Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-37308 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
|
OX App Suite through 7.10.6 allows XSS via HTML in text/plain e-mail messages.
|
|||||
| CVE-2022-37307 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
|
OX App Suite through 7.10.6 allows XSS via XHTML CDATA for a snippet, as demonstrated by the onerror attribute of an IMG element within an e-mail signature.
|
|||||
| CVE-2022-36664 | 1 Adiscon | 1 Password Manager For Iis | 2025-04-14 | N/A | 6.1 MEDIUM |
|
Password Manager for IIS 2.0 has a cross-site scripting (XSS) vulnerability via the /isapi/PasswordManager.dll ResultURL parameter.
|
|||||
| CVE-2022-31469 | 1 Open-xchange | 1 Open-xchange Appsuite | 2025-04-14 | N/A | 6.1 MEDIUM |
|
OX App Suite through 7.10.6 allows XSS via a deep link, as demonstrated by class="deep-link-app" for a /#!!&app=%2e./ URI.
|
|||||
| CVE-2024-53967 | 1 Adobe | 1 Experience Manager | 2025-04-14 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the victim's browser session. By manipulating the DOM environment in the victim's browser, a low privileged attacker can inject malicious scripts that are executed by the victim's browser. Exploitation of this issue requires user interaction, typically in the form of following a malicious link.
|
|||||
| CVE-2024-53968 | 1 Adobe | 1 Experience Manager | 2025-04-14 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the victim's browser session. By manipulating the DOM environment in the victim's browser, a low privileged attacker can inject malicious scripts that are executed by the victim's browser. Exploitation of this issue requires user interaction, typically in the form of following a malicious link.
|
|||||
| CVE-2024-53969 | 1 Adobe | 1 Experience Manager | 2025-04-14 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 6.5.21 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code in the context of the victim's browser session. By manipulating the DOM environment in the victim's browser, a low privileged attacker can inject malicious scripts that are executed by the victim's browser. Exploitation of this issue requires user interaction, typically in the form of following a malicious link.
|
|||||
| CVE-2024-53970 | 1 Adobe | 1 Experience Manager | 2025-04-14 | N/A | 5.4 MEDIUM |
|
Adobe Experience Manager versions 6.5.21 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.
|
|||||
| CVE-2024-39311 | 1 Publify | 2 Publify, Publify Core | 2025-04-14 | N/A | 5.4 MEDIUM |
|
Publify is a self hosted Web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the `publify_core` rubygem, publisher on a `publify` application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML, or other encodings, as to no ...
Show More |
|||||
| CVE-2024-33424 | 1 Cmsimple | 1 Cmsimple | 2025-04-14 | N/A | 6.1 MEDIUM |
|
A cross-site scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Downloads parameter under the Language section.
|
|||||
| CVE-2024-2837 | 1 Ninjateam | 1 Wp Chat App | 2025-04-14 | N/A | 5.4 MEDIUM |
|
The WP Chat App WordPress plugin before 3.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
|
|||||
| CVE-2024-2439 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-14 | N/A | 4.8 MEDIUM |
|
The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
|
|||||
| CVE-2024-35739 | 1 Radiustheme | 1 The Post Grid | 2025-04-14 | N/A | 6.5 MEDIUM |
|
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RadiusTheme The Post Grid allows Stored XSS.This issue affects The Post Grid: from n/a through 7.7.1.
|
|||||
| CVE-2022-4242 | 1 Ljapps | 1 Wp Google Review Slider | 2025-04-14 | N/A | 4.8 MEDIUM |
|
The WP Google Review Slider WordPress plugin before 11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
|
|||||
| CVE-2024-32392 | 1 Cmsimple | 1 Cmsimple | 2025-04-14 | N/A | 4.5 MEDIUM |
|
Cross Site Scripting vulnerability in CmSimple v.5.15 allows a remote attacker to execute arbitrary code via the functions.php component.
|
|||||
| CVE-2024-2102 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-14 | N/A | 4.7 MEDIUM |
|
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.
|
|||||
| CVE-2024-2101 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-04-14 | N/A | 5.7 MEDIUM |
|
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.
|
|||||
| CVE-2023-40277 | 1 Openclinic Ga Project | 1 Openclinic Ga | 2025-04-14 | N/A | 6.1 MEDIUM |
|
An issue was discovered in OpenClinic GA 5.247.01. A Reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the login.jsp message parameter.
|
|||||
| CVE-2023-49540 | 1 Oretnom23 | 1 Book Store Management System | 2025-04-14 | N/A | 6.1 MEDIUM |
|
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/history. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the history parameter.
|
|||||
| CVE-2023-49539 | 1 Oretnom23 | 1 Book Store Management System | 2025-04-14 | N/A | 6.1 MEDIUM |
|
Book Store Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in /bsms_ci/index.php/category. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the category parameter.
