.8 allows a remote attacker to obtain sensitive information via a crafted payload to the uniquejobs function.
|
|||||
| CVE-2022-36223 | 1 Emby | 1 Emby | 2025-04-18 | N/A | 6.1 MEDIUM |
|
In Emby Server 4.6.7.0, the playlist name field is vulnerable to stored XSS, where it is possible to steal the administrator access token and flip or steal the media server administrator account.
|
|||||
| CVE-2024-24511 | 1 Pkp.sfu | 1 Open Journal Systems | 2025-04-18 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the Input Title component.
|
|||||
| CVE-2024-24512 | 1 Pkp.sfu | 1 Open Journal Systems | 2025-04-18 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in Pkp OJS v.3.4 allows an attacker to execute arbitrary code via the input subtitle component.
|
|||||
| CVE-2024-30618 | 1 Chamilo | 1 Chamilo Lms | 2025-04-18 | N/A | 6.1 MEDIUM |
|
A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content' parameter of 'group_topics.php'.
|
|||||
| CVE-2024-27525 | 1 Chamilo | 1 Chamilo Lms | 2025-04-18 | N/A | 4.6 MEDIUM |
|
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component.
|
|||||
| CVE-2024-3755 | 1 Mf Gig Calendar Project | 1 Mf Gig Calendar | 2025-04-18 | N/A | 5.4 MEDIUM |
|
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-33859 | 1 Logpoint | 1 Siem | 2025-04-18 | N/A | 6.1 MEDIUM |
|
An issue was discovered in Logpoint before 7.4.0. HTML code sent through logs wasn't being escaped in the "Interesting Field" Web UI, leading to XSS.
|
|||||
| CVE-2025-26153 | | | 2025-04-18 | N/A | 5.4 MEDIUM |
|
A Stored XSS vulnerability exists in the message compose feature of Chamilo LMS 1.11.28. Attackers can inject malicious scripts into messages, which execute when victims, such as administrators, reply to the message.
|
|||||
| CVE-2024-51142 | 1 Chamilo | 1 Chamilo Lms | 2025-04-18 | N/A | 5.4 MEDIUM |
|
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file.
|
|||||
| CVE-2024-13347 | 1 Smartdatasoft | 1 Essential Wp Real Estate | 2025-04-18 | N/A | 6.8 MEDIUM |
|
The Essential WP Real Estate WordPress plugin through 1.1.3 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
|
|||||
| CVE-2025-22664 | 1 Ays-pro | 1 Survey Maker | 2025-04-18 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Stored XSS. This issue affects Survey Maker: from n/a through 5.1.3.5.
|
|||||
| CVE-2025-24028 | 1 Joplin Project | 1 Joplin | 2025-04-18 | N/A | 7.8 HIGH |
|
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplev ...
|
|||||
| CVE-2025-25988 | 1 Hoosk | 1 Hoosk | 2025-04-18 | N/A | 4.8 MEDIUM |
|
Cross Site Scripting vulnerability in hooskcms v.1.8 allows a remote attacker to cause a denial of service via the custom Link title parameter and the Title parameter.
|
|||||
| CVE-2025-25990 | 1 Hoosk | 1 Hoosk | 2025-04-18 | N/A | 6.1 MEDIUM |
|
Cross Site Scripting vulnerability in hooskcms v.1.7.1 allows a remote attacker to obtain sensitive information via the /install/index.php component.
|
|||||
| CVE-2024-50426 | 1 Ays-pro | 1 Survey Maker | 2025-04-18 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Survey Maker team Survey Maker allows Stored XSS. This issue affects Survey Maker: from n/a through 5.0.2.
|
|||||
| CVE-2024-2593 | 1 Amss++ Project | 1 Amss++ | 2025-04-17 | N/A | 7.1 HIGH |
|
Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_group.php, in the 'b_id' parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
|
|||||
| CVE-2023-5980 | 1 Bannersky | 1 Bsk Forms Blacklist | 2025-04-17 | N/A | 4.8 MEDIUM |
|
The BSK Forms Blacklist WordPress plugin before 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-2598 | 1 Amss++ Project | 1 Amss++ | 2025-04-17 | N/A | 7.1 HIGH |
|
Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/select_send_2.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
|
|||||
| CVE-2024-2597 | 1 Amss++ Project | 1 Amss++ | 2025-04-17 | N/A | 7.1 HIGH |
|
Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_school_person.php, in the 'b_id' parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
|
|||||
| CVE-2024-2596 | 1 Amss++ Project | 1 Amss++ | 2025-04-17 | N/A | 7.1 HIGH |
|
Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/mail/main/select_send.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
|
|||||
| CVE-2024-2595 | 1 Amss++ Project | 1 Amss++ | 2025-04-17 | N/A | 7.1 HIGH |
|
Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_khet_person.php, in the 'b_id' parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
|
|||||
| CVE-2024-2594 | 1 Amss++ Project | 1 Amss++ | 2025-04-17 | N/A | 7.1 HIGH |
|
Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/admin/index.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
|
|||||
| CVE-2025-24909 | | | 2025-04-17 | N/A | 4.4 MEDIUM |
|
Overview
The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. (CWE-79)
Description
Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, allows a malicious URL to inject content into the Analyzer plugin interface.
Impact
Once the malicious script is injected, the attacker can perform a ...
|
|||||
| CVE-2025-27284 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in divspark Flagged Content allows Reflected XSS. This issue affects Flagged Content: from n/a through 1.0.2.
|
|||||
| CVE-2025-24621 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes allows Reflected XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.15.
|
|||||
| CVE-2025-24586 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bitsstech Shipment Tracker for Woocommerce allows Reflected XSS. This issue affects Shipment Tracker for Woocommerce: from n/a through 1.4.23.
|
|||||
| CVE-2025-22692 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rachanaS Sponsered Link allows Reflected XSS. This issue affects Sponsered Link: from n/a through 4.0.
|
|||||
| CVE-2025-23782 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TotalSuite TotalContest Lite allows Reflected XSS. This issue affects TotalContest Lite: from n/a through 2.8.1.
|
|||||
| CVE-2025-24640 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan-Lucian Stefancu Empty Tags Remover allows Reflected XSS. This issue affects Empty Tags Remover: from n/a through 1.0.
|
|||||
| CVE-2025-24745 | | | 2025-04-17 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Classified Listing allows Reflected XSS. This issue affects Classified Listing: from n/a through 4.0.1.
|
|||||