Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-3613 | 2025-04-15 | 4.0 MEDIUM | 3.5 LOW | ||
|
A vulnerability has been found in Demtec Graphytics 5.0.7 and classified as problematic. This vulnerability affects unknown code of the file /visualization. The manipulation of the argument description leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-26745 | 2025-04-15 | N/A | 6.5 MEDIUM | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RSTheme RS Elements Elementor Addon allows Stored XSS. This issue affects RS Elements Elementor Addon: from n/a through 1.1.5.
|
|||||
| CVE-2025-26954 | 2025-04-15 | N/A | 7.1 HIGH | ||
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 1pluginjquery ZooEffect allows Reflected XSS. This issue affects ZooEffect: from n/a through 1.11.
|
|||||
| CVE-2025-3612 | 2025-04-15 | 5.0 MEDIUM | 4.3 MEDIUM | ||
|
A vulnerability, which was classified as problematic, was found in Demtec Graphytics 5.0.7. This affects an unknown part of the file /visualization of the component HTTP GET Parameter Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-3573 | 2025-04-15 | N/A | 6.1 MEDIUM | ||
|
Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.
|
|||||
| CVE-2022-40956 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.1 MEDIUM |
|
When injecting an HTML base element, some requests would ignore the CSP's base-uri settings and accept the injected element's base instead. This vulnerability affects Firefox ESR < 102.3, Thunderbird < 102.3, and Firefox < 105.
|
|||||
| CVE-2022-3033 | 1 Mozilla | 1 Thunderbird | 2025-04-15 | N/A | 8.1 HIGH |
|
If a Thunderbird user replied to a crafted HTML email containing a <code>meta</code> tag, with the <code>meta</code> tag having the <code>http-equiv="refresh"</code> attribute, and the content attribute specifying an URL, then Thunderbird started a network request to that URL, regardless of the configuration to block remote content. In combination with certain other HTML elements and attributes in the email, it was possible to execute JavaScript code included in the message in the context of the ...
Show More |
|||||
| CVE-2024-40036 | 1 Idccms | 1 Idccms | 2025-04-15 | N/A | 8.8 HIGH |
|
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/userGroup_deal.php?mudi=add&nohrefStr=close
|
|||||
| CVE-2024-40333 | 1 Idccms | 1 Idccms | 2025-04-15 | N/A | 8.8 HIGH |
|
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/softBak_deal.php?mudi=del&dataID=2
|
|||||
| CVE-2024-40336 | 1 Idccms | 1 Idccms | 2025-04-15 | N/A | 6.1 MEDIUM |
|
idccms v1.35 is vulnerable to Cross Site Scripting (XSS) within the 'Image Advertising Management.'
|
|||||
| CVE-2022-43271 | 1 Inhabit | 1 Move Crm | 2025-04-15 | N/A | 5.4 MEDIUM |
|
Inhabit Systems Pty Ltd Move CRM version 4, build 260 was discovered to contain a cross-site scripting (XSS) vulnerability via the User profile component.
|
|||||
| CVE-2024-2289 | 1 Ideabox | 1 Powerpack For Beaver Builder | 2025-04-15 | N/A | 6.4 MEDIUM |
|
The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link in multiple elements in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12239 | 1 Ideabox | 1 Powerpack For Beaver Builder | 2025-04-15 | N/A | 6.1 MEDIUM |
|
The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the navigate parameter in all versions up to, and including, 1.3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.
|
|||||
| CVE-2024-37409 | 1 Ideabox | 1 Powerpack For Beaver Builder | 2025-04-15 | N/A | 5.9 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Beaver Addons PowerPack Lite for Beaver Builder allows Stored XSS.This issue affects PowerPack Lite for Beaver Builder: from n/a through 1.3.0.4.
|
|||||
| CVE-2022-0176 | 1 Ideabox | 1 Powerpack For Beaver Builder | 2025-04-15 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The PowerPack Lite for Beaver Builder WordPress plugin before 1.2.9.3 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2022-45411 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.1 MEDIUM |
|
Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies inaccessible to JavaScript (such as cookies protected by HTTPOnly). To mitigate this attack, browsers placed limits on <code>fetch()</code> and XMLHttpRequest; however some webservers have implemented non-standard headers such as <code>X-Http-Method-Override</code> that override the HTTP method, and made this attack possible again. Thunderbi ...
Show More |
|||||
| CVE-2022-45408 | 1 Mozilla | 3 Firefox, Firefox Esr, Thunderbird | 2025-04-15 | N/A | 6.5 MEDIUM |
|
Through a series of popups that reuse windowName, an attacker can cause a window to go fullscreen without the user seeing the notification prompt, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox ESR < 102.5, Thunderbird < 102.5, and Firefox < 107.
|
|||||
| CVE-2024-43330 | 1 Ideabox | 1 Powerpack For Beaver Builder | 2025-04-15 | N/A | 7.1 HIGH |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in IdeaBox Creations PowerPack for Beaver Builder allows Reflected XSS.This issue affects PowerPack for Beaver Builder: from n/a before 2.37.4.
|
|||||
| CVE-2024-7895 | 1 Fastlinemedia | 1 Beaver Builder | 2025-04-15 | N/A | 6.4 MEDIUM |
|
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.8.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2025-3036 | 1 Yzk2356911358 | 1 Studentservlet-jsp | 2025-04-15 | 3.3 LOW | 2.4 LOW |
|
A vulnerability, which was classified as problematic, was found in yzk2356911358 StudentServlet-JSP cc0cdce25fbe43b6c58b60a77a2c85f52d2102f5/d4d7a0643f1dae908a4831206f2714b21820f991. This affects an unknown part of the component Student Management Handler. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide c ...