|
|||||
| CVE-2024-11916 | 1 Wpextended | 1 Wp Extended | 2025-04-14 | N/A | 7.4 HIGH |
|
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on several functions in all versions up to, and including, 3.0.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to import and activate arbitrary code snippets along with
|
|||||
| CVE-2014-8352 | 1 French National Commission On Informatics And Liberty | 1 Cookieviz | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in json.php in French National Commission on Informatics and Liberty (aka CNIL) CookieViz allows remote we servers to inject arbitrary web script or HTML via the max_date parameter.
|
|||||
| CVE-2014-6175 | 1 Ibm | 1 Marketing Operations | 2025-04-12 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in IBM Marketing Operations 7.x and 8.x before 8.5.0.7.2, 8.6.x before 8.6.0.8, 9.0.x before 9.0.0.4.1, 9.1.0.x before 9.1.0.5, and 9.1.1.x before 9.1.1.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2015-7385 | 1 Open-xchange | 1 Ox Guard | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in Open-Xchange OX Guard before 2.0.0-rev11 allows remote attackers to inject arbitrary web script or HTML via the uid field in a PGP public key, which is not properly handled in "Guard PGP Settings."
|
|||||
| CVE-2013-1804 | 1 Php-fusion | 1 Php-fusion | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Multiple cross-site scripting (XSS) vulnerabilities in PHP-Fusion before 7.02.06 allow remote attackers to inject arbitrary web script or HTML via the (1) highlight parameter to forum/viewthread.php; or remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (2) user_list or (3) user_types parameter to messages.php; (4) message parameter to infusions/shoutbox_panel/shoutbox_admin.php; (5) message parameter to administration/news.php; (6) panel_list para ...
Show More |
|||||
| CVE-2015-5456 | 1 Pivotx | 1 Pivotx | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions.
|
|||||
| CVE-2015-1629 | 1 Microsoft | 1 Exchange Server | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "ExchangeDLP Cross Site Scripting Vulnerability."
|
|||||
| CVE-2015-4665 | 1 Xceedium | 1 Xsuite | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.4.4.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the fileName parameter.
|
|||||
| CVE-2014-4161 | 1 Sap | 1 Supplier Relationship Management | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in la/umTestSSO.jsp in SAP Supplier Relationship Management (SRM) allows remote attackers to inject arbitrary web script or HTML via the url parameter.
|
|||||
| CVE-2016-1565 | 1 Field Group Project | 1 Field Group | 2025-04-12 | 3.5 LOW | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in the Field Group module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with permission to configure field display settings to inject arbitrary web script or HTML via an element attribute.
|
|||||
| CVE-2015-8759 | 1 Typo3 | 1 Typo3 | 2025-04-12 | 3.5 LOW | 5.4 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in the typoLink function in TYPO3 6.2.x before 6.2.16 and 7.x before 7.6.1 allows remote authenticated editors to inject arbitrary web script or HTML via a link field.
|
|||||
| CVE-2015-4206 | 1 Cisco | 1 Unified Communications Manager | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cisco Unified Communications Manager (UCM) 8.0 through 8.6 allows remote attackers to bypass an XSS protection mechanism via a crafted parameter, aka Bug ID CSCuu15266.
|
|||||
| CVE-2015-5002 | 1 Ibm | 1 Host On-demand | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in IBM Host On-Demand 11.0 through 11.0.14 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
|
|||||
| CVE-2014-0957 | 1 Ibm | 2 Business Process Manager, Websphere Application Server | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in IBM Business Process Manager 7.5 through 8.5.5, and WebSphere Lombardi Edition 7.2, allows remote attackers to inject arbitrary web script or HTML via a crafted URL that triggers a service failure.
|
|||||
| CVE-2016-10083 | 1 Piwigo | 1 Piwigo | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case.
|
|||||
| CVE-2014-6294 | 1 External Links Click Statistics Project | 1 External Links Click Statistics | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Cross-site scripting (XSS) vulnerability in the External links click statistics (outstats) extension 0.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2014-9272 | 2 Debian, Mantisbt | 2 Debian Linux, Mantisbt | 2025-04-12 | 4.3 MEDIUM | N/A |
|
The string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.
|
|||||
| CVE-2016-6643 | 1 Emc | 1 Vipr Srm | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2015-1516 | 1 Polycom | 1 Realpresence Cloudaxis Suite | 2025-04-12 | 3.5 LOW | N/A |
|
Cross-site scripting (XSS) vulnerability in Polycom RealPresence CloudAXIS Suite before 1.7.0 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
|
|||||
| CVE-2016-3971 | 1 Dotcms | 1 Dotcms | 2025-04-12 | 3.5 LOW | 4.8 MEDIUM |
|
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
|
|||||