Show More |
|||||
| CVE-2025-3057 | 1 Drupal | 1 Drupal | 2025-04-15 | N/A | 6.1 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.
|
|||||
| CVE-2022-46877 | 2 Debian, Mozilla | 2 Debian Linux, Firefox | 2025-04-15 | N/A | 4.3 MEDIUM |
|
By confusing the browser, the fullscreen notification could have been delayed or suppressed, resulting in potential user confusion or spoofing attacks. This vulnerability affects Firefox < 108.
|
|||||
| CVE-2022-44380 | 1 Snipeitapp | 1 Snipe-it | 2025-04-15 | N/A | 5.4 MEDIUM |
|
Snipe-IT before 6.0.14 is vulnerable to Cross Site Scripting (XSS) for View Assigned Assets.
|
|||||
| CVE-2022-44012 | 1 Simmeth | 1 Lieferantenmanager | 2025-04-15 | N/A | 5.4 MEDIUM |
|
An issue was discovered in /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId in Simmeth Lieferantenmanager before 5.6. An attacker can execute JavaScript code in the browser of the victim if a site is loaded. The victim's encrypted password can be stolen and most likely be decrypted.
|
|||||
| CVE-2025-29389 | 1 Pbootcms | 1 Pbootcms | 2025-04-15 | N/A | 6.1 MEDIUM |
|
PbootCMS v3.2.9 contains a XSS vulnerability in admin.php?p=/Content/index/mcode/2#tab=t2.
|
|||||
| CVE-2022-2846 | 1 Dwbooster | 1 Calendar Event Multi View | 2025-04-15 | N/A | 4.3 MEDIUM |
|
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in it.
|
|||||
| CVE-2024-11447 | 2025-04-14 | N/A | 6.1 MEDIUM | ||
|
The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and including, 7.0.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
|
|||||
| CVE-2022-29853 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.4 MEDIUM |
|
OX App Suite through 8.2 allows XSS via a certain complex hierarchy that forces use of Show Entire Message for a huge HTML e-mail message.
|
|||||
| CVE-2022-29852 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 5.4 MEDIUM |
|
OX App Suite through 8.2 allows XSS because BMFreehand10 and image/x-freehand are not blocked.
|
|||||
| CVE-2021-30134 | 6 Ht Slider Range For Amazon Affiliates Project, Php Curl Class Project, Ptwooplugins and 3 more | 6 Ht Slider Range For Amazon Affiliates, Php Curl Class, Invoicing With Invoicexpress For Woocommerce and 3 more | 2025-04-14 | N/A | 6.1 MEDIUM |
|
php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php.
|
|||||
| CVE-2025-1665 | 1 Theme-fusion | 1 Avada Builder | 2025-04-14 | N/A | 6.4 MEDIUM |
|
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2024-12477 | 1 Theme-fusion | 1 Avada Builder | 2025-04-14 | N/A | 6.4 MEDIUM |
|
The Avada Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.11.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
|
|||||
| CVE-2022-4336 | 1 Bt | 1 Baota | 2025-04-14 | N/A | 5.4 MEDIUM |
|
In BAOTA linux panel there exists a stored xss vulnerability attackers can use to obtain sensitive information via the log analysis feature.
|
|||||
| CVE-2022-45892 | 1 Planetestream | 1 Planet Estream | 2025-04-14 | N/A | 5.4 MEDIUM |
|
In Planet eStream before 6.72.10.07, multiple Stored Cross-Site Scripting (XSS) vulnerabilities exist: Disclaimer, Search Function, Comments, Batch editing tool, Content Creation, Related Media, Create new user, and Change Username.
|
|||||
| CVE-2022-45890 | 1 Planetestream | 1 Planet Estream | 2025-04-14 | N/A | 6.1 MEDIUM |
|
In Planet eStream before 6.72.10.07, a Reflected Cross-Site Scripting (XSS) vulnerability exists via any metadata filter field (e.g., search within Default.aspx with the r or fo parameter).
|
|||||
| CVE-2024-44676 | 1 Eladmin | 1 Eladmin | 2025-04-14 | N/A | 4.8 MEDIUM |
|
eladmin v2.7 and before is vulnerable to Cross Site Scripting (XSS) which allows an attacker to execute arbitrary code via LocalStoreController. java.
|
|||||
| CVE-2021-44855 | 1 Mediawiki | 1 Mediawiki | 2025-04-14 | N/A | 5.4 MEDIUM |
|
An issue was discovered in MediaWiki before 1.35.5, 1.36.x before 1.36.3, and 1.37.x before 1.37.1. There is Blind Stored XSS via a URL to the Upload Image feature.
|
|||||
| CVE-2025-30292 | 1 Adobe | 1 Coldfusion | 2025-04-14 | N/A | 6.1 MEDIUM |
|
ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.
|
|||||
| CVE-2022-37310 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
|
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.
|
|||||
| CVE-2022-37309 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
|
OX App Suite through 7.10.6 allows XSS via script code within a contact that has an e-mail address but lacks a name.
|
|||||